[Halld-offline] Multi-Factor Authentication for Access to Scientific Computing Clusters

Alexander Austregesilo aaustreg at jlab.org
Mon Jan 9 17:05:40 EST 2023 

FYI



-------- Forwarded Message --------
Subject: 	[Jlab-scicomp-briefs] Multi-Factor Authentication for Access 
to Scientific Computing Clusters
Date: 	Mon, 9 Jan 2023 15:08:17 +0000
From: 	Bryan Hess via Jlab-scicomp-briefs <jlab-scicomp-briefs at jlab.org>
Reply-To: 	Bryan Hess <bhess at jlab.org>
To: 	jlab-scicomp-briefs at jlab.org <jlab-scicomp-briefs at jlab.org>, 
lqcd-users at jlab.org <lqcd-users at jlab.org>



On March 21st, 2023, SSH access to theFarm and LQCD computing 
environment at JLab will require logins exclusively from multi-factor 
authentication (MFA) login gateways.This will apply to all ifarm and QCD 
interactive machines, both from off-site and from on-site. MFA gateways 
suitable for this purpose will include the existing hallgw.jlab.org and 
acclogin.jlab.org, and a new login gateway, 
scilogin.jlab.org, established for this purpose.This is the same model 
that is used for access to the experimental halls through 
hallgw.jlab.org. A typical interactive login will require an MFA login 
to one of the login gateways, followed by a standard (CUE password, or 
SSH key) login to the desired ifarm or qcdi host.

In preparation for this, anyone with ifarm or qcdi access will be issued 
MFA credentials in the coming weeks. This will come in the form of an 
enrollment email to your JLabemail addressfrom 
2factor at jlab.org. Supported clients include Google Authenticator, 
Microsoft Authenticator, MobilePass client, and YubiKey hardware tokens.

Once you have MFA credentials, you may begin to use scilogin.jlab.org to 
confirm that you are prepared for the cutover in March. Be sure to test 
any SSH configuration you may have: ProxyJump, ControlMaster, or SSH 
port forwarding are examples that are sometimes used.Please review the 
‘Common Questions and Answers’ below for some tips and tricks to 
streamline this process. If you have a scenario that you need 
configuration assistance with when using with the new login gateways, 
please contact helpdesk at jlab.org <mailto:helpdesk at jlab.org>.

If you have not accessed your JLab account for some time, please confirm 
that you have access and that it has not been retired. You can forward 
your JLab email to your preferred email account using this web page 
<https://cc.jlab.org/pfeditor/edit> (authentication required, use your 
JLab CUE account). If you no longer need access to your JLab account, 
please contact helpdesk at jlab.org. <mailto:helpdesk at jlab.org>



*Common Questions and Answers*
*
*
*Q: Will SSH key-based logins work after March 21st?*
A:Although SSH keys to login to interactive machines will continue to 
work,SSH loginsoriginating outside the environment must jump through an 
MFA gateway, and MFA gateways will not support SSH key-based logins.

*Q: Where can I find information about two-factor enrollment?*
A: See the following Knowledge Base Articles

  * SafeNet
    <https://jlab.servicenowservices.com/sp?id=kb_article_view&sysparm_article=KB0011911>
  * Google or Microsoft Authenticator
    <https://jlab.servicenowservices.com/sp?id=kb_article_view&sysparm_article=KB0012313>

*Q: How can I avoid typing MFA onetime passwords repeatedly? How can I 
use MFA once to create multiple windows on interactive machines?*
A:There are several tools for this that help to avoid needless password 
entry.
1. tmux – tmux is available on many Linuxand BSD systems and allows you 
to create multiple Unix shells in a single window, and to 
disconnect/reconnect to them.  It can be used on your local machine to 
keep sessions open (assuming a stable network connection) as well as on 
remote JLab systems to workwith multiple sessions after connecting just 
once. An introduction is available here: 
https://tmuxcheatsheet.com/quick-start/ 
<https://tmuxcheatsheet.com/quick-start/>
2.SSH singlesign-on (SSO) using ProxyJumpand ControlMaster– using SSH 
configuration options, it is possible to create an SSO 
environment between your remote desktop machine and the interactive 
login nodes. The Knowledge Base article titled “(Open)SSH configuration 
for Farm and QCD clusters 
<https://jlab.servicenowservices.com/kb?id=kb_article_view&sysparm_article=KB0014918>” 
outlines the needed components.

*Q: How can I use SCP or SFTP with this new configuration?*
A: This can be done using the same ProxyJump and 
ControlMaster configuration 
<https://jlab.servicenowservices.com/kb?id=kb_article_view&sysparm_article=KB0014918>shown 
above.

*Q: What authenticators are supported? *
Software authenticators including Microsoft Authenticator, Google 
Authenticator, and MobilePass app for iPhone or Android are supported. 
HardwareYubiKey tokens issued by the helpdesk are also supported.

*Q: Is this the same MFA password as jupyterhub.jlab.org?*
It is not. The JupyterHub implementation uses a separate MFA instance, 
creating a separate token. These may be merged ina future revision, but 
currently is not the case.

*Q: Is SSH outbound from the ifarm or qcdi going to be blocked as part 
of this work?*
A: No, outbound SSH will not be blocked. The firewall changes are being 
made to inboundSSH from JLab or the Internet, which must pass through an 
MFA gateway.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.jlab.org/pipermail/halld-offline/attachments/20230109/5563991b/attachment-0001.html>
-------------- next part --------------
--

This is an announcement-only list for Jefferson Lab Scientific Computing Updates .

Subscription and List Archive: https://mailman.jlab.org/mailman/listinfo/jlab-scicomp-briefs

For help: https://jlab.servicenowservices.com/scicomp

More information about the Halld-offline mailing list