We recently implemented two-factor authentication for VPN access to our LAN. We use Yubikeys from Yubico to provide one-time passwords (OTPs) which, when combined with the domain login and password, protect us from an array of attacks that password-only solutions can never solve.
You hang Yubikeys on your keychain so you always have them with you, and there are zero interoperability concerns (unlike smartphone solutions such as Google's Authenticator). A Yubikey requires no battery but draws its power from the USB port you plug it into. To your computer it looks just like a keyboard, and pushing its green button makes it type 44 letters followed by <enter>, exactly as if you had typed them.
We wanted to use the standard VPN client built into Windows 7, so we can connect from any computer running Windows 7 without having to install custom software. In the most straightforward deployment, you append your Yubikey OTP to your normal domain password. But it turns out that the Windows 7 VPN client supports a maximum of 48 characters for the password, beyond which it truncates from the start of the password. Since a Yubikey OTP is 44 characters long, that leaves room for passwords of at most 4 characters, which of course is far below the acceptable range of domain password strength.
The solution to the 48-character password limit in the Windows 7 VPN client is to append the OTP to the user name, for which the VPN client has no such limit. One gotcha with this solution is that pushing the Yubikey button to generate the OTP automatically hits <enter>, which tries to establish the VPN connection, so you must fill out the user name and password before appending the OTP to the user name. Yubico has an article about how to work around VPN client limitations here.
To help make use of Yubikeys for logging into corporate networks, Yubico gives you a virtual machine to set up a RADIUS server. This free virtual machine is based on a Debian Linux release, on which YubiRADIUS runs, Yubico's FreeRADIUS-based implementation that integrates with their one-time password server. YubiRADIUS can strip the Yubikey's one-time password from either the login or the password field and pass it on to a validation server, which verifies that the one-time password was generated by a specific Yubikey and that it is valid.
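To make the two limits above concrete, here is an added example (my own illustration, not YubiRADIUS or Yubico code) that mimics the "strip the OTP from the login" step and shows why appending the OTP to the password fails under the 48-character truncation. It only splits and sanity-checks the modhex OTP; it does not validate it, which remains the job of the validation server. The OTP and user names are constructed sample values.

```python
import re

# A Yubikey OTP is 44 modhex characters: a 12-character public ID that
# identifies the key, followed by 32 characters of encrypted token data.
OTP_LEN = 44
PUBLIC_ID_LEN = 12
# Modhex uses these 16 letters so the key types the same thing on any keyboard layout.
MODHEX_RE = re.compile(r"^[cbdefghijklnrtuv]{%d}$" % OTP_LEN)

# Limit of the Windows 7 built-in VPN client, as described in the post.
WIN7_VPN_PASSWORD_MAX = 48


def split_otp_from_login(login: str):
    """Split 'username<otp>' into (username, otp).

    This is the strip-from-login mode the post uses. Returns None when the
    login is too short or its last 44 characters are not well-formed modhex,
    so a plain user name without an OTP is rejected rather than half-parsed.
    """
    if len(login) <= OTP_LEN:
        return None
    username, otp = login[:-OTP_LEN], login[-OTP_LEN:]
    if not MODHEX_RE.match(otp):
        return None
    return username, otp


def public_id(otp: str) -> str:
    """The first 12 modhex characters identify which Yubikey produced the OTP;
    the validation server uses them to look up that key's secret."""
    return otp[:PUBLIC_ID_LEN]


def windows7_vpn_truncate(password_field: str) -> str:
    """Model the client behaviour from the post: beyond 48 characters it keeps
    the end of the field and drops characters from the start."""
    return password_field[-WIN7_VPN_PASSWORD_MAX:]


def password_survives_otp_append(password: str) -> bool:
    """True only if password+OTP still fits, i.e. the password is at most 4 characters."""
    return len(password) + OTP_LEN <= WIN7_VPN_PASSWORD_MAX


if __name__ == "__main__":
    otp = "ccccccbcgujh" + "kvdljedhbdgfhjlrkdfchvbtcndjhgtl"  # constructed sample
    print(split_otp_from_login("alice" + otp))
    print(windows7_vpn_truncate("Pa55word" + otp)[:8])  # the first 4 password chars are gone
```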
The RADIUS server can be configured to synchronize its users and passwords with Active Directory, so it is pretty easy to point it at your domain's AD server and get all your existing domain users supported in RADIUS. You can run your own validation server or you can use the 'cloud' one provided by Yubico; every Yubikey issued by Yubico can be validated against the cloud one unless you reprogram your Yubikeys.
The last step in configuring the RADIUS virtual machine is to declare which machines will be using its RADIUS services. Since it takes an IP with a netmask, you can limit allowed clients to a single IP or an entire network. You also have to configure the shared secret that clients must know in order to make use of the RADIUS service. In our case, the only client using the RADIUS service so far is our VPN firewall, which uses it for VPN authentication. Previously this VPN firewall was using the Active Directory server for VPN authentication, but simply changing its authentication mode to RADIUS and pointing it to the YubiRADIUS server introduced two-factor authentication.
Yubikeys come with software that lets you reprogram these little keys to do a whole lot more than support one time passwords, but just for the two factor VPN authentication these have already proven to be well worth their price. Thanks Yubico for keeping the net safe!