
My company has a few dozen servers hosted on a cloud provider. All but one (the OpenVPN host) are closed to the internet. We're using OpenVPN AS, which uses certs + Google Authenticator for login.

We are very interested in security and we want to minimize the potential damage in case of infiltration of one of our employees' computers. To that end, we've mandated that employees lock down their personal machines via Yubico-PAM.

I also want to use the Yubikeys for SSH access. Now, the Neo supports SSH/GPG keys via its JavaCard support. I like this option because it doesn't require significant modification of any of our existing servers, just their authorized_keys files.

I have also seen integration of Yubico-PAM via password (type password, touch yubikey). This is nice but we don't use passwords, we use keyfiles, and unless there was a compelling security reason to switch, I'd rather keep it that way.

The third option I've seen is AuthenticationMethods in the newest versions of sshd (more here). This properly allows you to use a keypair and the Yubikey. Upon login with a correct key, the user is prompted to press the button on their Yubikey. Unfortunately it looks as though the server needs to ping Yubicloud.

In both cases I would likely build and query an LDAP server for Yubikey auth so we can easily revoke / add keys without having to ssh into every machine.

In my opinion, the first option is best (generate keys on the Yubikey Neo itself), as it requires the most minimal configuration of our servers, doesn't rely on the Yubicloud service to prevent replay, and wouldn't require an LDAP server.

Have any of you integrated Yubikeys (or other hardware tokens) into your administration flow? If so, which method did you choose, and why did you choose it?

STRML
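The third option above hinges on a single sshd_config detail that is easy to get wrong: AuthenticationMethods chains methods with commas (all must succeed) but separates alternatives with spaces (any one suffices), so `publickey keyboard-interactive:pam` silently allows a stolen key file to log in on its own. The audit below is an added example, not code from the question or from Yubico; the sshd_config samples are constructed, and the check only covers the sshd side (the pam_yubico line in /etc/pam.d/sshd is not parsed). It applies sshd's own rule that the first occurrence of a keyword wins, and stops at the first `Match` block rather than evaluating conditional sections.

```python
"""Audit sshd_config for 'public key AND PAM-backed second factor' login."""
import re

# Constructed sample: what the key-then-Yubikey setup discussed above looks like.
HARDENED = """
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
"""

# Constructed sample: AuthenticationMethods never set, so a key file alone is enough.
WEAK = """
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
"""

# Constructed sample: a space instead of a comma turns AND into OR.
OR_INSTEAD_OF_AND = """
UsePAM yes
PasswordAuthentication no
AuthenticationMethods publickey keyboard-interactive:pam
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value} using sshd's first-occurrence-wins rule."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":                       # conditional blocks are out of scope here
            break
        cfg.setdefault(key, val)                 # first occurrence wins, as in sshd
    return cfg


def audit_second_factor(cfg):
    """Return a list of findings; an empty list means key + PAM factor are both enforced."""
    findings = []
    methods = cfg.get("authenticationmethods")
    if methods is None:
        findings.append("AuthenticationMethods unset: a key file alone grants access")
    else:
        # Space-separated entries are alternatives (OR); each must itself be a
        # comma-separated chain (AND) containing publickey and keyboard-interactive.
        for chain in methods.split():
            steps = chain.split(",")
            has_key = "publickey" in steps
            has_kbd = any(s.startswith("keyboard-interactive") for s in steps)
            if not (has_key and has_kbd):
                findings.append(
                    f"chain '{chain}' does not require both publickey and keyboard-interactive")
    if cfg.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM must be yes for pam_yubico to be consulted")
    # Both spellings of the keyword default to yes; either one set to no disables the prompt.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "yes":
        findings.append("keyboard-interactive is disabled, so the PAM prompt never runs")
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication is enabled; disable it when only keys are used")
    return findings


if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK),
                         ("or-instead-of-and", OR_INSTEAD_OF_AND)):
        print(name, audit_second_factor(parse_sshd_config(sample)) or ["ok"])
```

On a live host the same check can be fed the effective configuration rather than the file, e.g. the output of `sshd -T`, which expands defaults and resolves includes.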

1 Answer


Yubikey can either be cloud-based with Yubi providing the "yes/no" answer or you can run it locally. Run locally and benefit from the OTP.

Konrads