implementing the yubikey at fermilab
play

Implementing the Yubikey at Fermilab Sal Gonzlez and Al Lilianstrom - PowerPoint PPT Presentation

Mar 16, 2023 •426 likes •714 views

FERMILAB-SLIDES-19-031-CD Implementing the Yubikey at Fermilab Sal Gonzlez and Al Lilianstrom National Laboratories Information Technology Summit 2019 This manuscript has been authored by Fermi Research Alliance, LLC under Contract No.

  1. FERMILAB-SLIDES-19-031-CD Implementing the Yubikey at Fermilab Saúl González and Al Lilianstrom National Laboratories Information Technology Summit 2019 This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of Energy, Office of Science, Office of High Energy Physics.

  2. Implementing the Yubikey at Fermilab Fermilab, America's particle physics and accelerator laboratory, is an open science facility. Fermilab started limited use of DOE issued PIV-I cards for elevated access to services as part of the 2016 DOE mandate. With FIPS 140-2 validated Yubikeys now available Fermilab has begun a much broader implementation using the Yubikey as a PIV-I Smart Card, not only to replace the DOE issued cards, but to expand the usage to more users and services as well as network access. This talk will cover Yubikey provisioning and lifecycle management, authentication service configuration, integration with existing applications and account lifecycle processes, and usage across the unique Fermilab infrastructure. Track - Infrastructure/Operations FERMILAB-SLIDES-19-031-CD 2 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  3. About Fermilab Fermilab is America's particle physics and accelerator laboratory. – Our vision is to solve the mysteries of matter, energy, space and time for the benefit of all. We strive to: • lead the world in neutrino science with particle accelerators • lead the nation in the development of particle colliders and their use for scientific discovery • advance particle physics through measurements of the cosmos Our mission is to drive discovery by: – building and operating world-leading accelerator and detector facilities – performing pioneering research with national and global partners – developing new technologies for science that support U.S. industrial competitiveness www.fnal.gov 3 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  4. The Fermilab Environment • Fermilab is an Open Science Laboratory • Fermilab's 1,750 employees include scientists and engineers from all around the world. – Currently hosting over 4000 users • Fermilab collaborates with more than 50 countries on physics experiments based in the United States and elsewhere. 4 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  5. Timeline • PIV Rollout – September 2016 – Focus on “privileged access” • Authentication admins • Network admins • PII – Small distribution • HID ActiveKey evaluation – Summer 2017 – Undertaken by the Authentication Services Group • Goal was to find an ActiveClient compatible smartcard for use with our Certificate Authority • Yubikey evaluation – Fall 2017 • Yubikey rollout – Spring 2019 5 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  6. Authentication Overview 6 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  7. Infrastructure • Certificate Authority Servers – Microsoft Certificate Services integrated with Active Directory • Offline Root CA • Subordinate CAs for each Active Directory domain – User and computer certificates are issued from the subordinate CA – Certificates for the Root and Subordinate should be published to Active Directory to deploy to all domain members – Non-domain computers will have to add them • BYOD • Non-Windows – Managed and Stand-alone 7 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  8. Infrastructure • Certificate Revocation List – CRLs are hosted on a central web server • CRLs are updated hourly on the subordinate CAs and copied to the web server with a PowerShell script • Offline Root CA CRL is published and copied to the central web server as part of the monthly patching process • Exception was required to site policy as a CRL must be located on a plain HTTP site – Certificates had to be reissued as the CRL evolved • Individual CA server – Central web server 8 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  9. Infrastructure • Domain Controllers – Host certificates for DCs must support Smart Card authentication • No issue for the Microsoft CA Service – Unless there are existing host certificates enabling SSL for LDAP over SSL • The use of different certificate stores resolves this problem 9 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  10. Yubikey • Database – Yubikey serial number – PUK – Management key – Username – Management data • Identity proofing – HR business process – Employees and on-premise contractors only at this time 10 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  11. Work Flow Enrollment-Yubikey.ps1 Unblock-PIN.ps1 Reset — Yubikey.ps1 Get-Yubikey-List.ps1 Get-Yubikey-Report.ps1 Get-Yubikey-Stats.ps1 Revoke- Database Notice Admin Terminal Server Revoke-Certificate-Notification.ps1 CA Server 11 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  12. Yubikey • Issuance – PowerShell script • Integrated with Active Directory – Dedicated workstation • SmartCard authentication required • Special accounts that are only able to issue smart cards. 12 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  13. Yubikey • Other functions – Replacement • Lost or damaged – Clearing • Termination – Pin/PUK reset • Yubikey locks after 5 bad PIN attempts – With the Replacement or Clearing options the previously issued certificate is set in the database as Revocation Pending • PowerShell script queries the database for this flag – Contacts CA and revokes the certificate • Updates database 13 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  14. Uses • Application servers – Windows – Linux • Appliances 14 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  15. Application Servers • Windows – Install Yubikey minidriver • Different process for physical and virtual servers – Enable server for SmartCard Authentication – Group Policies • Username Hint • Enforce SmartCard 15 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  16. Application Servers • Clients for Windows Servers – Windows Remote Desktop – Microsoft Remote Desktop for OSX – rdesktop (OSX and Linux) • OSX – homebrew (https://brew.sh/) – brew install homebrew/x11/rdesktop --with-smartcard 16 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  17. Application Servers • Windows – If non-Windows RDP clients are in use • No valid certificates on the smart card error – Create scheduled task to start the Smart Card service based on an event • http://blogs.danosaab.com/2016/12/using-smart-card-with-remote-desktop-connection-on-mac-osx/ 17 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  18. Application Servers • Windows – Certificate subject must be added to the altSecurityIdentities attribute for the user in Active Directory • Default access limited to Domain Admins 1. Delegate access to the Service Desk personnel that issue the Yubikeys and have the issuing script update the attribute 2. Delegate access to a service account that monitors the database and updates the attribute 3. Monitor the database with a script and generate commands to be executed by the domain admins • Currently – option #3 is in use 18 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  19. Application Servers • Linux – Configure sshd • /etc/ssh/sshd_config – Disable Kerberos – Enable PubkeyAuthentication – Coordinate with Cyber Security • Compliance scanners… • Exception was requested and granted for our specific servers – User configuration • Extract public key from the certificate on the Yubikey – Add to .ssh/authorized_keys in the users home directory – Be sure to set permissions properly on the file • PuTTY Users – a version is available that supports SmartCards – PuTTY-CAC 19 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  20. Appliances • VPN – MultiFactor authentication • Citrix – Replace and extend the existing PIV usage 20 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  21. Remote locations • Deep Underground Neutrino Experiment (DUNE) – Lead, South Dakota • Provisioning – Videoconference assistance for issuing Yubikeys • Certificate on Yubikey will be on Hold in the CA so it can not be used – Remote user must contact the Service Desk once the Yubikey arrives to get the default PIN • Videoconference – Windows users will be able to reset PIN with Ctrl-Alt-Delete • OSX and Linux… 21 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  22. Remote locations • User assistance – PIN Reset – Locked Yubikey 22 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

