NERSC Multi-Factor Authentication
Abe Singer, 2018-11-01
It's easy!
MFA in Brief
● MFA will be required starting with the new allocation year
● MFA == Password + One Time Password (OTP)
  ○ Protects your account against password theft/guessing
● No special hardware required, uses a (free) phone/tablet app
● Configure with NIM in just a few minutes
● Semi single sign-on (SSO) across NERSC
  ○ sshproxy: SSO for ssh
  ○ Shibboleth and NEWT: SSO for websites
● Supported across virtually all of NERSC
  ○ Coming soon: myProxy, HPSS tokens, Jupyter, NX
Using MFA
Google Authenticator
OTP, changes every 30 seconds
(Screenshot labels: Serial Number (identifier); Time remaining)
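Google Authenticator implements TOTP (RFC 6238), by default HMAC-SHA1 over a counter derived from the current time in 30-second steps, truncated to six digits; that is the number that rolls over every 30 seconds in the screenshot. The block below is an added example, not NERSC's or Google's code: it computes the same value, decodes the base32 secret that authenticator apps are given, splits a combined "NIM.password157712" entry into password and OTP, and shows the two server-side checks the slides take for granted: a small clock-skew window and rejection of a replayed code. The key is the RFC 4226/6238 test key, not a real token, and names such as TotpVerifier and split_password_otp are this example's own.

```python
"""TOTP as used by Google Authenticator: HMAC-SHA1, 30-second step, 6 digits.
Added example; not NERSC's server-side (NIM) code."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per OTP, as in the Google Authenticator screenshot
DIGITS = 6     # length of the code typed after the password


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else int(at)
    return hotp(key, t // step)


def decode_authenticator_secret(secret: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (otpauth:// URIs);
    spaces and missing '=' padding are tolerated here."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def split_password_otp(typed: str, digits: int = DIGITS) -> tuple:
    """NERSC users type password and OTP as one string ("NIM.password157712"):
    the OTP is the trailing `digits` characters, the password is the rest."""
    if len(typed) <= digits or not typed[-digits:].isdigit():
        raise ValueError("no OTP suffix")
    return typed[:-digits], typed[-digits:]


class TotpVerifier:
    """Server-side check with a +/-`window` step tolerance for clock skew and
    replay protection: each counter value is accepted at most once per user."""

    def __init__(self, key: bytes, window: int = 1, step: int = STEP):
        self.key, self.window, self.step = key, window, step
        self.last_counter = -1       # highest counter already consumed

    def verify(self, code: str, at=None) -> bool:
        t = int(time.time()) if at is None else int(at)
        counter = t // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            # constant-time compare; a counter at or below the last one used is a replay
            if c > self.last_counter and hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 6238 test key (constructed demo, not a real token)
    print("OTP at unix time 59:", totp(key, 59))
```

The replay rule matters because a TOTP is valid for the whole 30-second step (plus the skew window): a verifier that only compares the code lets an attacker who shoulder-surfs or phishes it log in once more before it expires.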
Using MFA: ssh

Password and OTP are typed as one string at the prompt: the NIM password followed immediately by the six-digit OTP (shown here for illustration; the terminal does not echo it):

    DOE6748468:~ abe$ ssh cori.nersc.gov
    *****************************************************************
    *                                                               *
    *                       NOTICE TO USERS                         *
    *                       ---------------                         *
    Password + OTP: NIM.password157712
    Last login: Wed Oct 31 21:02:26 2018 from 71.143.193.229
    ----------------------------- Contact Information ----------------
    abe@cori07:~>
sshproxy
● Entering an OTP every time isn't very friendly with scripts/workflows
● sshproxy
  ○ Service developed by NERSC
  ○ You use MFA to obtain an ssh key that expires after 24 hours
    ■ MFA once, run everywhere (at NERSC)
    ■ Use sshproxy again when the key expires
  ○ Leverages ssh certificates
  ○ NERSC-supplied bash client script does all the work
Using MFA: sshproxy

    abe$ sshproxy.sh
    Enter your password+OTP: NIM.password157712
    Successfully obtained ssh key /Users/abe/.ssh/nersc
    Key is valid: from 2018-11-01T04:36:00 to 2018-11-02T04:37:51
    abe$ ls ~/.ssh
    config          id_rsa.pub      nersc           nersc.pub
    id_rsa          known_hosts     nersc-cert.pub
    abe$ ssh -i ~/.ssh/nersc cori.nersc.gov
    *****************************************************************
    *                                                               *
    *                       NOTICE TO USERS                         *
    abe@cori07:~>
Using MFA: ssh config (less typing)

~/.ssh/config:

    Host cori cori.nersc.gov
        Hostname cori.nersc.gov
        IdentityFile ~/.ssh/nersc
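sshproxy.sh leaves three files behind: the private key ~/.ssh/nersc, its public half nersc.pub, and nersc-cert.pub, an OpenSSH certificate signed by the sshproxy CA whose validity window is the "Key is valid" line above. ssh loads the file named IdentityFile plus "-cert.pub" on its own, and the server accepts the key because it trusts the issuing CA, not because your public key is listed in authorized_keys; that is what makes "MFA once, run everywhere" work. The block below is an added example, not NERSC's sshproxy code: it parses the OpenSSH certificate wire format (PROTOCOL.certkeys) to read the window and principal, and decides whether a workflow should run sshproxy.sh again before it starts. The sample certificate is constructed with dummy key and signature bytes and the slide's window read as UTC; cert_status and needs_renewal are this example's own names, and the CA signature is not checked (sshd does that).

```python
"""Read the certificate sshproxy hands back (~/.ssh/nersc-cert.pub) and decide
whether it is still usable. Added example, not NERSC's sshproxy code.
Parses the OpenSSH certificate format; it does NOT verify the CA signature."""
import base64
import struct
from datetime import datetime, timezone

CERT_TYPE_USER = 1   # uint32 "type" field: 1 = user certificate, 2 = host certificate


def _u32(b, p): return struct.unpack(">I", b[p:p + 4])[0], p + 4
def _u64(b, p): return struct.unpack(">Q", b[p:p + 8])[0], p + 8
def _string(b, p):
    n, p = _u32(b, p)
    return b[p:p + n], p + n
def _pack(s: bytes) -> bytes: return struct.pack(">I", len(s)) + s


def parse_openssh_cert(line: str) -> dict:
    """Parse one line of a *-cert.pub file: '<type> <base64 blob> [comment]'."""
    cert_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    kind, p = _string(blob, 0)
    if kind.decode() != cert_type:
        raise ValueError("type prefix does not match blob")
    _nonce, p = _string(blob, p)
    # The embedded public key has a type-specific layout.
    if kind.startswith(b"ssh-ed25519"):
        _pk, p = _string(blob, p)
    elif kind.startswith(b"ssh-rsa"):
        _e, p = _string(blob, p); _n, p = _string(blob, p)
    elif kind.startswith(b"ecdsa-sha2-"):
        _curve, p = _string(blob, p); _point, p = _string(blob, p)
    else:
        raise ValueError(f"unsupported certificate type {cert_type}")
    serial, p = _u64(blob, p)
    ctype, p = _u32(blob, p)
    key_id, p = _string(blob, p)
    principals_blob, p = _string(blob, p)      # sequence of strings: allowed login names
    valid_after, p = _u64(blob, p)             # unix seconds, inclusive
    valid_before, p = _u64(blob, p)            # unix seconds, exclusive
    _critical, p = _string(blob, p)
    _extensions, p = _string(blob, p)
    _reserved, p = _string(blob, p)
    _ca_key, p = _string(blob, p)
    _signature, p = _string(blob, p)           # not verified here; sshd checks it against the CA
    principals, q = [], 0
    while q < len(principals_blob):
        name, q = _string(principals_blob, q)
        principals.append(name.decode())
    return {"type": cert_type, "serial": serial, "is_user_cert": ctype == CERT_TYPE_USER,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def cert_status(cert: dict, now: int) -> tuple:
    """Return (state, seconds): seconds left while valid, otherwise distance from the window."""
    if now < cert["valid_after"]:
        return "not_yet_valid", cert["valid_after"] - now
    if now >= cert["valid_before"]:
        return "expired", now - cert["valid_before"]
    return "valid", cert["valid_before"] - now


def needs_renewal(cert: dict, now: int, margin: int = 3600) -> bool:
    """Run sshproxy.sh again if the cert is unusable or expires within `margin`
    seconds, so a long workflow does not lose its credential mid-run."""
    state, secs = cert_status(cert, now)
    return state != "valid" or secs < margin


def build_sample_cert() -> str:
    """Constructed ed25519 user certificate mirroring the slide's window
    (2018-11-01T04:36:00 to 2018-11-02T04:37:51, taken as UTC). Nonce, public key,
    CA key and signature are dummy bytes, so only the metadata fields mean anything."""
    kind = b"ssh-ed25519-cert-v01@openssh.com"
    after = int(datetime(2018, 11, 1, 4, 36, 0, tzinfo=timezone.utc).timestamp())
    before = int(datetime(2018, 11, 2, 4, 37, 51, tzinfo=timezone.utc).timestamp())
    body = (_pack(kind) + _pack(b"\x00" * 32) + _pack(b"\x11" * 32)
            + struct.pack(">Q", 1) + struct.pack(">I", CERT_TYPE_USER)
            + _pack(b"abe") + _pack(_pack(b"abe"))
            + struct.pack(">QQ", after, before)
            + _pack(b"") + _pack(b"") + _pack(b"")
            + _pack(b"\x22" * 51) + _pack(b"\x33" * 83))
    return kind.decode() + " " + base64.b64encode(body).decode() + " abe@example"


if __name__ == "__main__":
    cert = parse_openssh_cert(build_sample_cert())
    print(cert["key_id"], cert["principals"], cert_status(cert, cert["valid_after"] + 60))
```

Point parse_openssh_cert at the contents of ~/.ssh/nersc-cert.pub to use it on a real sshproxy credential; `ssh-keygen -L -f ~/.ssh/nersc-cert.pub` prints the same fields for comparison. One caveat the slides do not spell out: for those 24 hours the private key is a bearer credential, so anyone who can read ~/.ssh/nersc has your access until the certificate expires. Keep it mode 0600, do not copy it to shared systems, and treat a leaked key as a reason to contact NERSC rather than waiting for expiry.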
Using MFA: Shibboleth
Enabling MFA
Enabling MFA (cont.)

Creating a "token"

Creating a token (cont.)
Additional details
● sshproxy keys >24 hours with justification and authorization
● Desktop app ("authy") for the smartphone-less
● "Backup" OTP passwords for when you leave your mobile at home
● Token "reset" for when you lose/replace your device(s)
● Hardware token (yubikey) supported
  ○ You have to purchase (~$40) and configure
  ○ Requires desktop software
  ○ Kindle Fire is only slightly more ($50)
    ■ And you can play games on it too!
● Exceptions to MFA available if necessary
  ○ Tell us why MFA can't work for you
Any Questions?
● https://www.nersc.gov/users/connecting-to-nersc/mfa/
  ○ Or google "NERSC MFA"
● Any questions?
Thank You