Using A Yubikey

Overview

What is a YubiKey

The YubiKey is a small hardware authentication token that looks like a USB memory stick, but is actually a small keyboard. It plugs into a your USB port and enables you to obtain a Kerberos ticket.

Discussing a common concern - Its NOT a USB drive

The YubiKey is NOT a USB drive. It is a small keyboard that provides a secure login code, similar to your Common Access Card (CAC).

Image of a YubiKey

What should I know about my YubiKey?

An YubiKey provides the same functionality as a Common Access Card (CAC). Your YubiKey requires the following to work correctly:

What are my responsiblities with a YubiKey?

You have very few responsibilities while in possession of a YubiKey. You must abide by the terms you agreed to when you signed the paperwork required by the Accounts Center.

In addition to that, you should periodically validate your version of Kerberos, uninstall the previous version, and re-install the current version if your version is behind. This will ensure that you always have the most up-to-date software and will not encounter any problems while you are working.

When you return the YubiKey, include the YubiKey and your user name, as well as an explanation. Something simple is fine; we just need to know if you plan on using your account again in the future. Contact the CCAC at 1-877-222-2039, or make a request via e-mail or the user portal for return information.

Activating & setting up your YubiKey

Overview

When you receive the packet containing your YubiKey, you must sign and return the form labeled "Section III: Authentication Packet / User Accounts Protection Agreement." It can be returned via fax to 937-656-9538.Once this form has been returned, your YubiKey is registered and activated. You may use your YubiKey once you have installed the Kerberos software.

To use the YubiKey, download and install the Kerberos software available at https://www.hpcmo.hpc.mil/security/kerberos/ under the left side menu item, "Software."

Windows setup

Insert your YubiKey into the USB port. A green indicator light will appear in the round, finger pad. The YubiKey should be recognized as a Human Interface Device, and your computer should automatically install the built-in drivers. The software for this item is already a part of the Operating System.

Mac OS X setup

Insert your YubiKey into the USB port. A green indicator light will appear in the round, finger pad. A dialogue box will come up. Close the dialogue box, and your YubiKey should install as a default ANSI keyboard.

*nix systems (i.e. Unix) setup

Insert your YubiKey into the USB port. A green indicator light will appear in the round, finger pad. The system should automatically detect your YubiKey. If you have any problems using your YubiKey, please contact CCAC at 1-877-222-2039.

Using your YubiKey to authenticate

Overview

The following will help you make sure your YubiKey works correctly:

  • Make sure there is a solid green light showing in the middle of the round, finger contact when the YubiKey is plugged into the USB port.
  • The CAPS LOCK needs to be off before attempting to use the YubiKey.
  • The finger contact should be touched with a bare finger. Anything blocking that connection will cause the YubiKey to not recognize your finger. Please be aware that some lotions may cause a barrier between your finger and the finger contact.

Using the YubiKey to authenticate with Windows

  1. Place your YubiKey in the USB port with the button and contact facing up.
  2. Open the HPCMP Kerberos software (krb5.exe).
  3. Enter your username in the "Name" field and your Realm in the "Realm" field. Most users are realmed "HPCMP.HPC.MIL".
  4. Whether you enter your password into the "Password" field or wait to be prompted for it after pressing the "Login" button, you will eventually be prompted for a "SAM Authentication - Challenge for Security Dynamics mechanism". This field may also be labeled "SecurID Passcode" or "Passcode".
  5. Place your cursor in the Passcode field and press the button on your YubiKey.

Screenshot of the Passcode dialog showing Passcode field and ok button highlighted

Assuming your user and and Realm were entered correctly, you will receive a green ticket showing that you have authenticated with your YubiKey.

The picture below shows an authenticated session. Please be aware that your realm may be different.

Screenshot of kinit screen showing an authenticated session.

You will now be able use FileZilla to transfer files or use Putty to login to a High Performance Computer (HPC). If you encounter any problems, please contact the CCAC at 1-877-222-2039 for additional assistance.