  23. Monitoring • altSecurityIdentities attribute – Certificates can be added to any account allowing access • Quest Change Auditor – Alerts domain administrators whenever the attribute is modified • PowerShell script – Checks the certificate assigned against the username of the account • Notifies domain administrators of any discrepancies 23 5/31/2019 González/Lilianstrom | Implementing the Yubikey at Fermilab

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy

Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy

Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy mderoucy@linagora.com http:// dokuwiki. craoc.fr/ About myself (really quick I promise) Job Technical Account Manager OSSA Open Source

279 views • 17 slides
IMPLEMENTING THE CC-USB CONTROL MODULE FOR USE IN CAMAC CRATES AT THE FERMILAB TEST BEAM

IMPLEMENTING THE CC-USB CONTROL MODULE FOR USE IN CAMAC CRATES AT THE FERMILAB TEST BEAM

IMPLEMENTING THE CC-USB CONTROL MODULE FOR USE IN CAMAC CRATES AT THE FERMILAB TEST BEAM FACILITY B Y K A R E N L I P A , S I S T I N T E R N A U G 8 , 2 0 1 2 1 OUTLINE Background ound info Speci cific c use: : cosmic

441 views • 23 slides
Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP PGP 101 public/private keyrings Roman, John PGP PGP 101

690 views • 42 slides
Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP PGP 101 public/private keyrings Roman, John PGP PGP 101

471 views • 43 slides
The High Intensity Horizon at Fermilab R. Tschirhart Fermilab Fermilab Users Meeting June 13 th

The High Intensity Horizon at Fermilab R. Tschirhart Fermilab Fermilab Users Meeting June 13 th

