[Ace] Two-factor Email take two
Anthony Cuffe
cuffe at jlab.org
Tue Oct 7 11:39:21 EDT 2014
I am still updating the documentation and trying to migrate it to cebaf.jlab.org for external access, but I wanted to get something out. Below is a re-write with your comments addressed. Please re-comment if you feel something needs to be addressed. Thanks.
=========================================
Accelerator Users,
Starting November 12th 2014, access to Accelerator computers (opsl00, devl00, etc.) and other Accelerator subnets from the general Jlab/CNI networks and from your home will require two-factor authentication. This is a cyber-security requirement imposed not only on the Accelerator environment but also on other enclaves such as the Halls.
Two-factor authentication requires you to have a so-called crypto-token, i.e. a small physical device or a smart phone application that generates a temporary password for you. The temporary password, combined with a PIN you know, allows you to log into our gateway computer acclogin.jlab.org, from which you can directly access the accelerator networks.
This change only affects incoming connections to the accelerator controls networks (e.g. office/home -> opsll). If you are already using one of the Accelerator systems you do not need the token to connect to other accelerator computers or to destinations outside of the Accelerator networks (e.g. opsll -> office). In other words, within the Accelerator Computing Environment everything will work exactly as before. Here are some use cases to make this more clear:
Two-factor will be required if you are:
---------------------------------------
- At home trying to access Accelerator systems.
- Accessing Accelerator systems via Exceed from a Windows PC.
- Using NXclient to access Accelerator systems from home or your office.
The following will no longer work:
----------------------------------
- ssh'ing from login.jlab.org to any Accelerator system.
(You must now use acclogin.jlab.org from home).
- Using putty directly to any Accelerator system.
(You must now create an ssh tunnel through acclogin.jlab.org).
- Connecting directly to the NX server.
(You must now create an ssh tunnel through acclogin.jlab.org).
If you need to access Accelerator systems remotely and do not already have a crypto-token, please file an ACE-PR and select "ACE- CryptoCard" and request a CryptoCard token. Please indicate whether you would prefer to have a smart phone app or a hardware key for this function. It might take several days to fulfill these requests, so plan ahead. If you choose a hardware key, you will need to pick up the crypto-key in person from one of the Accelerator computing group staff. If you choose the smart phone app, your phone needs to be on the Jlab (or guest) wireless for the initial registration to work. If you already have a token but it no longer works, please file an ACE-PR for it to be reset.
ACE-PR:
-------
https://mis.jlab.org/mis/ccpr/ccpr_user/ccpr_new_user_request-ACE.cfm?ACE-PR %253BNew %253BRequest
Alternately, if the help desk is more convenient for your location, you can file a CCPR with the same request.
CCPR:
-----
https://misportal.jlab.org/mis/apps/ccpr/ccpr_user/ccpr_new_user_request.cfm
If you would like to read more about crypto-cards or the smart phone app, or would like to see the updated procedures for accessing Accelerator systems, please visit our remote access page.
How to Access Accelerator Systems Remotely:
-------------------------------------------
https://devweb.acc.jlab.org/twiki/bin/view/UserSupport/HowToRemoteAccess
Please note that this documentation will soon be available for reference off-site via cebaf.jlab.org.
Thank you,
Anthony Cuffe
Accelerator Computing Group
=================================================
--
+-------------------------+
| Anthony Cuffe |
| voice : 757 269-6213 |
| e-mail : cuffe at jlab.org |
+-------------------------+