How to Configure YubiKey with Trout Access Gate

Trout Access Gate brings robust, DMZ-style protection to the industrial edge — and when paired with a YubiKey, it enables strong, hardware-based authentication for both people and machines. This guide walks you through the setup process step-by-step, whether you're using Linux, macOS, or Windows.

📖 Estimated Reading Time: 3 minutes

Step 1: Prepare Your YubiKey

Depending on how you intend to use the YubiKey, choose one of the following setups:

🔐 Option A: FIDO2 (For user login via web or CLI)

  1. Insert your YubiKey.

  2. Open YubiKey Manager:

    • GUI: Go to Applications > FIDO2

    • CLI: ykman fido access change-pin (sets a PIN if none exists, otherwise changes it)

  3. Set or confirm your FIDO2 PIN.

  4. (Optional) For passwordless login, choose a discoverable ("resident") credential when you register the key with Trout Access Gate in Step 2. ykman cannot create one on its own; the credential is created by the relying party during registration and stored on the key.

🪪 Option B: PIV (For secure identity with client certs)

  1. Switch to Applications > PIV.

  2. Generate a key in slot 9a (the PIV Authentication slot) and give it a certificate, either self-signed or issued by your CA:

    • GUI: "Configure Certificates"

    • CLI: ykman piv keys generate, then ykman piv certificates generate

  3. Set the Management Key and PIN. Change the factory defaults (PIN 123456, PUK 12345678, and the publicly known default management key) before you issue the certificate; until then anyone holding the key can load their own certificate into it.

  4. Export the certificate for registration with Trout Access Gate. Only the certificate leaves the key; the private key is generated on the YubiKey and cannot be exported.

⚠️ On Linux: ykman reaches the PIV application through the PC/SC daemon, so you may need to install pcscd and make sure it is running (restart it after installing).


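The PIV path of Step 1 (key generation, retiring the factory secrets, export of the certificate, plus the Linux pcscd check above), scripted as an added example. This is not Trout's or Yubico's own tooling. It assumes ykman 5.x on the PATH (the ykman piv access ... and ykman piv certificates ... subcommands), exactly one YubiKey attached, and that the gate accepts a PEM certificate; the YKMAN, OUTDIR, TOUCH_POLICY and PIN_POLICY variables and all function names are the example's own.

```shell
#!/bin/sh
# Added example, not Trout's or Yubico's tooling: the PIV path of Step 1 scripted.
# Assumes ykman 5.x on PATH and exactly one YubiKey attached. Registration with
# the gate (Step 2) still happens afterwards, using the exported certificate.
set -eu

YKMAN="${YKMAN:-ykman}"                   # command that talks to the key (overridable for dry runs)
SLOT="9a"                                 # PIV slot 9a = "Authentication", used for client certs
OUTDIR="${OUTDIR:-./yk-piv}"              # public key / certificate / CSR land here
TOUCH_POLICY="${TOUCH_POLICY:-ALWAYS}"    # humans: ALWAYS; unattended machines: NEVER or CACHED
PIN_POLICY="${PIN_POLICY:-ALWAYS}"        # humans: ALWAYS; unattended machines: ONCE

# The guide's Linux note: ykman reaches the PIV application through pcscd, so fail
# early with the fix instead of letting ykman time out. No-op on other platforms.
check_pcscd() {
  [ "$(uname -s)" = "Linux" ] || return 0
  command -v pcscd >/dev/null 2>&1 || {
    echo "pcscd missing: sudo apt install pcscd  (Fedora: sudo dnf install pcsc-lite)" >&2
    return 1
  }
  pgrep -x pcscd >/dev/null 2>&1 || {
    echo "pcscd not running: sudo systemctl restart pcscd" >&2
    return 1
  }
}

# Step 1B.3: retire the factory secrets. Default PIN is 123456, default PUK is
# 12345678 and the default management key is published, so until this runs anyone
# holding the key can load their own certificate into it. --generate makes a random
# management key; --protect stores it on the key behind the PIN (ykman prompts).
piv_harden_access() {
  "$YKMAN" piv access change-pin
  "$YKMAN" piv access change-puk
  "$YKMAN" piv access change-management-key --generate --protect
}

# Steps 1B.2 and 1B.4: key on the token, certificate for it, export for the gate.
# mode "selfsigned": self-signed leaf the gate can pin; prints the PEM path.
# mode "csr": writes a CSR for your CA; import the issued cert afterwards with
#   ykman piv certificates import 9a issued.pem   and then export as below.
piv_provision() {
  subject="$1"            # e.g. "/CN=plant-admin-01/O=Example Plant"
  mode="${2:-selfsigned}"
  mkdir -p "$OUTDIR"
  # Key pair is generated on the YubiKey; only the public half is written to disk.
  "$YKMAN" piv keys generate --algorithm ECCP256 --pin-policy "$PIN_POLICY" \
      --touch-policy "$TOUCH_POLICY" "$SLOT" "$OUTDIR/$SLOT-pub.pem"
  case "$mode" in
    selfsigned)
      # Self-signing is a signature with the new key: expect a PIN prompt and,
      # with TOUCH_POLICY=ALWAYS, a touch.
      "$YKMAN" piv certificates generate --subject "$subject" --valid-days 365 \
          "$SLOT" "$OUTDIR/$SLOT-pub.pem"
      "$YKMAN" piv certificates export "$SLOT" "$OUTDIR/$SLOT-cert.pem"
      echo "$OUTDIR/$SLOT-cert.pem" ;;
    csr)
      "$YKMAN" piv certificates request --subject "$subject" \
          "$SLOT" "$OUTDIR/$SLOT-pub.pem" "$OUTDIR/$SLOT.csr"
      echo "$OUTDIR/$SLOT.csr" ;;
    *)
      echo "unknown mode: $mode (use selfsigned or csr)" >&2
      return 2 ;;
  esac
}

# Look at what you are about to upload: subject, validity window, SHA-256 fingerprint.
# Compare the fingerprint with what the gate shows after registration.
show_cert() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
  openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
}

# Usage: sh piv-provision.sh "/CN=plant-admin-01" [selfsigned|csr]
if [ -n "${1:-}" ]; then
  check_pcscd
  piv_harden_access
  out=$(piv_provision "$1" "${2:-selfsigned}")
  if [ "${2:-selfsigned}" = "selfsigned" ]; then show_cert "$out"; fi
  echo "Register this with Trout Access Gate in Step 2: $out"
fi
```

Run it once per key as the user who will own it; every ykman call prompts for the PIN or management key as needed. For a machine identity (the SFTP or MQTT client in Step 4) set TOUCH_POLICY=NEVER and PIN_POLICY=ONCE, since nothing will be there to touch the key; for people, leave both at ALWAYS so every authentication needs PIN and presence.
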
Step 2: Register Your YubiKey with Trout Access Gate

Now link your YubiKey to your Trout Access account.

📋 Option 1: Via Trout Web UI

  1. Log in to the Trout Access Gate dashboard.

  2. Go to Access Control > Users.

  3. Select the user account.

  4. Click Add Auth Method → YubiKey (FIDO2 or PIV).

  5. Insert and tap your YubiKey when prompted (FIDO2). For PIV, supply the certificate you exported in Step 1.

⚙️ Option 2: Via Trout CLI

On your local terminal, start the Trout CLI registration flow and follow its interactive prompt to complete registration using your YubiKey.

CLI Notes:

  • macOS/Linux: ykman works with USB-A and USB-C keys, including through adapters

  • Windows: run PowerShell as Administrator. Windows restricts direct FIDO2 device access to elevated processes, so ykman fido commands fail from a normal prompt; PIV commands do not need elevation.

Step 3: Apply an Authentication Policy

  1. In the Trout UI, go to Policies > Authentication.

  2. Create or modify a policy, e.g. Plant Admins.

  3. Set Authentication Method to Require YubiKey.

  4. Assign this policy to a user group, site, or network zone.

You can enforce YubiKey as a mandatory factor, or use it in combination with other identity or device-based rules.

Step 4: Test the Authentication Flow

👩‍💻 For Human Users

  • Go to your Trout Access Gate login screen.

  • Choose Sign in with YubiKey.

  • Insert and tap your key when prompted.

  • You should land in your dashboard with logs confirming hardware-based auth.

🤖 For Machine-to-Machine Communication

  • Trigger a system action (e.g. SFTP pull, MQTT publish).

  • The access gate checks the YubiKey-based credential from the device.

  • Logs should show something like:

    [access_gate]

🛠️ Troubleshooting

  • YubiKey not detected: try another port or cable and update ykman.

  • Touch prompt not appearing: on Linux, make sure pcscd is running; otherwise reboot.

  • PIN locked: for FIDO2, reset the FIDO application in YubiKey Manager (this wipes all FIDO credentials, so the key must be registered again). For PIV, unblock the PIN with the PUK first; only a full PIV reset wipes the PIV keys and certificates.

  • Trout login fails: confirm the user account is linked to this YubiKey (Step 2) and that the policy from Step 3 applies to that user.