Using your YubiKey to authenticate with Linux/Unix/Mac

  1. Insure that Kerberos is installed on your system (available at https://www.hpcmo.hpc.mil/security/kerberos/).
  2. Place your YubiKey into a USB port with the button facing up.
  3. Open a terminal window and run "kinit username@REALM". You should receive a prompt for a passcode.

    Your session will look similar to this:

    % kinit username@HPCMP.HPC.MIL
    Password for username@HPCMP.HPC.MIL:
    SAM Authentication
    Challenge from authentication server
    YubiKey Passcode:
  4. Push the button on the YubiKey.
  5. The passcode should be automatically entered where it is requested.

At this point, you should receive a Kerberos ticket. If you encounter any problems, please contact the CCAC at 1-877-222-2039 for additional assistance.

Using your YubiKey to authenticate with a remote system

A benefit of the YubiKey is the ability to use a remote system. The process is very similar to using your YubiKey on a Linux, Unix, Mac, etc.

  1. Place your YubiKey into a USB port with the button facing up.
  2. Open a terminal window and run "kinit username@REALM". You should receive a prompt for a passcode.
  3. Push the button on the YubiKey.
  4. The passcode should be automatically entered where it is requested.

At this point, you should receive a Kerberos ticket. If you encounter any problems, please contact the CCAC at 1-877-222-2039 for additional assistance.

Troubleshooting

Overview

You should make sure the following is done before you call CCAC. This may prevent time lost during your day.

If you require further assistance please review our Contact Information.

My computer doesn't recognize my YubiKey.

Please make sure your YubiKey is plugged in with the button facing up and is seated properly.

The button doesn't click or make any noise when I press it.

The touch button has no moving parts and is activated by touch. The button cannot be activated if there is an insulating device between the button and the finger. You cannot press the button with a pen, a gloved hand, etc. This even extends to hands with lotion on. If you have recently put lotion on, please wash your hands and attempt to use your YubiKey again.

The indicator light doesn’t light up.

  1. Verify that your YubiKey is plugged in with the button facing up and is seated properly.
  2. Verify that your USB port is working correctly by plugging in another USB device.
  3. Verify the hub has power if you are using an external hub.

The indicator light just flashes shortly then goes out.

The YubiKey most likely entered power down. This is normal behavior and you should make sure your YubiKey is plugged in with the button facing up and is seated properly.

The indicator light just flashes rapidly.

  1. Verify that the YubiKey is plugged in with the button facing up and is seated properly.
  2. Verify that another USB device works in the same port.
  3. Verify that there is not a computer policy/setting that prevents attachment of external devices.

The indicator light flashes every two seconds.

The YubiKey has not been properly configured and is unable to create an authorization key. Contact CCAC at 1-877-222-2037 or via email for a replacement.

Nothing happens when I press the trigger button.

  1. Verify that the YubiKey is plugged in with the button facing up and is seated properly.
  2. Hold the button for about .5 seconds.
  3. Verify that you are touching the button with a naked finger. The button will not work if you are pressing the button with a pen, a bandaged finger, a glove, etc. You may also want to wash your hands to verify that you don't have something (like lotion) preventing a good connection.
  4. Verify that the YubiKey works on another computer.

The light goes out when the trigger button is pressed, but nothing appears on the screen.

  1. Verify that the YubiKey is seated appropriately.
  2. Verify that the cursor is placed in a valid input field.
  3. Verify that the YubiKey is properly seated in the USB port.

I keep getting an error message that says "kinit(v5): Preauthentication failed while getting initial credentials".

  1. Verify that your CAPS LOCK is not engaged.
  2. If your CAPS LOCK is engaged, close your text editor.
  3. Disengage your CAPS LOCK.
  4. Re-open your text editor and attempt to obtain another ticket.

Contact Information

CCAC is the first point of contact for all of your questions.

CCAC is available Monday thru Friday, 0800-2300 EST.

phone: 1-877-222-2039
e-mail: help@ccac.hpc.mil
on-line: http://centers.hpc.mil

Tickets can always be created and Knowledge Management articles can be searched at https://help.ccac.hpc.mil