This document is in progress!

Summary

Passwords alone are no longer sufficient. To address this, RIT has moved the majority of services to Duo's MFA service. Admins and developers, however, have access to large amounts of information and hold privileges on servers that can cause significant damage if their credentials are compromised. Because of those risks, stronger and more efficient MFA is required for certain accounts. To achieve this, ITS has historically used OATH one-time passwords (HOTP/TOTP) for SSH and sudo access on Linux servers and recently started requiring either certificate + PIN or Duo for Windows logons.

OATH is deprecated, and all OATH users are being moved to certificate-based authentication. ITS is issuing YubiKeys, which generate and store the private keys for these certificates on the device itself so that the keys cannot be copied off it.

Requirements

Requesting a YubiKey

Considerations

  • These docs are not the only way to accomplish the goal, nor are YubiKeys the only way to accomplish passwordless authentication; however, the further you deviate from these docs, the less knowledge ITS has to assist you.
  • The OS holds an exclusive lock on the YubiKey's smart card interface while it is in use, so one key cannot be shared between operating systems at the same time. If you use multiple computers, even virtual ones, you will need multiple devices: one device per instance of the OS.
    • A YubiKey can be passed through RDP session(s) (Windows only)
  • Each device will have a different certificate. A single certificate can, however, be used for access to both Linux and Windows servers.
  • Expert mode: while a YubiKey (i.e. a Yubico device) is not required, the docs and process assume a YubiKey is being used. Any device that generates and stores keys in hardware in a way that can be cryptographically verified (attested) will work.


Process Overview

I. Initialize/Configure YubiKey
II. Determine which certificate to use
III. Submit certificate for verification
IV. Configure clients to use certificates
V. Next steps

I. Initialize/Configure YubiKey

New Setup

  1. Run the YubiKey Manager application and insert your key

  2. Click on Applications and then click on PIV


  3. Change the PIN if the YubiKey is fresh out of the box or has been reset to factory defaults

    Skip to II. Determine which certificate to use if the YubiKey is already initialized.

    1. Click on Configure PINs

    2. The PIN is used to unlock and use the certificates on the YubiKey. You have 3 tries to enter the correct PIN before it is blocked (see the PUK below).

      Click Change PIN and then check Use default if the PIN is still the factory default (123456).
      Choose a PIN between 6 and 8 characters.
      Finish changing the PIN by clicking on Change PIN


    3. The PUK is used to unblock the PIN if it becomes blocked. You have 3 tries to enter the correct PUK; if the PUK is blocked as well, the only recovery is to reset the PIV application, which destroys every key stored in it.

      Click on Change PUK and then check Use default if the PUK is still the factory default (12345678).
      Choose a PUK between 6 and 8 characters.
      Finish changing the PUK by clicking on Change PUK



    4. The Management Key authorizes administrative PIV operations on the YubiKey, such as generating keys and importing certificates. It will be needed in the next section when creating a certificate, and it cannot be read back from the device, so you must store it in a secure repository.

      The Management Key is longer than what is visible in the field: an AES256 key is 32 bytes, displayed as 64 hex characters. Copy the whole value.


      Click on Change Management Key and then check Use default (if it is default).
      Choose AES256 as Algorithm (AES management keys require YubiKey firmware 5.4 or later; older keys only offer TDES).
      Click on Generate to randomly create a new management key, and copy it to your secure repository.
      Finish changing the key by clicking on Finish
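The same initialization done from the command line, as an added example that is not part of this page: it uses the ykman CLI (YubiKey Manager 5.x command syntax) instead of the GUI. It assumes ykman is on PATH and that the key still has the factory defaults (PIN 123456, PUK 12345678, and the default 3DES management key); pass the current values as parameters if it does not.

```powershell
# Added example (not from the original page): section I with ykman 5.x instead of the GUI.
param(
    [Parameter(Mandatory)][string]$NewPin,
    [Parameter(Mandatory)][string]$NewPuk,
    [string]$CurrentPin     = '123456',                                            # factory default
    [string]$CurrentPuk     = '12345678',                                          # factory default
    [string]$CurrentMgmtKey = '010203040506070801020304050607080102030405060708'   # factory default (3DES)
)

function Invoke-Ykman {
    # Run ykman with the given arguments; stop on a non-zero exit code and return its output.
    param([string[]]$ArgList)
    $output = & ykman @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "ykman $($ArgList -join ' ') failed:`n$($output -join "`n")" }
    return $output
}

# The GUI enforces 6-8 characters for PIN and PUK; check the same before touching the device.
foreach ($pair in @(@('PIN', $NewPin), @('PUK', $NewPuk))) {
    if ($pair[1].Length -lt 6 -or $pair[1].Length -gt 8) { throw "$($pair[0]) must be 6-8 characters" }
}

# Steps 1-2: show the PIV state (firmware, PIN/PUK tries remaining, management key algorithm).
Invoke-Ykman @('piv', 'info') | Write-Host

# Step 3 (PIN and PUK): each has 3 tries before it is blocked.
Invoke-Ykman @('piv', 'access', 'change-pin', '--pin', $CurrentPin, '--new-pin', $NewPin) | Out-Null
Invoke-Ykman @('piv', 'access', 'change-puk', '--puk', $CurrentPuk, '--new-puk', $NewPuk) | Out-Null

# Step 4: replace the default management key with a random AES-256 key
# (32 bytes, printed as 64 hex characters). AES keys need firmware 5.4 or later.
$out = Invoke-Ykman @('piv', 'access', 'change-management-key',
                      '--management-key', $CurrentMgmtKey,
                      '--algorithm', 'AES256', '--generate', '--force')
$mgmtKey = [regex]::Match(($out -join "`n"), '[0-9a-fA-F]{64}').Value
if (-not $mgmtKey) {
    throw "ykman did not print a 64-hex-character management key; check its output:`n$($out -join "`n")"
}

# ykman prints the generated key exactly once; it cannot be read back from the device.
Write-Host "New management key (store this in the secure repository now): $mgmtKey"

# Confirm the device now reports an AES256 management key and full retry counters.
Invoke-Ykman @('piv', 'info') | Write-Host
```

Run it as `.\Init-YubiKeyPiv.ps1 -NewPin <pin> -NewPuk <puk>` (the script name is arbitrary). Older ykman 4.x releases expose the same operations as `ykman piv change-pin`, `change-puk` and `change-management-key` without the `access` subcommand.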


II. Determine which certificate to use

The following is a suggested determination of which certificate process to follow. If you feel comfortable deviating, feel free to do so.


If you plan to use your YubiKey to log in to Windows workstations or Windows servers via RDP (from a Windows workstation), you need a Windows CA-issued certificate: Windows smart card logon only accepts certificates that chain to a CA trusted by Active Directory. Otherwise (SSH and sudo on Linux), a self-signed certificate is sufficient, because the SSH client only uses the key pair on the device and does not validate the certificate itself.


 Windows CA-issued Certificate

Prerequisites

  • Active Directory account
  • Windows domain-joined machine (necessary for Step 2), logged in as the account that will appear on the certificate
  • Account is a member of the CLAWS-managed group its-certs-smartcard (ask someone on the Systems or IA team to add you)

      • Once added, you need to log out and log in again to pick up the new group membership
        OR

      • Connect to a remote machine to perform Step 2

Enrollment

The PIN and Management Key will be needed to configure each certificate.

  1. Go back to Applications and then PIV

    1. Click on Configure Certificates

    2. Click on Authentication (Slot 9a) and then Generate

      Authentication (Slot 9a) and Key Management (Slot 9d) can both be used if more than one certificate is needed (e.g. for a separate -admin account)

    3. Check the radio for Certificate Signing Request and then click Next

    4. Select RSA2048 and then click on Next

    5. Input a descriptive subject (e.g. your username) and then click on Next
    6. The next page gives you a summary of what you've done. When you click Generate, it will open a save dialog to save the .csr file.


  2. Request the Certificate from the Active Directory Certificate Authority

    Open PowerShell and change to the directory where you saved the .csr file

    cd <directory where csr file is saved>

    Run the following command to request a certificate from ADCS. You will need to click on RIT AD Signing CA (Kerberos) - itscaad01.ad.rit.edu when the popup appears.

    certreq -submit -attrib "CertificateTemplate:YubicoSC" <csr file> <crt file>


    You may see the following message:

    Certificate retrieved(Issued) Issued  Invalid Issuance Policies:  1.3.6.1.4.1.311.21.8.1243817.6959666.9847190.948791.4713993.230.1.401

    Disregard the Invalid Issuance Policies for now. As long as you get Certificate retrieved(Issued), you will be good to continue moving forward.

  3. Once the .crt file is obtained successfully, go back to the YubiKey Manager application
    1. If you closed the application, go to Applications > PIV > Configure Certificates > Authentication
    2. Click on Import
    3. A dialog box will pop up; select the .crt file written by certreq in Step 2.
    4. Once the certificate is imported, you'll see its details populated in the application


  4. Once complete, remove and re-insert the YubiKey for the certificate to be seen (specifically by Windows).


OR


 Self-Signed Certificate

Enrollment

The PIN and Management Key will be needed to configure each certificate.

  1. Go back to Applications and then PIV

    1. Click on Configure Certificates

    2. Click on Authentication (Slot 9a) and then Generate

      Authentication (Slot 9a) and Key Management (Slot 9d) can both be used if more than one certificate is needed (e.g. for a separate -admin account)

    3. Check the radio for Self-signed Certificate and then click Next

    4. Select RSA2048 and then click on Next

    5. Input a descriptive subject (e.g. your username) and then click on Next
    6. Input a reasonable expiration time

      The current implementation ignores the certificate's expiration date, so any date in the future will work.

      For example, I chose my expected retirement date (not reflected in the picture below).


    7. The next page gives you a summary of what you've done. Click Generate whenever you are ready.
    8. You should then see the certificate in the slot you specified
  2. Once complete, remove and re-insert the YubiKey for the certificate to be seen (specifically by Windows).
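Both enrollment paths above (Windows CA-issued via certreq, and self-signed) done from the command line, as an added example that is not part of this page. It uses ykman 5.x and certreq, assumes the PIN and management key set in section I, and reuses the YubicoSC template name and the "Certificate retrieved(Issued)" success text from this page. The `server\CA name` string that would let certreq skip the CA picker is not given on this page, so `-CaConfig` is optional and the popup appears when it is left empty. The subject form `CN=username` is an assumption; use whatever subject the GUI steps would have used.

```powershell
# Added example (not from the original page): section II enrollment with ykman 5.x and certreq.
param(
    [Parameter(Mandatory)][ValidateSet('ADCS', 'SelfSigned')][string]$Mode,
    [Parameter(Mandatory)][string]$Subject,          # RFC 4514 form, e.g. 'CN=username' (assumed)
    [Parameter(Mandatory)][string]$Pin,
    [Parameter(Mandatory)][string]$ManagementKey,    # 64 hex chars from section I
    [ValidateSet('9a', '9d')][string]$Slot = '9a',   # 9d for a second cert, e.g. an -admin account
    [string]$CaConfig = '',                          # optional 'server\CA name'; empty = CA picker popup
    [int]$ValidDays = 3650                           # self-signed only; expiry is currently ignored
)

function Invoke-Native {
    # Run a native command; stop on a non-zero exit code and return its output.
    param([string]$Exe, [string[]]$ArgList)
    $output = & $Exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed:`n$($output -join "`n")" }
    return $output
}

$pub = "piv-$Slot-pub.pem"; $csr = "piv-$Slot.csr"; $crt = "piv-$Slot.crt"

# Steps 1.2-1.4: generate an RSA-2048 key pair inside the YubiKey. Only the public key
# is written to disk; the private key never leaves the device.
Invoke-Native ykman @('piv', 'keys', 'generate', '--algorithm', 'RSA2048',
                      '--management-key', $ManagementKey, '--pin', $Pin, $Slot, $pub) | Out-Null

if ($Mode -eq 'ADCS') {
    # Steps 1.5-1.6: CSR for the subject, signed by the on-device key (needs the PIN).
    Invoke-Native ykman @('piv', 'certificates', 'request', '--subject', $Subject,
                          '--pin', $Pin, $Slot, $pub, $csr) | Out-Null

    # Step 2: submit to ADCS with the YubicoSC template.
    $certreqArgs = @('-submit', '-attrib', 'CertificateTemplate:YubicoSC')
    if ($CaConfig) { $certreqArgs += @('-config', $CaConfig) }
    $certreqArgs += @($csr, $crt)
    $result = Invoke-Native certreq $certreqArgs
    $result | Write-Host
    # "Invalid Issuance Policies" may appear next to the success line; only
    # "Certificate retrieved(Issued)" matters here.
    if (($result -join "`n") -notmatch 'Certificate retrieved\(Issued\)') {
        throw "certreq did not report an issued certificate"
    }

    # Step 3: import into the same slot. --verify makes ykman check that the certificate's
    # public key matches the private key in the slot, which catches importing the wrong .crt.
    Invoke-Native ykman @('piv', 'certificates', 'import', '--verify',
                          '--management-key', $ManagementKey, '--pin', $Pin, $Slot, $crt) | Out-Null
}
else {
    # Self-signed path (steps 1.5-1.8): ykman signs the certificate with the slot's own key.
    Invoke-Native ykman @('piv', 'certificates', 'generate', '--subject', $Subject,
                          '--valid-days', $ValidDays, '--management-key', $ManagementKey,
                          '--pin', $Pin, $Slot, $pub) | Out-Null
}

# Confirm the slot now holds a certificate, then dump it to check subject and issuer.
Invoke-Native ykman @('piv', 'info') | Write-Host
Invoke-Native ykman @('piv', 'certificates', 'export', $Slot, "piv-$Slot-installed.pem") | Out-Null
certutil -dump "piv-$Slot-installed.pem"
Write-Host "Remove and re-insert the YubiKey so Windows sees the new certificate."
```

Run as `.\Enroll-YubiKeyPiv.ps1 -Mode ADCS -Subject 'CN=username' -Pin <pin> -ManagementKey <64 hex>` (or `-Mode SelfSigned`; the script name is arbitrary). `ykman piv keys generate` also accepts `--touch-policy ALWAYS`, which requires a physical touch for every signature; the GUI steps above do not set it, so the example leaves it out.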

III. Submit certificate for verification


 YubiKey Attestation and Submission


IV. Configure clients to use certificates

Windows: IV. YubiKey Windows SSH Client Configuration


Mac: IV. YubiKey Mac SSH Client Configuration


Linux: IV. YubiKey Linux SSH Client Configuration


V. Next steps

YubiKey Duo Setup - start.rit.edu/Duo

Other uses for certificates

Other uses of YubiKeys

Troubleshooting
