One way to increase the security of computer systems is to use multiple factors for authentication. Typically this means two factors: a "knowledge" factor, which is something you know, like a password, and a "possession" factor, which is something that you have. The latter is typically a key or a one-time password, often generated by a device. We have implemented a two-factor authentication system for the HPC resources. The technology that has been chosen is called Duo, from Duo Security. This is the same technology that was deployed for the University of Iowa Employee Self Service site.
...
Finally, note that two-factor authentication only applies to logging into a login node of the HPC system. Once on the system, connections between nodes all use the normal cluster ssh authentication mechanisms, as before.
What follows is optional, for those who wish to reduce the interactivity just a bit. There are times when you do not want to have to interact with the console; in that case you can have a push sent automatically to your primary device. To accomplish this you will need to use a generated key (preferably with a passphrase and an ssh agent) and set the DUO_PASSCODE environment variable.
Mac/Linux
```
env DUO_PASSCODE=push ssh -o SendEnv=DUO_PASSCODE argon.hpc.uiowa.edu
Reading $DUO_PASSCODE...
Pushed a login request to your device...
Success. Logging you in...
```
...
In your shell startup file, such as ~/.bash_profile, put the following:

```
export DUO_PASSCODE=push
```
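Once the variable is exported in every shell, the SendEnv lines in the ssh client configuration decide which hosts it is offered to. The sketch below is an added example, not part of the original page: it lists the Host blocks in a config file that would forward DUO_PASSCODE, so you can confirm the login node is covered and see any other block that also forwards it. The function names, the build.example.org host and the sample config are constructed for illustration.

```shell
# List Host blocks in an OpenSSH client config whose SendEnv forwards
# DUO_PASSCODE. Include and Match directives are not followed.
duo_sendenv_hosts() {
    cfg=$1
    host='*'   # directives before the first Host line apply to every host
    set -f     # stop patterns such as LC_* from expanding to file names
    while read -r key rest || [ -n "$key" ]; do
        # "Keyword=value" is accepted as well as "Keyword value"
        case $key in *=*) rest="${key#*=} $rest"; key=${key%%=*} ;; esac
        rest=${rest#=}
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        case $key in
            host) host=$rest ;;
            sendenv)
                for pat in $rest; do
                    # SendEnv takes wildcard patterns, so match each one
                    case DUO_PASSCODE in
                        $pat) printf '%s\n' "$host"; break ;;
                    esac
                done ;;
        esac
    done < "$cfg"
    set +f
}

# Constructed sample config (build.example.org is a made-up host).
sample_config() {
cat <<'EOF'
Host argon.hpc.uiowa.edu
    SendEnv DUO_PASSCODE
Host build.example.org
    sendenv LANG DUO_*
Host *
    SendEnv LANG LC_*
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
duo_sendenv_hosts "$tmp"
rm -f "$tmp"
```

To check your own setup, call the function with the path to your client config, for example `duo_sendenv_hosts ~/.ssh/config`.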
Windows
Setting up automatic push from Duo is a little more difficult on Windows systems. The description below uses PuTTY.
...
That will then have Duo send a push notification to your device whenever an ssh session is initiated. Note that you will need a smartphone or tablet for this to work.
How to unlock your Duo account
You will be unable to access the HPC system if your Duo account is locked. You can become locked out of Duo if you enter an invalid (or used) passcode too many times, or if you let multiple Duo mobile push notifications expire in the app without approving or denying them.
If this happens, you will need to unlock your Duo account before you can access the HPC system. Information about how to unlock your Duo account is available at https://its.uiowa.edu/support/article/102557.
Once your Duo account is unlocked, you should be able to log in to the HPC system. If you do not have your mobile phone or other primary device with you, other options for logging in with Duo are to use a backup code or enroll another device (such as an office phone).