[Jlab-scicomp-briefs] REMINDER: Multi-Factor Authentication for Access to Scientific Computing Clusters

Bryan Hess bhess at jlab.org
Thu Feb 16 09:50:02 EST 2023 

REMINDER: Multi-Factor Authentication for Access to Scientific Computing Clusters



On March 21st, 2023, SSH access to the Farm and LQCD computing environment at JLab will require logins exclusively from multi-factor authentication (MFA) login gateways.


This will apply to all ifarm and QCD interactive machines, both from off-site and from on-site. MFA gateways suitable for this purpose will include the existing hallgw.jlab.org and acclogin.jlab.org, and a new login gateway, scilogin.jlab.org, established for this purpose.


This is the same model that is used for access to the experimental halls through hallgw.jlab.org. A typical interactive login will require an MFA login to one of the login gateways, followed by a standard (CUE password, or SSH key) login to the desired ifarm or qcdi host.


In preparation for this, anyone with ifarm or qcdi access will be issued MFA credentials in the coming weeks.  This will come in the form of an enrollment email to your JLab email address from 2factor at jlab.org.  Supported clients include Google Authenticator, Microsoft Authenticator, MobilePass client, and YubiKey hardware tokens.

Once you have MFA credentials, you may begin to use scilogin.jlab.org to confirm that you are prepared for the cutover in March. Be sure to test any SSH configuration you may have: ProxyJump, ControlMaster, or SSH port forwarding are examples that are sometimes used.


Please review the ‘Common Questions and Answers’ below for some tips and tricks to streamline this process. If you have a scenario that you need configuration assistance with when using with the new login gateways, please contact helpdesk at jlab.org.


If you have not accessed your JLab account for some time, please confirm that you have access and that it has not been retired. You can forward your JLab email to your preferred email account using this web page https://cc.jlab.org/pfeditor/edit (authentication required, use your JLab CUE account).  If you no longer need access to your JLab account, please contact helpdesk at jlab.org.



Please note the correct PIN length requirement for enrollment is 6-8 digits (highlighted in yellow below). We apologize for the conflicting information in the text above the PIN field.



[image]



Common Questions and Answers



Q: Where can I find information about the two-factor enrollment process?

A: See the following Knowledge Base Articles

  *   Google or Microsoft Authenticator<https://jlab.servicenowservices.com/sp?id=kb_article_view&sysparm_article=KB0012313>: https://jlab.servicenowservices.com/sp?id=kb_article_view&sysparm_article=KB0012313

  *   SafeNet<https://jlab.servicenowservices.com/sp?id=kb_article_view&sysparm_article=KB0011911> https://jlab.servicenowservices.com/sp?id=kb_article_view&sysparm_article=KB0011911





Q: Will SSH key-based logins work after March 21st?

A: Although SSH keys to log in to interactive machines will continue to work, SSH logins originating outside the environment must jump through an MFA gateway, and MFA gateways will not support SSH key-based logins.





Q: How can I avoid typing MFA onetime passwords repeatedly? How can I use MFA once to create multiple windows on interactive machines?

A: There are several tools for this that help to avoid needless password entry.

1. tmux – tmux is available on many Linux and BSD systems and allows you to create multiple Unix shells in a single window, and to disconnect/reconnect to them.  It can be used on your local machine to keep sessions open (assuming a stable network connection) as well as on remote JLab systems to work with multiple sessions after connecting just once.  An introduction is available here: https://tmuxcheatsheet.com/quick-start/

2. SSH single sign-on (SSO) using ProxyJump and ControlMaster – using SSH configuration options, it is possible to create an SSO environment between your remote desktop machine and the interactive login nodes. The Knowledge Base article titled “(Open)SSH configuration for Farm and QCD clusters” outlines the needed components.

https://jlab.servicenowservices.com/kb?id=kb_article_view&sysparm_article=KB0014918



Q: How can I use SCP or SFTP with this new configuration?

A: This can be done using the same ProxyJump and ControlMaster configuration shown above, and outlined in https://jlab.servicenowservices.com/kb?id=kb_article_view&sysparm_article=KB0014918 .



Q: What authenticators are supported?

Software authenticators including Microsoft Authenticator, Google Authenticator, and MobilePass app for iPhone or Android are supported. Hardware YubiKey tokens issued by the helpdesk are also supported.



Q: Is this the same MFA password as jupyterhub.jlab.org?

It is not. The JupyterHub implementation uses a separate MFA instance, creating a separate token. These may be merged in a future revision, but currently is not the case.



Q: Is SSH outbound from the ifarm or qcdi going to be blocked as part of this work?

A: No, outbound SSH will not be blocked. The firewall changes are to inbound SSH from JLab or the Internet, which must pass through an MFA gateway.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.jlab.org/pipermail/jlab-scicomp-briefs/attachments/20230216/e46dbef5/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 28279 bytes
Desc: image.png
URL: <https://mailman.jlab.org/pipermail/jlab-scicomp-briefs/attachments/20230216/e46dbef5/attachment-0001.png>

More information about the Jlab-scicomp-briefs mailing list