YubiKeys for two-factor VPN authentication on Windows 7

We recently implemented two-factor authentication for VPN access to our LAN. We use YubiKeys from Yubico to provide one-time passwords (OTPs) which, combined with the domain login and password, protect us from attacks that password-only solutions can never address: a password that is phished, keylogged or reused elsewhere is useless to an attacker without the second factor, and a captured OTP cannot be replayed.

You hang YubiKeys on your keychain so you always have them with you, and there are no interoperability concerns (unlike smartphone solutions such as Google Authenticator). A YubiKey has no battery; it draws its power from the USB port you plug it into. To your computer it looks just like a USB keyboard, and pressing its green button makes it type a 44-character OTP followed by <enter>, exactly as if you had typed it. The 44 characters are "modhex" (an alphabet of 16 letters chosen to be the same on every keyboard layout): a fixed 12-character public ID that identifies the key, followed by a 32-character encrypted block that changes on every press.

We wanted to use the standard VPN client built into Windows 7, so we can connect from any Windows 7 computer without installing custom software. In the most straightforward deployment, you append your YubiKey OTP to your normal domain password. But it turns out that the Windows 7 VPN client accepts a maximum of 48 characters in the password field, and beyond that it truncates from the start of the password. Since a YubiKey OTP is 44 characters long, only the last 4 characters of the password survive, which is of course far below any acceptable domain password length.

The solution to the 48-character password limit in the Windows 7 VPN client is to append the OTP to the user name instead, since the client does not impose this limit on the user-name field. One gotcha with this approach: pressing the YubiKey button to generate the OTP also sends <enter>, which immediately tries to establish the VPN connection, so you must fill in the user name and password first and append the OTP to the user name as the very last step. Also keep in mind that the user-name field is normally written in clear text to VPN and RADIUS logs; because an OTP is single-use this is not a replay risk, but the logs will show which key (public ID) each user carries. Yubico has an article about how to work around VPN client limitations here.

To help make use of YubiKeys for logging into corporate networks, Yubico provides a free virtual machine for setting up a RADIUS server. It is based on a Debian Linux release and runs YubiRADIUS, Yubico's FreeRADIUS-based implementation that integrates with their one-time password validation service. YubiRADIUS can strip the YubiKey OTP from either the login or the password, pass the OTP on to a validation server, which verifies that it was generated by the YubiKey assigned to that user and has not been used before, and then authenticate the remaining user name and password against the domain.
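The two pieces of logic described above, the 48-character truncation that breaks password+OTP and the server-side stripping of a trailing OTP from either field, are small enough to model. The following is an added example, not code from the original post or from Yubico's YubiRADIUS; it assumes the truncation rule as the post describes it (the field keeps only the last 48 characters typed) and uses a constructed OTP, so the public ID and its decoded value are illustrative, not a real key.

```python
from typing import Optional, Tuple

# Modhex: the 16-letter alphabet a YubiKey types, chosen so the same scan codes
# produce the same characters on every keyboard layout. Index = nibble value.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
OTP_LENGTH = 44          # 12-char public ID + 32-char encrypted block
PUBLIC_ID_LENGTH = 12
# Claimed limit of the Windows 7 VPN client password field (from the post).
# Assumption: truncation keeps the LAST 48 characters typed.
WIN7_VPN_PASSWORD_LIMIT = 48

# Constructed sample OTP (44 modhex characters); not from a real key.
SAMPLE_OTP = "ccccccbcgujh" + "ngjkhkvluinkebggclfldcccjrbgdkll"


def is_yubikey_otp(s: str) -> bool:
    """True if s has the exact shape of a YubiKey OTP: 44 modhex letters."""
    return len(s) == OTP_LENGTH and all(ch in MODHEX_ALPHABET for ch in s)


def split_otp(field: str) -> Tuple[str, Optional[str]]:
    """Strip a trailing OTP from a login or password field.

    Mirrors what a RADIUS front end must do before it can forward the OTP to a
    validation server and the remaining credential to the domain. Requires at
    least one character before the OTP so a bare OTP is not accepted as a
    credential. Caveat: a credential whose last 44 characters happen to be
    modhex letters is indistinguishable from credential+OTP by shape alone.
    """
    if len(field) > OTP_LENGTH and is_yubikey_otp(field[-OTP_LENGTH:]):
        return field[:-OTP_LENGTH], field[-OTP_LENGTH:]
    return field, None


def public_id(otp: str) -> str:
    """The constant 12-character prefix identifying which key produced the OTP."""
    return otp[:PUBLIC_ID_LENGTH]


def modhex_to_hex(s: str) -> str:
    """Decode modhex to ordinary hex (used to look the public ID up in logs)."""
    return "".join("0123456789abcdef"[MODHEX_ALPHABET.index(ch)] for ch in s)


def simulate_win7_password_field(password: str, otp: str) -> Tuple[str, Optional[str]]:
    """Model password+OTP typed into the Win7 client, then split server-side.

    Returns the (password, otp) pair the server would actually receive after
    the client keeps only the last WIN7_VPN_PASSWORD_LIMIT characters.
    """
    typed = password + otp
    received = typed[-WIN7_VPN_PASSWORD_LIMIT:]   # assumption: tail survives
    return split_otp(received)


def simulate_username_field(username: str, otp: str) -> Tuple[str, Optional[str]]:
    """Model OTP appended to the user name, which the post says is not truncated."""
    return split_otp(username + otp)


if __name__ == "__main__":
    # A 12-character domain password loses its first 8 characters in the
    # password field; the same OTP appended to the user name survives intact.
    print(simulate_win7_password_field("Passw0rd!xyz", SAMPLE_OTP))
    print(simulate_username_field("jdoe", SAMPLE_OTP))
    print(public_id(SAMPLE_OTP), modhex_to_hex(public_id(SAMPLE_OTP)))
```

Running it shows the problem concretely: the password field delivers only "!xyz" plus the OTP to the server, so the domain check would run against a 4-character password, while the user-name field delivers "jdoe" and the full OTP.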

