One way to increase the security of computer systems is to use multiple factors for authentication. Typically this will be two factors and follows the pattern of authenticating with a "knowledge" factor, which is something you know, like a password, and a "possession" factor, which is something that you have. The latter is typically a key or a one-time password, often generated by a device. We have implemented a two-factor authentication system for the HPC resources. The technology that has been chosen is called Duo, from Duo Security. This is the same technology that was deployed for the University of Iowa Employee Self Service site.

...

Info

Registering with Duo for the HPC systems will enable Duo for all campus services that use Duo, such as Employee Self-Service.

...

Once you are enrolled in Duo you are ready to use it on the HPC systems. Usage is fairly straightforward and is very similar to what you may be accustomed to with websites such as the UIowa Employee Self Service site. All of the authentication methods of Duo are supported; however, given that the HPC systems are shell systems, the duo-push method is very convenient for automation.

For normal ssh connections the following illustrates what you will see.

Panel

ssh neonargon.hpc.uiowa.edu
Password: 
Duo two-factor login for gpjohnsn

Enter a passcode or select one of the following options:

1. Duo Push to XXX-XXX-8727
2. Duo Push to My tablet (Android)
3. Phone call to XXX-XXX-8727
4. SMS passcodes to XXX-XXX-8727 (next code starts with: 1)

Passcode or option (1-4):

In the above, I have two devices registered, a phone and a tablet. The phone is set to be the primary device. The above requires interaction, which in most cases is probably not a huge burden. Of course, there are some commands that do not present dialog prompts at the console, such as scp and FastX. For these types of commands, Duo will autopush the request to your out-of-band authentication method. If you have the app on a smartphone then the request will go there. If not, then a phone call will be made to the registered number. Clearly, the app on a smartphone is a much better way to handle that. There will be no prompt in your terminal window, so you must remember to check your smartphone for the pushed request. However, it is also possible to send an authentication key as part of the command, and that is particularly useful for those without a smartphone. Passing a key on the command line is probably easier than authenticating with a phone call. See the Advanced Setup section below for more information.

...

Finally, note that two-factor authentication only applies to logging into a login node of the HPC systems. Once on the system, connections between nodes all use the normal cluster ssh key authentication mechanisms, as before.

Advanced setup

...

No Format
env DUO_PASSCODE=push ssh -o SendEnv=DUO_PASSCODE neonargon.hpc.uiowa.edu
Reading $DUO_PASSCODE...
Pushed a login request to your device...
Success. Logging you in...

...

No Format
env DUO_PASSCODE=482946 ssh -o SendEnv=DUO_PASSCODE neonargon.hpc.uiowa.edu
Reading $DUO_PASSCODE...
Success. Logging you in...

Note that the above will work with SCP/SFTP as well if you are using macOS or Linux, where you can set the DUO_PASSCODE environment variable. While the above still requires interaction to generate the code, it may be more convenient to send a code first rather than acknowledge a push after the ssh command. This method is also useful for those who do not have a smartphone, as sending a key as part of the command makes connecting the session a bit easier. This is particularly true for scp and sftp, which do not present a dialog to enter the key.
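As an added example (not part of the original page), a small POSIX shell wrapper around the DUO_PASSCODE/SendEnv approach shown above. It checks the value before sending it and, when no code is given on the command line, reads it without echo so the one-time code does not end up in shell history or in the argument list that `ps` shows; the accepted code length of 6 to 8 digits is an assumption (the page shows a 6-digit code).

```shell
#!/bin/sh
# Added example: wrapper for logging into a Duo-protected host using the
# DUO_PASSCODE environment variable forwarded with -o SendEnv=DUO_PASSCODE.

# Accept "push" or a numeric one-time passcode. The 6-8 digit range is an
# assumption; the page only shows a 6-digit code. Returns 0 if acceptable.
duo_validate_passcode() {
    case "$1" in
        push) return 0 ;;
        *[!0-9]*|'') return 1 ;;          # empty or contains a non-digit
        *)
            len=${#1}
            [ "$len" -ge 6 ] && [ "$len" -le 8 ] ;;
    esac
}

# duo_ssh HOST [CODE]: connect to HOST with CODE (or "push"). If CODE is
# omitted, prompt for it with terminal echo off so the code is not stored in
# shell history and does not appear in the ssh command line.
duo_ssh() {
    host=$1
    code=$2
    if [ -z "$code" ]; then
        printf 'Duo passcode (or "push"): ' >&2
        stty -echo 2>/dev/null
        read -r code
        stty echo 2>/dev/null
        echo >&2
    fi
    if ! duo_validate_passcode "$code"; then
        echo "duo_ssh: passcode must be 'push' or a 6-8 digit code" >&2
        return 2
    fi
    # Export from the shell rather than using `env DUO_PASSCODE=... ssh`, so
    # the value is only in the environment, not in the visible argument list.
    DUO_PASSCODE=$code
    export DUO_PASSCODE
    ssh -o SendEnv=DUO_PASSCODE "$host"
}
```

The same exported variable is picked up by scp and sftp on macOS or Linux, as the text above notes, if you pass them the same `-o SendEnv=DUO_PASSCODE` option.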

...

In your shell startup file, such as ~/.bash_profile, put the following:

export DUO_PASSCODE=push

Windows

On Windows systems it is a little more difficult to set up automatic push from Duo. The description below uses PuTTY.

...