Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 28 Next »

One way to increase the security of computer systems is to use multiple factors for authentication. Typically, this will be two factors and follows the pattern of authenticating with a "knowledge" factor, which is something you know, like a password, and a "possession" factor, which is something that you have. The latter is typically a key or one time password often generated by a device. We have implemented a two factor authentication system for the HPC resources. The technology that has been chosen is called Duo from Duo Security. This is the same technology that was deployed for the University of Iowa Employee Self Service site.

In order to use Duo on the HPC systems you must enroll in the Duo service and register a device. The most convenient method for managing Duo, particularly on the HPC systems, is via Duo's app for smartphones and tablets (no phone number required and the app can be used internationally with or without Internet). The remainder of the documentation will refer to smartphones but information is also applicable to the Duo app on non-smartphone devices unless phone calls or SMS messages are involved. There is support for all, or most, types of smart phones and other mobile devices; see this page for more information. Please see the following page for setting up a smart phone for Duo:

UI Duo mobile setup

Follow the instructions on that page to get yourself enrolled and your device registered.

The Duo service is already setup. You only need to enroll in the service that we offer. Ignore any instructions from Duo that prompt you to set up a Duo service account.

There are several ways to use Duo codes if your phone is not connected to a Wifi network or Data service. If you do not have access to Wifi or data service you can generate a code with the app. That could be useful if you have a wired network connection for your laptop but no wireless or cellular for your phone. You can also send a set of 10 codes to your phone via SMS. Note that these codes are good until they are used and you only need to generate a new set when you have gone through all 10 of  a set. If something happens to your phone and you can not use Duo push or generate a key with the app, or even receive SMS codes, you can visit the following site to get a list of 10 codes that you can use:

https://apps.its.uiowa.edu/uip-tools/two-step/backup-codes/

While not as convenient that will allow you to get access to Duo enabled services if your Duo device is not working or not with you.

Registering with Duo for the HPC systems will enable Duo for all campus services that use Duo such as Employee Self-Service.

 

There is an ITS Duo support site that has all of the information that you will need for using Duo. Please direct all questions regarding enrollment to the ITS Help Desk, whose contact information is listed on the Duo support site

Once you are enrolled in Duo you are ready to use it on the HPC systems. Usage is fairly straight forward and is very similar to what you may be accustomed to with Web sites, such as the UIowa Employees Self Service site. All of the authentication methods are supported however, given that the HPC systems are shell systems, the duo-push method is very convenient for automation.

For normal ssh connections the following illustrates what you will see.

ssh neon.hpc.uiowa.edu
Password: 
Duo two-factor login for gpjohnsn

Enter a passcode or select one of the following options:

1. Duo Push to XXX-XXX-8727
2. Duo Push to My tablet (Android)
3. Phone call to XXX-XXX-8727
4. SMS passcodes to XXX-XXX-8727 (next code starts with: 1)

Passcode or option (1-4):

In the above, I have two devices registered, a phone and a tablet. The phone is set to be the primary device. The above requires interaction which in most cases is probably not a huge burden. Of course, there are some commands that do not present dialogs at the console. This would be things such as scp and No Machine. For these types of commands, Duo will autopush the request to your out-of-band authentication method. If you have the app on a smartphone then the request will go there. If not, then a phone call will be made to the registered number. Clearly, the app on a smartphone is a much better way to handle that. There will be no prompt in your terminal window so you must remember to check your smartphone for the pushed request. However, it is also possible to send an authentication key as part of the command and that is particularly useful for those without a smartphone. Passing a key on the command line is probably easier than authenticating with a phone call. See the Advanced Setup section below for more information.

 Note that for transferring files it may be preferable to use CIFS rather than scp/sftp. See the following for more information:

Home Accounts

/wiki/spaces/hpcdocs/pages/76513488

If the pushed request, or the response to it, is delayed then No Machine connections may time out before they get established. One cause of delay could be that your phone is busy doing some other task, such as updating apps. Older phones may bog down and cause the Duo push response to get delayed due to not being able to effectively do more than one task at a time. If No Machine connections are not working then give FastX a try.

Finally, note that two-factor authentication only applies to logging into a login node of the HPC systems. Once on the system connections between nodes all use the cluster ssh keys as before.

Advanced setup

What follows is optional if you wish to reduce the interactivity just a bit. There are times when you do not want to have to interact with the console and you can specify a push to happen automatically to your primary device. To accomplish this you will need to use a generated key (preferably with a passphrase and ssh agent) and set the DUO_PASSCODE environment variable.

env DUO_PASSCODE=push ssh -o SendEnv=DUO_PASSCODE neon.hpc.uiowa.edu
Reading $DUO_PASSCODE...
Pushed a login request to your device...
Success. Logging you in...

In the above there is no interaction with the console but you still have to acknowledge the request on the device. It is also possible to send a pre-generated key. This key can either be generated from the app on the device or from the list sent via SMS.

env DUO_PASSCODE=482946 ssh -o SendEnv=DUO_PASSCODE neon.hpc.uiowa.edu
Reading $DUO_PASSCODE...
Success. Logging you in...

While the above still requires interaction to generate the code it may be more convenient to send a code first rather than acknowledge after the ssh command. This method is also useful for those who do not have a smartphone as sending a key as part of the command makes connecting the session a bit easier. This is particularly true for scp and sftp which do not present a dialog to enter the key.

It is also possible to put the above environment variables in configuration files. To tell ssh to pass the the DUO_PASSCODE variable put the following in your ~/.ssh/config file:

SendEnv DUO_PASSCODE

In your script startup file, such as ~/.bash_profile, put the following

export DUO_PASSCODE=push

 

  • No labels