...
Info |
---|
We are currently kicking off a pilot of two-factor authentication. If all goes well in the pilot then all HPC users will be required to authenticate with two-factor authentication. More information will be coming shortly. If you would like to participate in the pilot please send a note to HPC-Sysadmins. If you are part of the pilot please provide feedback and problem reports. |
There is an ITS Duo support site that has all of the information that you will need to get enrolled for using Duo. Please direct all questions regarding enrollment to the ITS Help Desk, whose contact information is listed on the Duo support site. In order to use Duo on the HPC systems you must enroll in the Duo service and register a device. The most convenient method for managing Duo, particularly on the HPC systems, is via Duo's app for smartphones. There is support for all, or most, types of smartphones; see this page for more information. Please see the following page for setting up a smartphone for Duo: UI Duo mobile setup. Follow the instructions on that page to get yourself enrolled and your device registered.
Note |
---|
The Duo service is already set up. You only need to enroll in the service that we offer. Ignore any instructions from Duo that prompt you to set up a Duo service account. |
Info |
---|
Registering with Duo for the HPC systems will enable Duo for all campus services that use Duo such as Employee Self-Service. |
There is an ITS Duo support site that has all of the information that you will need for using Duo. Please direct all questions regarding enrollment to the ITS Help Desk, whose contact information is listed on the Duo support site.
Once you are enrolled in Duo you are ready to use it on the HPC systems. Usage is fairly straightforward and is very similar to what you may be accustomed to with Web sites, such as the UIowa Employees Self Service site. All of the authentication methods are supported; however, given that the HPC systems are shell systems, the duo-push method is very convenient for automation.
...
While the above still requires interaction to generate the code, it may be more convenient to send a code first rather than acknowledge after the ssh command.
It is also possible to put the above environment variables in configuration files. To tell ssh to pass the DUO_PASSCODE variable, put the following in your ~/.ssh/config file:
SendEnv DUO_PASSCODE
In your shell startup file, such as ~/.bash_profile, put the following:
export DUO_PASSCODE=push
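A SendEnv line placed outside any Host block in ~/.ssh/config applies to every server you connect to, not only the HPC systems. The shell function below is an added example, not part of the original page: it reports the scope of each SendEnv line that names DUO_PASSCODE. The hostnames and the sample config are constructed placeholders, and the parser assumes plain Host blocks (Match blocks and Include files are not handled).

```shell
#!/bin/sh
# Added example (not from the original page): show which scope each
# "SendEnv DUO_PASSCODE" line in an ssh client config applies to.

# Write a constructed sample config to the path in $1.
# The hostnames are placeholders, not real HPC login nodes.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample ~/.ssh/config
SendEnv DUO_PASSCODE
Host hpc-login.example.edu
    SendEnv LANG DUO_PASSCODE
Host *.example.org
    SendEnv DUO_PASSCODE
EOF
}

# Print "<verdict> <scope>" for every SendEnv line naming DUO_PASSCODE.
# BROAD  = outside any Host block, or under a wildcard Host pattern.
# SCOPED = under a Host line with no wildcard.
# Limits: exact variable name only (SendEnv patterns are not expanded).
duo_sendenv_scopes() {
    awk '
        BEGIN { scope = "(global)" }
        /^[ \t]*#/ { next }                  # skip comment lines
        { key = tolower($1) }                # keywords are case-insensitive
        key == "host" {
            scope = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", scope)   # keep only the patterns
            next
        }
        key == "sendenv" {
            for (i = 2; i <= NF; i++)
                if ($i == "DUO_PASSCODE") {
                    broad = (scope == "(global)" || scope ~ /[*?]/)
                    verdict = broad ? "BROAD" : "SCOPED"
                    print verdict, scope
                }
        }
    ' "$1"
}

# Demo run on the constructed sample.
cfg=$(mktemp)
write_sample_config "$cfg"
duo_sendenv_scopes "$cfg"
rm -f "$cfg"
```

To check your own file, call `duo_sendenv_scopes ~/.ssh/config`; a BROAD result means the variable is sent to hosts other than the one you intended.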
Of course, there are some commands that do not present dialogs at the console. This would be things such as scp and NX. For these types of commands, Duo will autopush the request to your out-of-band authentication method. If you have the app on a smartphone then the request will go there. If not, then a phone call will be made to the registered number. Clearly, the app on a smartphone is a much better way to handle that. There will be no prompt in your terminal window so you must remember to check your smartphone for the pushed request.
...