Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

One way to increase the security of computer systems is to use multiple factors for authentication. Typically, this will be two factors and follows the pattern of authenticating with a "knowledge" factor, which is something you know, like a password, and a "possession" factor, which is something that you have. The latter is typically a key or one time password often generated by a device. In the near future we will be implementing a two factor authentication system for the HPC resources. The technology that has been chosen is called Duo from Duo Security. This is the same technology that was deployed for the University of Iowa Employee Self Service site.

We are currently kicking off a pilot of two factor authentication. If all goes well in the pilot then all HPC users will be required to authenticate with two factor authentication. More information will be coming shortly. If you would like to participate in the pilot please send a note to HPC-Sysadmins

There is an ITS Duo support site that has all of the information that you will need to get enrolled for using Duo. Please direct all questions regarding enrollment to the ITS Help Desk, whose contact information is listed on the Duo support site. The most convenient method for managing Duo, particularly on the HPC systems, is via Duo's app for smartphones. There is support for all, or most, types of smart phones; see this page for more information.

Once you are enrolled in Duo you are ready to use it on the HPC systems. Usage is fairly straight forward and is very similar to what you may be accustomed to with Web sites, such as the UIowa Employees Self Service site. All of the authentication methods are supported however, given that the HPC systems are shell systems, the duo-push method is very convenient for automation.

For normal ssh connections the following illustrates what you will see.

ssh neon.hpc.uiowa.edu
Password: 
Duo two-factor login for gpjohnsn

Enter a passcode or select one of the following options:

1. Duo Push to XXX-XXX-8727
2. Duo Push to My tablet (Android)
3. Phone call to XXX-XXX-8727
4. SMS passcodes to XXX-XXX-8727 (next code starts with: 1)

Passcode or option (1-4):

In the above, I have two devices registered, a phone and a tablet. The phone is set to be the primary device. The above requires interaction which in most cases is probably not a huge burden. However, there are times when you do not want to have to interact with the console and you can specify a push to happen automatically to your primary device. To accomplish this you will need to use a generated key (preferably with a passphrase and ssh agent) and set the DUO_PASSCODE environment variable.

env DUO_PASSCODE=push ssh -o SendEnv=DUO_PASSCODE neon.hpc.uiowa.edu
Reading $DUO_PASSCODE...
Pushed a login request to your device...
Success. Logging you in...

In the above there is no interaction with the console but you still have to acknowledge the request on the device. It is also possible to send a pre-generated key. This key can either be generated from the app on the device or from the list sent via SMS.

env DUO_PASSCODE=482946 ssh -o SendEnv=DUO_PASSCODE neon.hpc.uiowa.edu
Reading $DUO_PASSCODE...
Success. Logging you in...

While the above still requires interaction to generate the code it may be more convenient to send a code first rather than acknowledge after the ssh command.

Of course, there are some commands that do not present dialogs at the console. This would be things such as scp and NX. For these types of commands, Duo will autopush the request to your out-of-band authentication method. If you have the app on a smartphone then the request will go there. If not, then a phone call will be made to the registered number. Clearly, the app on a smartphone is a much better way to handle that. There will be no prompt in your terminal window so you must remember to check your smartphone for the pushed request.

If the pushed request, or the response to it, is delayed then NX connections may time out before they get established.

  • No labels