On our Linux machines, secure shell (OpenSSH) is configured to only allow designated jump or bastion servers to log in. Access to the jump servers is controlled by Duo.
One user, who does not have a supported Android or iOS phone, wants to use a YubiKey. I can see that his key was registered but it doesn’t seem to work. Is there something I need to do to enable it?
I am using duo_unix v 1.12.0 on Oracle Linux 8.
I have never set up Duo for a YubiKey before so I’m kind of lost.
It’s making a little more sense now. The user registered his Yubikey as a WebAuthn device. If I understand the documentation, WebAuthn is for authentication from within a browser and is not appropriate for secure shell. Please correct me if I am wrong.
If the YubiKey model supports both WebAuthn and OTP then you can import it as a hardware key for OTP use with Duo Unix while he continues to use it as a WebAuthn key in the browser prompt too.
If the YubiKey model is a FIDO2-only model, then it can’t also be used as an OTP token for Duo Unix.
ETA: I think there is a feature request for WebAuthn support in Duo Unix. If this interests you please contact your Duo account exec or customer success manager if you have one, or contact Duo Support, and they can note your interest in this potential enhancement.
No, OTP token import is the same in all Duo plans.
I think they are $20/ea in the US; you can verify this from the billing area of your Admin Panel. You are right, you have to buy 10 minimum. Also be aware that we will not provide you with the token seed info (if you wanted to use the tokens with another service as well). If you want to have control over your seed info you need to purchase your own third-party OTP tokens and then import them.