...
In the above, I have two devices registered, a phone and a tablet, and the phone is set to be the primary device. The above requires interaction, which in most cases is probably not a huge burden. Of course, there are some commands that do not present dialogs at the console, such as scp and NX. For these types of commands, Duo will autopush the request to your out-of-band authentication method. If you have the app on a smartphone, the request will go there. If not, a phone call will be made to the registered number. Clearly, the app on a smartphone is a much better way to handle that. There will be no prompt in your terminal window, so you must remember to check your smartphone for the pushed request.
Info |
---|
If the pushed request, or the response to it, is delayed then NX connections may time out before they get established. |
Finally, note that two-factor authentication only applies to logging into a login node of the HPC systems. Once you are on the system, connections between nodes all use the cluster ssh keys as before.
Advanced setup
What follows is optional, for when you wish to reduce the interactivity just a bit. There are times when you do not want to have to interact with the console; in those cases you can specify that a push happens automatically to your primary device. To accomplish this you will need to use a generated key (preferably with a passphrase and ssh agent) and set the DUO_PASSCODE environment variable.
...
In your script startup file, such as ~/.bash_profile, put the following:
export DUO_PASSCODE=push
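
The following preflight check is an added example, not part of the original page or of Duo's tooling. It verifies the two local prerequisites named above: the export line in the startup file and a key loaded in the ssh agent. The function names and the SSH_ADD_CMD override are hypothetical and exist only for this example.

```sh
#!/bin/sh
# Added example: preflight for the automatic-push setup.
# Assumption: SSH_ADD_CMD is a hypothetical override so the agent check can be stubbed.
SSH_ADD_CMD=${SSH_ADD_CMD:-ssh-add}

# Succeeds if the startup file contains the (uncommented) export line from the page.
profile_sets_push() {
    grep -Eq '^[[:space:]]*export[[:space:]]+DUO_PASSCODE=push[[:space:]]*$' "$1" 2>/dev/null
}

# Prints loaded | empty | unreachable, based on the exit status of `ssh-add -l`:
# 0 = keys listed, 1 = agent holds no keys, anything else = no usable agent.
agent_state() {
    rc=0
    $SSH_ADD_CMD -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Prints one finding per problem; returns 0 only when nothing was found.
duo_push_preflight() {
    profile=$1
    problems=0
    if ! profile_sets_push "$profile"; then
        echo "MISSING: 'export DUO_PASSCODE=push' not found in $profile"
        problems=$((problems + 1))
    fi
    if [ "${DUO_PASSCODE:-}" != push ]; then
        echo "UNSET: DUO_PASSCODE is not 'push' in this shell; re-source $profile"
        problems=$((problems + 1))
    fi
    case $(agent_state) in
        empty)
            echo "AGENT: ssh-agent is running but holds no key; run ssh-add"
            problems=$((problems + 1)) ;;
        unreachable)
            echo "AGENT: no ssh-agent reachable; the key passphrase would be prompted for"
            problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}
```

Run it as `duo_push_preflight ~/.bash_profile` on the machine you connect from, before relying on a non-interactive scp or NX session.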