Enhance your Network Security with Zero Trust and OTP
I recently bought a new YubiKey, and for those of you who know me, I've been doing a lot of work on Zero Trust lately; so once the YubiKey arrived I decided to use it to gain access to my currently protected assets.
In this entry we'll look at the integration between CloudZiti and a YubiKey (keep in mind you can use OpenZiti instead and get the same results; I simply prefer not having a single open port).
As you probably know by now, OpenZiti is an open-source implementation of the Ziti platform; CloudZiti is built on top of it, providing secure and scalable network access to applications, services and identities.
I don't think you need to be told what a YubiKey is; just remember that it is basically an authentication device that supports multiple protocols, including One-Time Password (OTP), for enhanced security. My idea is to combine both technologies and improve the security and reliability of my network infrastructure (internal and external).
Enough theory, let's get started. In this post we will discuss two different integrations between CloudZiti and our YubiKey (they can be combined if you want or need to, totally up to you); this post uses the YubiKey 5 NFC.
Before getting started let's start with our ingredients:
- The Yubico Authenticator.
- The Yubikey Manager.
- The Yubico PIV Tool (you can also compile it yourself).
- The OpenSC binary to interact with the Yubikey at command line.
Option 1 - Integration with Yubico Authenticator.
This is the easiest path, as it basically only requires installing the Authenticator. Yubico Authenticator is an application developed by Yubico that works together with YubiKey hardware devices to provide two-factor authentication (2FA) or multi-factor authentication (MFA). It lets users generate Time-based One-Time Passwords (TOTP) or HMAC-based One-Time Passwords (HOTP), using the YubiKey as secure storage for the secret keys.
In order to make it work with the CloudZiti/OpenZiti Client you just need to:
- Enable MFA on your identity, if you're using the Windows ZTE.
- Click on the Show Secret link.
- After the code is displayed, copy it.
- Open The Yubico Authenticator and click on the Yubikey configuration icon.
- Click on Add Account.
- Fill with the information required. You can enable Require Touch if that's your desire. After that, click on save.
- The new account should appear in your YubicoAuthenticator. Click on it (or directly copy the code).
- If you clicked in the new account, then a new panel appears, where you can copy the code using the icon.
- Paste that code into your CloudZiti client window and click on Authenticate.
- Save your recovery codes (as you normally do for any MFA account you're using).
- The identity should now be authenticated with MFA enabled.
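The secret that the Show Secret link reveals is the TOTP seed (base32) that Yubico Authenticator stores on the YubiKey; every 6-digit code is derived from it and the current time. The following is an added example, not code from the post, Yubico or NetFoundry: it implements RFC 4226/6238 HOTP/TOTP and a verifier with a one-step drift window, using the RFC 6238 reference secret as a constructed input.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample: the RFC 6238 reference secret ("12345678901234567890")
# in the base32 form that Yubico Authenticator expects when you add an account.
SAMPLE_BASE32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    # Accept secrets pasted with spaces/lowercase and with missing '=' padding.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if at_time is None else at_time
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32: str, code: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Verifier-side check tolerating +/- `window` steps of clock drift.

    Uses a constant-time comparison so the match cannot be timed.
    """
    counter = at_time // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret_b32, counter + delta)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: T=59 gives "287082" with 6 digits. The drift window
    # accepts the previous/next 30-second step, anything further is rejected.
    print(totp(SAMPLE_BASE32_SECRET, 59))
    print(verify_totp(SAMPLE_BASE32_SECRET, "287082", 59 + 30))
    print(verify_totp(SAMPLE_BASE32_SECRET, "287082", 59 + 61))
```

Because anyone holding that base32 string can compute the same codes, the seed deserves the same protection as the recovery codes mentioned in the last step.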
Option 2 - Associate the Ziti Identity with the YubiKey directly.
- Log in to your CloudZiti console, click on Endpoints and click on the "Plus" icon to create a new Endpoint.
- Add the details of the Endpoint that will be bound to the YubiKey.
- Download the JWT and save it, as we'll need it later.
The remaining steps are run from a Windows command prompt, in the directory that contains ziti-tunnel.exe and the JWT you just downloaded:
REM The name for the configuration
SET HSM_NAME=yubikey_NF_NataS
REM The path to the root of the Yubico PIV Tool (wherever you installed it).
REM Quote the whole assignment so the quotes do not become part of the value.
SET "HSM_ROOT=C:\Program Files\Yubico\Yubico PIV Tool"
REM Put the PIV Tool binaries on the PATH and locate its PKCS#11 library.
SET "PATH=%PATH%;%HSM_ROOT%\bin"
SET "PKCS11_MODULE=%HSM_ROOT%\bin\libykcs11.dll"
REM The path to the OpenSC PKCS#11 library (wherever you installed it).
SET "OPENSC_MODULE=C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"
REM The id of the key. As my YubiKey is empty I'll use ID 01.
SET HSM_ID1=01
REM You can use RSA-based or EC-based signatures. I'll use the EC one.
SET RSA_ID=%HSM_NAME%%HSM_ID1%_rsa
SET EC_ID=%HSM_NAME%%HSM_ID1%_ec
REM The PINs used when accessing the PKCS#11 API (these are the factory-default values; if your YubiKey is not factory reset, use yours).
SET HSM_SOPIN=010203040506070801020304050607080102030405060708
SET HSM_PIN=123456
SET "HSM_DEST=%HSM_ROOT%\%HSM_NAME%"
SET HSM_LABEL=%HSM_NAME%-labelx
SET "HSM_TOKENS_DIR=%HSM_DEST%\tokens\"
REM Make an alias for pkcs11-tool that always loads the YubiKey module.
doskey p="C:\Program Files\OpenSC Project\OpenSC\tools\pkcs11-tool.exe" --module "%PKCS11_MODULE%" $*
REM We're in the same directory where ziti-tunnel.exe and the YubiKey identity JWT generated in the previous steps have been downloaded.
REM Initialise a new token on the YubiKey (the alias already passes --module).
p --init-token --label "ziti-natas-token" --so-pin %HSM_SOPIN%
REM With the token initialised, create the key pair that will be linked to our Ziti identity.
p -k --key-type EC:prime256v1 --usage-sign --usage-decrypt --login --id %HSM_ID1% --login-type so --so-pin %HSM_SOPIN% --label defaultkey
REM Using ziti-tunnel, enroll the identity and link it to the YubiKey EC key we just created.
REM %JWT_DOWNLOADED% is the JWT file downloaded above; the key is addressed by a pkcs11:// URL (module path, key id and user PIN).
.\ziti-tunnel.exe enroll -j ".\%JWT_DOWNLOADED%" -k "pkcs11://%OPENSC_MODULE%?id=%HSM_ID1%&pin=%HSM_PIN%" -v
REM Finally, start the tunnel in proxy mode and see how we can access our services.
REM %JSON_ENROLLED% is the identity file written by enroll; %My_First_Service% is the Ziti service name and %MAPPED_PORT% the local port it is mapped to.
.\ziti-tunnel.exe proxy -i %JSON_ENROLLED% %My_First_Service%:%MAPPED_PORT%
Happy Hacking!