About two-factor authentication & Duo

...

To use Duo on the HPC systems you must enroll in the Duo service and register a device. External collaborators cannot enroll in Duo until after they have been granted access to the HPC systems. The most convenient way to manage Duo, particularly on the HPC systems, is the Duo app for smartphones and tablets: no phone number is required, the app works internationally, and while a push notification needs a data connection, the app can also generate passcodes with no network at all. The rest of this documentation refers to smartphones, but the information applies equally to the Duo app on a tablet except where phone calls or SMS messages are involved. Most types of smartphones and other mobile devices are supported; see this page for more information. Please see the following page for setting up a smartphone for Duo:

...

Info

Enrolling in Duo for the HPC system enables Duo for all campus services that use it, such as Employee Self-Service.

...


The ITS page Two-Step Login with Duo Security (Information Technology Services) has all of the information you will need for using Duo. Please direct all questions about enrollment to the ITS Help Desk, whose contact information is listed on that page.

...

In the above, I have two devices registered, a phone and a tablet, with the phone set as the primary device. The interactive prompt is not a large burden in most cases, but some commands never present a prompt at the console, for example scp and FastX. For these, Duo automatically pushes the request to your out-of-band method: to the app if you have it on a smartphone, otherwise as a phone call to the registered number. The app on a smartphone is clearly the better way to handle this. Nothing appears in your terminal window, so you must remember to check your smartphone promptly for the pushed request.

Alternatively, you can supply a Duo passcode as part of the command, which is particularly useful if you do not have a smartphone and is easier than authenticating by phone call. Each passcode is single-use, so one that remains in your shell history or a process listing cannot be replayed after it has been consumed, but it should still be treated as a secret until then. See the Advanced Setup section below for more information. Note that for transferring files it may be preferable to use CIFS rather than scp/sftp. See the following for more information:

Home Accounts: /wiki/spaces/hpcdocs/pages/76513488

Finally, note that two-factor authentication applies only to connecting to a login node of the HPC system, whether by interactive ssh or by scp/sftp. Once you are on the system, connections between nodes use the cluster's normal ssh authentication mechanisms, as before.

...

What follows is optional and reduces the interaction a little. When you do not want to interact with the console at all, you can have a push sent automatically to your primary device. To do this you need a generated ssh key (preferably protected by a passphrase and loaded into ssh-agent), so that no password prompt appears, and you set the DUO_PASSCODE environment variable, which the ssh client forwards to the login node.

...

...

Mac/Linux

env DUO_PASSCODE=push ssh -o SendEnv=DUO_PASSCODE argon.hpc.uiowa.edu
Reading $DUO_PASSCODE...
Pushed a login request to your device...
Success. Logging you in...

In the above there is no interaction at the console, but you still have to approve the request on the device. You can also send a one-time passcode instead. Passcodes are generated by the Duo app on the device or taken from the batch sent via SMS; each passcode can be used only once, so a fresh one is needed every time.

env DUO_PASSCODE=482946 ssh -o SendEnv=DUO_PASSCODE argon.hpc.uiowa.edu
Reading $DUO_PASSCODE...
Success. Logging you in...

The above works with scp and sftp as well on Mac or Linux, where you can set the DUO_PASSCODE environment variable and pass -o SendEnv=DUO_PASSCODE in the same way. Generating the code still requires interaction, but it may be more convenient to supply a code first than to acknowledge a push after running the ssh command. This method is also useful for those who do not have a smartphone, since sending a passcode as part of the command makes connecting a bit easier. This is particularly true for scp and sftp, which do not present a prompt to enter the code.

It is also possible to put the above in configuration files. To tell ssh to pass the DUO_PASSCODE variable, put the following in your ~/.ssh/config file, preferably inside a Host block for the HPC login host so that the variable is not offered to every server you connect to:

SendEnv DUO_PASSCODE

In your shell startup file, such as ~/.bash_profile, put the following

export DUO_PASSCODE=push

Only push belongs in a startup file: a numeric passcode is single-use and would be stale by your next login.
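The two configuration lines above forward whatever is in DUO_PASSCODE on every connection, which is right for push but wrong for a one-time passcode. The following POSIX sh wrappers, added here as an example and not part of the HPC documentation, set DUO_PASSCODE for a single ssh or scp invocation only, reject anything that is neither push nor a numeric passcode before it reaches the server, and keep the value out of the calling shell's environment. The host name argon.hpc.uiowa.edu is taken from the examples above; the function names and the DUO_SSH_BIN and DUO_SCP_BIN overrides (which let the wrappers be exercised against a stub command without a Duo-protected server) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the HPC docs): wrappers that pass DUO_PASSCODE to a
# single ssh/scp invocation instead of exporting it from ~/.bash_profile.
# Assumptions: login host argon.hpc.uiowa.edu (from the examples on this page);
# DUO_SSH_BIN / DUO_SCP_BIN are hypothetical overrides so the wrappers can be
# exercised against a stub command without a Duo-protected server.

DUO_HOST="${DUO_HOST:-argon.hpc.uiowa.edu}"
DUO_SSH_BIN="${DUO_SSH_BIN:-ssh}"
DUO_SCP_BIN="${DUO_SCP_BIN:-scp}"

# Accept "push" (autopush to the primary device) or an all-digit one-time
# passcode from Duo Mobile or the SMS batch. The length is deliberately not
# checked: the page's example is 6 digits, but SMS passcodes can differ.
# Empty values and anything containing a non-digit are rejected client-side.
duo_passcode_valid() {
    case "$1" in
        push)     return 0 ;;
        '')       return 1 ;;
        *[!0-9]*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Internal: run "$_duo_bin" with DUO_PASSCODE exported only inside a subshell,
# so the passcode never lands in the caller's environment or a startup file.
# -o SendEnv=DUO_PASSCODE goes before the remaining arguments, which is where
# ssh, scp and sftp all expect their options.
_duo_exec() {
    _duo_code="$1"
    _duo_bin="$2"
    shift 2
    if ! duo_passcode_valid "$_duo_code"; then
        printf '%s: DUO_PASSCODE must be "push" or a numeric passcode, got "%s"\n' \
            "$_duo_bin" "$_duo_code" >&2
        return 2
    fi
    (
        export DUO_PASSCODE="$_duo_code"
        "$_duo_bin" -o SendEnv=DUO_PASSCODE "$@"
    )
}

# hpc_ssh [PASSCODE] [ssh options...]
# PASSCODE defaults to "push"; a numeric passcode skips the phone approval.
hpc_ssh() {
    _duo_code="${1:-push}"
    if [ $# -gt 0 ]; then shift; fi
    _duo_exec "$_duo_code" "$DUO_SSH_BIN" "$@" "$DUO_HOST"
}

# hpc_scp PASSCODE SRC... DST
# Same arguments as scp; use argon.hpc.uiowa.edu:path for the remote side.
# scp shows no console prompt, so a numeric passcode avoids waiting on a push.
hpc_scp() {
    if [ $# -lt 3 ]; then
        echo 'usage: hpc_scp PASSCODE SRC... DST' >&2
        return 2
    fi
    _duo_code="$1"
    shift
    _duo_exec "$_duo_code" "$DUO_SCP_BIN" "$@"
}
```

Source the file from your shell and run `hpc_ssh` for a push, `hpc_ssh 482946` with a fresh passcode, or `hpc_scp 482946 file.txt argon.hpc.uiowa.edu:dir/`. Because the wrapper is a shell function the passcode does not appear in a process listing the way it does with `env DUO_PASSCODE=... ssh`, though it still lands in shell history; since every Duo passcode is single-use that exposure is bounded, but the push form is the one to keep in any permanent configuration.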

...

Windows

On Windows it takes a little more work to set up the automatic Duo push. The description below uses PuTTY.

In the Connection category, go to the Data section and add an environment variable named DUO_PASSCODE with the value push.

Click Add and the variable should appear in the list of environment variables.

Go back to the Session category, select Default Settings, or whichever saved session is associated with the HPC system, and press Save.

PuTTY will then send DUO_PASSCODE with every ssh session it opens, and Duo will push a notification to your device. You need a smartphone or tablet with the Duo app for this to work.

How to unlock your Duo account

...

If this happens, you will need to unlock your Duo account before you can access the HPC system. Information about how to unlock your Duo account is available at https://its.uiowa.edu/support/article/102557102357.

After your Duo account is unlocked, you should be able to log in to the HPC system. If you do not have your mobile phone or other primary device with you, other options for logging in with Duo are to use a backup code or to enroll another device (such as an office phone).

...