Describes a procedure to share AuthLite keys (YubiKeys) between two domains or standalone machines, and the security implications of this configuration.
Overview
Within a domain, a user can use their AuthLite key on any domain-joined system, because the authentication is performed by Active Directory. Between two domains, or between standalone (non-domain) machines, using the same AuthLite key requires extra effort, even if you have the same username and password on each system.
There are two main concepts to understand before proceeding:
- AuthLite cannot automatically replicate authentication data between two domains or standalone systems, the way it does within a single domain between domain controllers and domain-joined systems. To share one key, you must manually copy that key's record to each domain or system.
- By default, whenever you integrate an account with an AuthLite key, the existing program on that key (if any) is ERASED. Therefore, when you set up the same key across several domains or systems, you must program the key only ONCE, on the first system, and then follow the special procedure described below on each additional domain or system. The AuthLite software warns you if you attempt to overwrite a key's program. Heed these warnings and make sure you understand what you are doing.
Security Considerations
Part of AuthLite's security comes from the one-time nature of the AuthLite keys. Pressing a key generates a one-time password (OTP). That value need not be kept secret, because any later use of the same value is rejected by the system as a replay. However, when you share one key across several independent authorities as shown here, the security of the system is weakened in the following way.
Consider standalone SystemA and SystemB, which both honor the same AuthLite key. If you log on to SystemA with an OTP and your password, SystemA records that OTP value and treats any future use of it as a replay. SystemB, however, has no knowledge that the value was used on SystemA. An eavesdropper on your logon session to SystemA could therefore take that OTP value and use it on SystemB without being rejected. If your plaintext passwords are ALSO the same on each machine, the attacker then has enough information to completely impersonate you on SystemB.
This issue can be partially mitigated by using a different plaintext password on each standalone system: a captured OTP is then useless to an attacker who does not also know the password for the other system. Even with this precaution, the total security of the system is lower when the same key is shared across several authorities in this fashion (though it is still far more secure than a password alone).
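The weakness described above can be seen in a small simulation. The following Python model is an added example, not part of AuthLite or of this article: it invents a toy OTP key (an HMAC over a press counter, not AuthLite's real OTP format) and two authorities that each keep their own replay memory. The key ID, secret, user names and passwords are constructed for the example.

```python
import hashlib
import hmac


class OtpKey:
    """Toy hardware key: a shared secret plus a press counter (not AuthLite's format)."""

    def __init__(self, key_id: str, secret: bytes):
        self.key_id = key_id      # 8 hex characters, public
        self.secret = secret      # known only to the key and the authorities that trust it
        self.counter = 0

    def press(self) -> str:
        """Each press binds the next counter value to the secret and emits it as an OTP."""
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.secret, ctr, hashlib.sha256).digest()[:8]
        return self.key_id + ctr.hex() + tag.hex()


class Authority:
    """One domain or standalone machine: its own accounts and its own replay memory."""

    def __init__(self, name: str):
        self.name = name
        self.keys = {}          # key_id -> (secret, username the key is bound to here)
        self.passwords = {}     # username -> password (plaintext only in this toy model)
        self.seen_otps = set()  # OTPs accepted HERE; other authorities never learn of them

    def import_key(self, key: OtpKey, username: str) -> None:
        """Equivalent of importing the key's record and binding it to a local account."""
        self.keys[key.key_id] = (key.secret, username)

    def logon(self, otp: str, password: str) -> bool:
        key_id, ctr_hex, tag_hex = otp[:8], otp[8:16], otp[16:]
        if key_id not in self.keys:
            return False
        secret, username = self.keys[key_id]
        expected = hmac.new(secret, bytes.fromhex(ctr_hex), hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False                  # forged or corrupted OTP
        if otp in self.seen_otps:
            return False                  # replay, detectable only if it was used here before
        if self.passwords.get(username) != password:
            return False                  # second factor wrong
        self.seen_otps.add(otp)
        return True


def run_scenario(same_password: bool) -> dict:
    """Log on to SystemA once, then replay the captured OTP on SystemA and on SystemB."""
    # Constructed key material for the example.
    key1 = OtpKey("cccc0001", bytes.fromhex("00112233445566778899aabbccddeeff"))
    system_a, system_b = Authority("SystemA"), Authority("SystemB")
    system_a.import_key(key1, "UserA")
    system_b.import_key(key1, "UserB")     # the same key record copied to both authorities
    system_a.passwords["UserA"] = "pw-for-A"
    system_b.passwords["UserB"] = "pw-for-A" if same_password else "pw-for-B"

    otp = key1.press()
    captured = (otp, "pw-for-A")           # what an eavesdropper on the SystemA logon sees
    return {
        "legit_logon_a": system_a.logon(*captured),
        "replay_on_a": system_a.logon(*captured),   # SystemA remembers the OTP: rejected
        "replay_on_b": system_b.logon(*captured),   # SystemB has never seen it
    }


if __name__ == "__main__":
    print("same password on both:", run_scenario(True))
    print("different passwords:  ", run_scenario(False))
```

With the same password on both systems the replay on SystemB succeeds; with different passwords it fails at the password check, which is exactly the partial mitigation described above. Nothing short of a shared replay memory between the two authorities would make the OTP itself single-use across both.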
Prerequisites
- This procedure requires AuthLite version 1.2.25 or greater.
- Before starting, thoroughly read Appendix A in the AuthLite administrator's manual and prepare each user account for recovery in the event of lost access. Beware: even if you use the same username and password on each domain or system, they are separate accounts and must each be recovered separately. A Windows recovery disk/file only works for the user and computer on which it was created.
Procedures
Summary
Note: Whether you are sharing a key across two domains or across two standalone machines, we will call them "SystemA" and "SystemB". On a domain, the AuthLite Data Manager is only available on a domain controller, but you can perform the logon and password-change steps on a workstation (normal domain users are not allowed to log on to DCs).
Here is an overview of the procedures we will perform. More detailed steps are shown below.
- Integrate a UserA on SystemA with Key1
- Export the data for Key1 and change the XML file to remove the Domain and Username
- Import the modified data file to SystemB
- Set up UserB to use Key1 through the change password screen
- Add a spare Key2 to UserA (on SystemA)
- Export the data for Key2 and change the XML to reflect SystemB and UserB
- Import the modified data file to SystemB
In the end, this will yield two keys that can each be used on either domain/machine, for logging in as the appropriate user on that domain/machine.
Details: Integrating UserA and sharing the first key
1. On SystemA, log on as UserA. If UserA is already using an AuthLite key, skip to step 6.
2. Plug in a blank AuthLite key, which we will call Key1.
3. From the Ctrl-Alt-Delete security screen, go to Change Password.
4. Enter your old and new passwords (or retype the same password if you don't want to change it), and select the option to set up a new AuthLite key.
5. Confirm your account is now integrated with AuthLite by logging out and logging in using Key1 and the password you set for UserA.
6. As an administrator, open the AuthLite Data Manager on SystemA.
7. Select the key record for UserA, and export it using File->Export.
8. Open the XML file you just saved in Notepad or another text editor.
9. Delete the lines containing the "Username" and "Domain" tags and their values. These must be cleared so that when the record is imported it is not associated with any user.
10. Save the XML, and bring the modified file to SystemB.
11. As an administrator, open the AuthLite Data Manager on SystemB.
12. From File->Import, import the modified XML file from SystemA.
13. You should see a new key record whose domain and username show as "not set".
14. Log on to SystemB as UserB. This account must not already be integrated with AuthLite; if it is, unintegrate it back to password-only before proceeding.
15. From the Ctrl-Alt-Delete security screen, go to Change Password.
16. EXTREMELY IMPORTANT! Instead of leaving the username in the first field, REPLACE that value by tapping Key1 into the field. The checkbox on the screen should change to say "Use AuthLite with this account". This tells the system you already have an existing key and do not want to program a new one.
17. Enter your old and new passwords (or retype the same password if you don't want to change it), and select the "Use AuthLite" checkbox.
18. If you receive a warning about reprogramming the key, STOP! Go back to step 16 and read it again. Accepting that warning would erase Key1's existing program (see Overview).
19. The system will find the unassociated key record and connect it to UserB with the password you have entered.
20. Confirm your account is now integrated with AuthLite by logging out and in using Key1 and the password you set for UserB.
Details: Adding a second key and sharing it
1. On SystemA, log on as UserA using Key1 and UserA's password.
2. Open AuthLite Configuration and select "My Integrated Keys".
3. Tap Key1 into the first field, "Current AuthLite Key".
4. Enter UserA's password in the next field.
5. Unplug Key1.
6. Plug in the blank Key2.
7. Press the "Program" button.
8. Verify that you can log in to SystemA with Key2 and the password for UserA.
9. As an administrator, open the AuthLite Data Manager on SystemA.
10. Tap Key2 into the "Find OTP" search box at the top left of the tool.
11. Select the key record it finds, and export it using File->Export.
12. Open the XML file you just saved in Notepad or another text editor.
13. Change the contents of the "Domain" tag from the name of SystemA to the name of SystemB.
14. Change the contents of the "Username" tag from UserA to UserB.
15. Save the XML and bring the modified file to SystemB.
16. As an administrator, open the AuthLite Data Manager on SystemB.
17. From File->Import, import the modified XML file from SystemA.
18. Verify that UserB now has two key records. You can tap Key2 into the "Find OTP" field and confirm that it finds a key record.
19. Confirm that Key2 is shared properly by logging in to SystemB with Key2 and the password for UserB.
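Both XML edits in the two procedures above (removing the "Domain" and "Username" tags from Key1's export so that it imports unassociated, and rewriting them in Key2's export to name SystemB and UserB) can be done with a script instead of Notepad, which avoids leaving one of the two tags behind or touching the wrong record. The following Python script is an added example, not part of AuthLite. The page names only the "Domain" and "Username" tags, so the surrounding element names and values in the embedded sample export are constructed assumptions about the file layout; check the script against a real export (including its text encoding) before relying on it.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for an exported key record. Only the "Domain" and
# "Username" tags come from the documented procedure; every other element
# name here is an assumption made for this example, not AuthLite's schema.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="utf-8"?>
<AuthLiteExport>
  <KeyRecord>
    <PublicId>cccccccccccc</PublicId>
    <Domain>SystemA</Domain>
    <Username>UserA</Username>
    <Description>Key1</Description>
  </KeyRecord>
</AuthLiteExport>
"""

ASSOCIATION_TAGS = ("Domain", "Username")
XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'


def serialize(root) -> str:
    """Re-emit the tree with an explicit UTF-8 declaration (ET.tostring omits one)."""
    return XML_DECL + ET.tostring(root, encoding="unicode")


def association(xml_text) -> dict:
    """Report which domain/user the record would bind to on import (None = not set)."""
    root = ET.fromstring(xml_text)
    found = {}
    for tag in ASSOCIATION_TAGS:
        el = root.find(f".//{tag}")
        found[tag] = el.text if el is not None else None
    return found


def detach_key_record(xml_text) -> str:
    """Sharing the first key: drop Domain and Username so the import shows 'not set'."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):        # materialise first: we mutate while walking
        for child in list(parent):
            if child.tag in ASSOCIATION_TAGS:
                parent.remove(child)
    return serialize(root)


def reassign_key_record(xml_text, domain: str, username: str) -> str:
    """Sharing the second key: point Domain and Username at the target system/user."""
    root = ET.fromstring(xml_text)
    hits = {tag: 0 for tag in ASSOCIATION_TAGS}
    for el in root.iter():
        if el.tag == "Domain":
            el.text = domain
            hits["Domain"] += 1
        elif el.tag == "Username":
            el.text = username
            hits["Username"] += 1
    # A file with no record, or with several, is not what the procedure expects: refuse it
    # rather than silently produce something that imports against the wrong account.
    if any(count != 1 for count in hits.values()):
        raise ValueError(f"expected exactly one Domain and one Username tag, found {hits}")
    return serialize(root)


if __name__ == "__main__":
    usage = ("usage: share_key.py detach IN.xml OUT.xml\n"
             "       share_key.py reassign IN.xml OUT.xml DOMAIN USERNAME")
    args = sys.argv[1:]
    if len(args) == 3 and args[0] == "detach":
        with open(args[1], "rb") as f:          # bytes: let the parser honour the declaration
            result = detach_key_record(f.read())
    elif len(args) == 5 and args[0] == "reassign":
        with open(args[1], "rb") as f:
            result = reassign_key_record(f.read(), args[3], args[4])
    else:
        sys.exit(usage)
    with open(args[2], "w", encoding="utf-8") as f:
        f.write(result)
    print(args[2], "->", association(result))
```

Run `share_key.py detach Key1.xml Key1-unassociated.xml` for the first procedure and `share_key.py reassign Key2.xml Key2-SystemB.xml SystemB UserB` for the second; the final line prints what the output file would bind to, so you can confirm "not set" (both None) or SystemB/UserB before carrying the file across. Running `reassign` on an already detached file deliberately fails, because there is nothing left to rewrite.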
Additional domains/machines
You can reuse the XML files exported and modified from SystemA, and perform the "SystemB" steps on each additional domain or machine, to share the same keys there as well. For the second key's file, edit the "Domain" and "Username" values to match each target system and user before importing. Keep in mind that every additional authority is one more place where an OTP captured on any of the others can be replayed, as described under Security Considerations.