The High Intensity Horizon at Fermilab R. Tschirhart Fermilab Fermilab Users Meeting June 13 th , 2012 Project-X: Evolution of the existing Fermilab accelerator complex with the revolution in Super-Conducting RF Technology. any

587 views • 32 slides
Fermilab Users Meeting Fermilab Users Meeting Fermilab Users Meeting Fermilab Users

Fermilab Users Meeting Fermilab Users Meeting Fermilab Users Meeting Fermilab Users

Fermilab Users Meeting Fermilab Users Meeting Fermilab Users Meeting Fermilab Users Meeting CMS Physics from Early LHC Running Dan Green Fermilab For the CMS Collaboration FNAL Users Meeting June 2010 1 Outline Outline

617 views • 25 slides
Searching for Muon to electron conversion: The Mu2e experiment at Fermilab Richie Bonventre

Searching for Muon to electron conversion: The Mu2e experiment at Fermilab Richie Bonventre

This document was prepared by Mu2e collaboration using the resources of the Fermi National FERMILAB-SLIDES-19-078-ND Accelerator Laboratory (Fermilab), a U.S. Department of Energy, Office of Science, HEP User Facility. Fermilab is managed by

878 views • 66 slides
A Beam-Based Production Target Monitor for the Mu2e Experiment at Fermilab APS DPF 2019

A Beam-Based Production Target Monitor for the Mu2e Experiment at Fermilab APS DPF 2019

This document was prepared by Mu2e collaboration using the resources of the Fermi National Accelerator Laboratory (Fermilab), a U.S. FERMILAB-SLIDES-19-084-CCD-OCIO Department of Energy, Office of Science, HEP User Facility. Fermilab is managed by

536 views • 29 slides
Welcome to Fermilab and the 13th annual Fermilab-CERN HCPSS! 13 th annual Fermilab-CERN Hadron

Welcome to Fermilab and the 13th annual Fermilab-CERN HCPSS! 13 th annual Fermilab-CERN Hadron

Welcome to Fermilab and the 13th annual Fermilab-CERN HCPSS! 13 th annual Fermilab-CERN Hadron Collider Physics Summer School August 20-31, 2018 Fermilab hcpss.fnal.gov/hcpss18 Jim Hirschauer and Estia Eichten 20 Aug 2018 Introductions

158 views • 13 slides
Fermilab Quantum Computing Testbed Approaches James Amundson, Fermilab with contributions from

Fermilab Quantum Computing Testbed Approaches James Amundson, Fermilab with contributions from

Fermilab Quantum Computing Testbed Approaches James Amundson, Fermilab with contributions from James Kowalkowski, Adam Lyon, Alexandru Macridin, Gabriel Perdue and Panagiotis Spentzouris December 6, 2017 Background Fermilab and Fermilab

676 views • 38 slides
Experience with Crystals at Fermilab Vladimir SHILTSEV (Fermilab) Workshop on Acceleration In

Experience with Crystals at Fermilab Vladimir SHILTSEV (Fermilab) Workshop on Acceleration In

Experience with Crystals at Fermilab Vladimir SHILTSEV (Fermilab) Workshop on Acceleration In Crystals and Nanostructures June 24-25, 2019 - Fermilab Past Experience at Fermilab Slow extraction (Tevatron Run I): 1990s R.Carrigan, et

429 views • 40 slides
Re Report on Fermilab and Community y Strategies Interface of Fermilab with Snowmass SNOWMASS

Re Report on Fermilab and Community y Strategies Interface of Fermilab with Snowmass SNOWMASS

Re Report on Fermilab and Community y Strategies Interface of Fermilab with Snowmass SNOWMASS 2021 Fermilab PAC, July 20, 2019 Marcela Carena Fermilab Marcela Carena | Fermilab PAC 20.07.2019 European Particle Physics Strategy Update

216 views • 18 slides
Fermilab Theory Status and Plans Marcela Carena Fermilab PAC Meeting July 17, 2018 Role of

Fermilab Theory Status and Plans Marcela Carena Fermilab PAC Meeting July 17, 2018 Role of

Fermilab Theory Status and Plans Marcela Carena Fermilab PAC Meeting July 17, 2018 Role of Fermilab theorists Focus core strengths in key research areas directly related to the Fermilab experimental program Conduct world-leading theoretical

961 views • 54 slides
The Science & Computing @Fermilab Sharan Kalwani w/numerous contributions from everyone @

