[Clas12_software] Fwd: [Jlab-scicomp-briefs] Multi-Factor Authentication for Access to Scientific Computing Clusters

Tue Jan 10 17:12:38 EST 2023

FYI, in case you missed it ...

Begin forwarded message:

From: Bryan Hess via Jlab-scicomp-briefs <jlab-scicomp-briefs at jlab.org<mailto:jlab-scicomp-briefs at jlab.org>>
Subject: [Jlab-scicomp-briefs] Multi-Factor Authentication for Access to Scientific Computing Clusters
Date: January 9, 2023 at 10:08:17 AM EST
To: "jlab-scicomp-briefs at jlab.org<mailto:jlab-scicomp-briefs at jlab.org>" <jlab-scicomp-briefs at jlab.org<mailto:jlab-scicomp-briefs at jlab.org>>, "lqcd-users at jlab.org<mailto:lqcd-users at jlab.org>" <lqcd-users at jlab.org<mailto:lqcd-users at jlab.org>>
Reply-To: Bryan Hess <bhess at jlab.org<mailto:bhess at jlab.org>>

On March 21st, 2023, SSH access to the Farm and LQCD computing environment at JLab will require logins exclusively from multi-factor authentication (MFA) login gateways. This will apply to all ifarm and QCD interactive machines, both from off-site and from on-site. MFA gateways suitable for this purpose will include the existing hallgw.jlab.org<http://hallgw.jlab.org/> and acclogin.jlab.org<http://acclogin.jlab.org/>, and a new login gateway, scilogin.jlab.org<http://scilogin.jlab.org/>, established for this purpose. This is the same model that is used for access to the experimental halls through hallgw.jlab.org<http://hallgw.jlab.org/>. A typical interactive login will require an MFA login to one of the login gateways, followed by a standard (CUE password, orSSH key) login to the desired ifarm or qcdi host.

In preparation for this, anyone with ifarm or qcdi access will be issued MFA credentials in the coming weeks.  This will come in the form of an enrollment email to your JLab email address from 2factor at jlab.org<mailto:2factor at jlab.org>.  Supported clients include Google Authenticator, Microsoft Authenticator, MobilePass client, and YubiKey hardware tokens.

Once you have MFA credentials, you may begin to use scilogin.jlab.org<http://scilogin.jlab.org/> to confirm that you are prepared for the cutover in March. Be sure to test any SSH configuration you may have: ProxyJump, ControlMaster, or SSH port forwarding are examples that are sometimes used. Please review the ‘Common Questions and Answers’ below for some tips and tricks to streamline this process. If you have a scenario that you need configuration assistance with when using with the new login gateways, please contact helpdesk at jlab.org<mailto:helpdesk at jlab.org>.

If you have not accessed your JLab account for some time, please confirm that you have access and that it has not been retired. You can forward your JLab email to your preferred email account using this web page<https://cc.jlab.org/pfeditor/edit> (authentication required, use your JLab CUE account).  If you no longer need access to your JLab account, please contact helpdesk at jlab.org.<mailto:helpdesk at jlab.org>

Common Questions and Answers

Q: Will SSH key-based logins work after March 21st?
A: Although SSH keys to log in to interactive machines will continue to work, SSH logins originating outside the environment must jump through an MFA gateway, and MFA gateways will not support SSH key-based logins.

Q: Where can I find information about two-factor enrollment?
A: See the following Knowledge Base Articles

  *   SafeNet<https://jlab.servicenowservices.com/sp?id=kb_article_view&sysparm_article=KB0011911>
  *   Google or Microsoft Authenticator<https://jlab.servicenowservices.com/sp?id=kb_article_view&sysparm_article=KB0012313>

Q: How can I avoid typing MFA onetime passwords repeatedly? How can I use MFA once to create multiple windows on interactive machines?
A: There are several tools for this that help to avoid needless password entry.
1. tmux – tmux is available on many Linux and BSD systems and allows you to create multiple Unix shells in a single window, and to disconnect/reconnect to them.  It can be used on your local machine to keep sessions open (assuming a stable network connection) as well as on remote JLab systems to work with multiple sessions after connecting just once.  An introduction is available here:https://tmuxcheatsheet.com/quick-start/
2. SSH single sign-on (SSO) using ProxyJump and ControlMaster – using SSH configuration options, it is possible to create an SSOenvironment between your remote desktop machine and the interactive login nodes. The Knowledge Base article titled “(Open)SSH configuration for Farm and QCD clusters<https://jlab.servicenowservices.com/kb?id=kb_article_view&sysparm_article=KB0014918>” outlines the needed components.

Q: How can I use SCP or SFTP with this new configuration?
A: This can be done using the same ProxyJump and ControlMaster configuration<https://jlab.servicenowservices.com/kb?id=kb_article_view&sysparm_article=KB0014918> shown above.

Q: What authenticators are supported?
Software authenticators including Microsoft Authenticator, Google Authenticator, and MobilePass app for iPhone or Android are supported.Hardware YubiKey tokens issued by the helpdesk are also supported.

Q: Is this the same MFA password as j<http://jupyterhub.jlab.org/>upyterhub<http://jupyterhub.jlab.org/>.jlab.org<http://jupyterhub.jlab.org/>?
It is not. The JupyterHub implementation uses a separate MFA instance, creating a separate token. These may be merged in a future revision, but currently is not the case.

Q: Is SSH outbound from the ifarm or qcdi going to be blocked as part of this work?
A: No, outbound SSH will not be blocked. The firewall changes are being made to inbound SSH from JLab or the Internet, which must pass through an MFA gateway.

--

This is an announcement-only list for Jefferson Lab Scientific Computing Updates .

Subscription and List Archive: https://mailman.jlab.org/mailman/listinfo/jlab-scicomp-briefs

For help: https://jlab.servicenowservices.com/scicomp

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.jlab.org/pipermail/clas12_software/attachments/20230110/82ba223d/attachment-0001.html>