Comment: Move advanced setup info into expandable sections

One way to increase the security of computer systems is to use multiple factors for authentication. Typically, this means two factors: a "knowledge" factor, which is something you know, like a password, and a "possession" factor, which is something that you have. The latter is typically a key or one-time password, often generated by a device. We have implemented a two-factor authentication system for the HPC resources. The technology that has been chosen is called Duo from Duo Security. This is the same technology that was deployed for the University of Iowa Employee Self Service site.

...

What follows is optional, for those who wish to reduce the interactivity just a bit. There are times when you do not want to have to interact with the console, and you can specify that a push happen automatically to your primary device. To accomplish this you will need to use a generated key (preferably with a passphrase and ssh-agent) and set the DUO_PASSCODE environment variable.

Mac/Linux


env DUO_PASSCODE=push ssh -o SendEnv=DUO_PASSCODE argon.hpc.uiowa.edu
Reading $DUO_PASSCODE...
Pushed a login request to your device...
Success. Logging you in...

In the above there is no interaction with the console but you still have to acknowledge the request on the device. It is also possible to send a pre-generated key. This key can either be generated from the app on the device or from the list sent via SMS.

env DUO_PASSCODE=482946 ssh -o SendEnv=DUO_PASSCODE argon.hpc.uiowa.edu
Reading $DUO_PASSCODE...
Success. Logging you in...

Note that the above will work with SCP/SFTP as well if you are using Mac or Linux, where you can set the DUO_PASSCODE environment variable. While the above still requires interaction to generate the code, it may be more convenient to send a code first rather than acknowledge after the ssh command. This method is also useful for those who do not have a smartphone, as sending a key as part of the command makes connecting the session a bit easier. This is particularly true for scp and sftp, which do not present a dialog to enter the key.

It is also possible to put the above environment variables in configuration files. To tell ssh to pass the DUO_PASSCODE variable, put the following in your ~/.ssh/config file:

SendEnv DUO_PASSCODE

In your shell startup file, such as ~/.bash_profile, put the following:

export DUO_PASSCODE=push
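
A `SendEnv` line placed before any `Host` block in ~/.ssh/config applies to every host you connect to, while the same line under a `Host` block applies only to that host. The following is an added example, not part of the original page: a check that reports the scope of each `SendEnv DUO_PASSCODE` line. The function name `duo_sendenv_scope` and the sample config are constructed for illustration, and only the literal variable name and a plain `Host *` or `Match all` scope are recognized.

```shell
# Added example, not from the original page. Lists every place an OpenSSH
# client config enables "SendEnv DUO_PASSCODE" and the scope it applies to.
# Exit status is 1 if the variable would be offered to every host.
duo_sendenv_scope() {
    awk '
    BEGIN { scope = "(global)"; wide = 1; bad = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        # ssh_config also accepts the "Keyword=value" form
        if (line ~ /^[A-Za-z]+[ \t]*=/) sub(/[ \t]*=[ \t]*/, " ", line)
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])            # keywords are case-insensitive
        if (key == "host" || key == "match") {
            scope = line; wide = 0     # a new block starts here
            for (i = 2; i <= n; i++)
                if (f[i] == "*" || (key == "match" && tolower(f[i]) == "all"))
                    wide = 1
        } else if (key == "sendenv") {
            for (i = 2; i <= n; i++)
                if (f[i] == "DUO_PASSCODE") {
                    printf "%s\tline %d\t%s\n", (wide ? "ALL-HOSTS" : "scoped"), NR, scope
                    if (wide) bad = 1
                }
        }
    }
    END { exit bad }
    ' "${1:-$HOME/.ssh/config}"
}

# Constructed sample: the global form followed by a host-scoped form.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
SendEnv DUO_PASSCODE

Host argon.hpc.uiowa.edu
    SendEnv DUO_PASSCODE
EOF
duo_sendenv_scope "$sample_cfg" || echo "DUO_PASSCODE is offered to every host"
rm -f "$sample_cfg"
```

Run with no argument, the function checks your own ~/.ssh/config.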




...

Windows

Setting up automatic push from Duo is a little more difficult on Windows systems. The description below uses PuTTY.




Go to the Data section of Connection and add the DUO_PASSCODE variable.




Click Add and your screen should look like the following.




Go back to the Session category, select Default Settings, or whichever session is associated with the HPC system, and press Save.




That will then have Duo send a push notification to your device whenever an ssh session is initiated. Note that you will need a smartphone or tablet for this to work.

How to unlock your Duo account

...