[Halld-offline] Fwd: [Jlab-scicomp-briefs] REMINDER: Multi-Factor Authentication for Access to Scientific Computing Clusters

Alexander Austregesilo aaustreg at jlab.org
Thu Feb 16 10:06:47 EST 2023


FYI


-------- Forwarded Message --------
Subject: 	[Jlab-scicomp-briefs] REMINDER: Multi-Factor Authentication 
for Access to Scientific Computing Clusters
Date: 	Thu, 16 Feb 2023 14:50:02 +0000
From: 	Bryan Hess via Jlab-scicomp-briefs <jlab-scicomp-briefs at jlab.org>
Reply-To: 	Bryan Hess <bhess at jlab.org>
To: 	jlab-scicomp-briefs at jlab.org <jlab-scicomp-briefs at jlab.org>, 
lqcd-users at jlab.org <lqcd-users at jlab.org>



REMINDER: Multi-Factor Authentication for Access to Scientific 
Computing Clusters

On March 21st, 2023, SSH access to the Farm and LQCD computing 
environment at JLab will require logins exclusively from multi-factor 
authentication (MFA) login gateways.


This will apply to all ifarm and QCD interactive machines, both from 
off-site and from on-site. MFA gateways suitable for this purpose will 
include the existing hallgw.jlab.org and acclogin.jlab.org, and a new 
login gateway, scilogin.jlab.org, established for this purpose.


This is the same model that is used for access to the experimental halls 
through hallgw.jlab.org. A typical interactive login will require an MFA 
login to one of the login gateways, followed by a standard (CUE 
password, or SSH key) login to the desired ifarm or qcdi host.


In preparation for this, anyone with ifarm or qcdi access will be issued 
MFA credentials in the coming weeks. This will come in the form of an 
enrollment email to your JLab email address from 
2factor at jlab.org. Supported clients include Google Authenticator, 
Microsoft Authenticator, MobilePass client, and YubiKey hardware tokens.

Once you have MFA credentials, you may begin to use scilogin.jlab.org to 
confirm that you are prepared for the cutover in March. Be sure to test 
any SSH configuration you may have: ProxyJump, ControlMaster, or SSH 
port forwarding are examples that are sometimes used.


Please review the ‘Common Questions and Answers’ below for some tips and 
tricks to streamline this process. If you have a scenario that you need 
configuration assistance with when using the new login gateways, 
please contact helpdesk at jlab.org.


If you have not accessed your JLab account for some time, please confirm 
that you have access and that it has not been retired. You can forward 
your JLab email to your preferred email account using this web page 
https://cc.jlab.org/pfeditor/edit (authentication required, use your 
JLab CUE account). If you no longer need access to your JLab account, 
please contact helpdesk at jlab.org.

Please note the correct PIN length requirement for enrollment is 6-8 
digits (highlighted in yellow below). We apologize for the conflicting 
information in the text above the PIN field.

image

Common Questions and Answers

Q: Where can I find information about the two-factor enrollment process?

A: See the following Knowledge Base Articles

  * Google or Microsoft Authenticator:
    https://jlab.servicenowservices.com/sp?id=kb_article_view&sysparm_article=KB0012313

  * SafeNet:
    https://jlab.servicenowservices.com/sp?id=kb_article_view&sysparm_article=KB0011911

Q: Will SSH key-based logins work after March 21st?

A: Although SSH keys to log in to interactive machines will continue to 
work, SSH logins originating outside the environment must jump through 
an MFA gateway, and MFA gateways will not support SSH key-based logins.

Q: How can I avoid typing MFA one-time passwords repeatedly? How can I 
use MFA once to create multiple windows on interactive machines?

A: There are several tools for this that help to avoid needless password 
entry.

1. tmux – tmux is available on many Linux and BSD systems and allows you 
to create multiple Unix shells in a single window, and to 
disconnect/reconnect to them.  It can be used on your local machine to 
keep sessions open (assuming a stable network connection) as well as on 
remote JLab systems to work with multiple sessions after connecting just 
once. An introduction is available here: 
https://tmuxcheatsheet.com/quick-start/

2. SSH single sign-on (SSO) using ProxyJump and ControlMaster – using SSH 
configuration options, it is possible to create an SSO 
environment between your remote desktop machine and the interactive 
login nodes. The Knowledge Base article titled “(Open)SSH configuration 
for Farm and QCD clusters” outlines the needed components.

https://jlab.servicenowservices.com/kb?id=kb_article_view&sysparm_article=KB0014918

Q: How can I use SCP or SFTP with this new configuration?

A: This can be done using the same ProxyJump and 
ControlMaster configuration shown above, and outlined in 
https://jlab.servicenowservices.com/kb?id=kb_article_view&sysparm_article=KB0014918.

Q: What authenticators are supported?

Software authenticators including Microsoft Authenticator, Google 
Authenticator, and MobilePass app for iPhone or Android are supported. 
Hardware YubiKey tokens issued by the helpdesk are also supported.

Q: Is this the same MFA password as jupyterhub.jlab.org?

It is not. The JupyterHub implementation uses a separate MFA instance, 
creating a separate token. These may be merged in a future revision, but 
this is currently not the case.

Q: Is SSH outbound from the ifarm or qcdi going to be blocked as part of 
this work?

A: No, outbound SSH will not be blocked. The firewall changes are to 
inbound SSH from JLab or the Internet, which must pass through an MFA 
gateway.

--

This is an announcement-only list for Jefferson Lab Scientific Computing Updates.

Subscription and List Archive: https://mailman.jlab.org/mailman/listinfo/jlab-scicomp-briefs

For help: https://jlab.servicenowservices.com/scicomp
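
The ProxyJump and ControlMaster arrangement mentioned in the questions above, sketched as an added example: it is not JLab's configuration and is not taken from KB0014918. Only scilogin.jlab.org comes from the announcement; the user name jdoe, the alias names, the interactive-node host name and the gateway's prompt type are assumptions.

```sshconfig
# ~/.ssh/config : added example, not JLab's own configuration.
# Assumed placeholders: user "jdoe", aliases "scilogin" and "ifarm",
# and the HostName of the interactive node.

# MFA login gateway (host name taken from the announcement).
Host scilogin
    HostName scilogin.jlab.org
    User jdoe
    # The gateways do not accept SSH keys, so do not offer any here.
    # Assumption: the MFA prompt arrives as keyboard-interactive or password.
    PubkeyAuthentication no
    PreferredAuthentications keyboard-interactive,password
    # First connection becomes the master; later ssh/scp/sftp sessions
    # reuse it and are not prompted for MFA again.
    ControlMaster auto
    # %C is a hash of local host, remote host, port and user, which keeps
    # the socket name short and unique. Keep ~/.ssh at mode 700 so that
    # only you can reach the socket.
    ControlPath ~/.ssh/cm-%C
    # Keep the master alive in the background, but bounded: while the
    # socket exists, any process running as you can open sessions
    # through the gateway without MFA.
    ControlPersist 4h
    # Do not expose the local agent to the gateway; ProxyJump does not need it.
    ForwardAgent no

# Interactive node, reached only through the gateway.
Host ifarm
    # Placeholder: replace with your ifarm or qcdi host name.
    HostName ifarm.example.org
    User jdoe
    ProxyJump scilogin
    # The standard CUE password or SSH key login happens here, end to end
    # from the local machine; the private key never leaves it.
    ForwardAgent no

# Typical use:
#   ssh ifarm                 MFA prompt at the gateway, then node login
#   scp data.tar ifarm:       reuses the open gateway connection
#   ssh -O check scilogin     is a master connection still open?
#   ssh -O exit scilogin      close it when leaving the machine
```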