The Science & Computing @Fermilab Sharan Kalwani w/numerous contributions from everyone @

The Science & Computing @Fermilab Sharan Kalwani w/numerous contributions from everyone @ Fermilab Chicago UniForum meetup.com Tuesday, October 28, 2014 What is Fermilab? What do we do here? Fermilab is America's particle physics and

716 views • 57 slides
T evatron Highlights FERMILAB-SLIDES-18-094-E D CDF Fermilab Users Meeting This document

T evatron Highlights FERMILAB-SLIDES-18-094-E D CDF Fermilab Users Meeting This document

T evatron Highlights FERMILAB-SLIDES-18-094-E D CDF Fermilab Users Meeting This document was prepared by [CDF and D0 Collaborations] using the resources of the Fermi National Accelerator Laboratory (Fermilab), a U.S. Department of Energy,

207 views • 19 slides
New Ini(a(ves in Fermilab Par(cle Astrophysics (a.k.a.

New Ini(a(ves in Fermilab Par(cle Astrophysics (a.k.a.

New Ini(a(ves in Fermilab Par(cle Astrophysics (a.k.a. non-accelerator physics) Aaron S. Chou Wilson Fellow, FNAL 2010 Fermilab Users Mee(ng Energy

467 views • 27 slides
Please Stand By Training Webinar will begin shortly For audio, please call 1-800-369-1820

Please Stand By Training Webinar will begin shortly For audio, please call 1-800-369-1820

SPARS Training- NSSP and Zero Suicide Please Stand By Training Webinar will begin shortly For audio, please call 1-800-369-1820 Conference Number PMXW7155346 Audience Pass code 2352660 If you are experiencing technical difficulties, please

958 views • 67 slides
Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory

Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory

Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory features in Samba What has been done in the last year? Samba 4.9 Password and membership change auditing LMDB back-end (semi-experimental)

1.06k views • 49 slides
Stakeholder Engagement in Real World Evidence in Oncology CAPT 2018 Conference October 22, 2018

Stakeholder Engagement in Real World Evidence in Oncology CAPT 2018 Conference October 22, 2018

Stakeholder Engagement in Real World Evidence in Oncology CAPT 2018 Conference October 22, 2018 10:45 a.m. 12:00 noon 1 Panelists Barry Stein Alexandra Chambers President & CEO Director pCODR Colorectal Cancer Canada CADTH

908 views • 76 slides
PAN 2010 Results Uncovering Plagiarism, Authorship, and Social Software Misuse

PAN 2010 Results Uncovering Plagiarism, Authorship, and Social Software Misuse

PAN 2010 Results Uncovering Plagiarism, Authorship, and Social Software Misuse Bauhaus-Universitt Weimar Martin Potthast, Benno Stein Andreas Eiselt, Teresa Holfeld Universidad Politcnica de Valencia Alberto Barrn-Cedeo, Paolo

538 views • 25 slides
Building Blocks for PRU Development Overview Embedded Processing Agenda PRU Hardware Overview

Building Blocks for PRU Development Overview Embedded Processing Agenda PRU Hardware Overview

Building Blocks for PRU Development Overview Embedded Processing Agenda PRU Hardware Overview PRU Firmware Development Linux Drivers Introduction PRU Hardware Overview Building Blocks for PRU Development ARM SoC Architecture ARM

555 views • 32 slides
Laudit des GPO Aurlien Bordes SSTIC 5 juin 2019 /49 Rappels et contexte Les GPO (

Laudit des GPO Aurlien Bordes SSTIC 5 juin 2019 /49 Rappels et contexte Les GPO (

Laudit des GPO Aurlien Bordes SSTIC 5 juin 2019 /49 Rappels et contexte Les GPO ( Group Policy Object ) : Sont apparues avec Windows 2000 et lActive Directory Permet dappliquer des paramtres de configuration Sont

830 views • 49 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
PROMISE ZONES Urban - 2014 Draft Second Round Application Guide April 29, 2014 Presenter

PROMISE ZONES Urban - 2014 Draft Second Round Application Guide April 29, 2014 Presenter

PROMISE ZONES Urban - 2014 Draft Second Round Application Guide April 29, 2014 Presenter Valerie Piper , Deputy Assistant Secretary for Economic Development, HUD Objectives of todays webinar: Provide an overview of the Promise

326 views • 11 slides

More recommend