Two-Factor Authentication on SuperMUC-NG
1. Status
Two-Factor Authentication is enabled on SuperMUC-NG!
2. Overview
In view of increasing security risks, we are forced to strengthen our security measures. To improve the security of our HPC systems, we changed the authentication procedure on all login nodes to two-factor authentication (2FA) as of July 11, 2023. The previously used login procedure via single-factor authentication was disabled on September 18, 2023. Since then, SuperMUC-NG has been accessible to all users only with 2FA.
NOTE
The introduction of two-factor authentication will have an impact on the procedure for accessing SuperMUC-NG. Automatic (data transfer) workflows between your local computer and the login node may no longer work! We strongly recommend testing all workflows as soon as possible! Please Contact Us and report issues.
3. Problems? Questions? Contact Us Here!
If you have any questions or problems regarding 2FA on SuperMUC-NG login nodes, we kindly ask you to...
- Check the FAQ section for possible solutions.
- Contact us via Servicedesk. After logging in to the Selfservice portal, choose "Incident: I have login problems" from the drop-down list and continue.
4. Step-by-Step Instruction of 2FA Configuration
A "token" is a piece of hardware or software that serves as a second factor in authentication. Tokens for two-factor authentication must first be registered on the SIM-MFA server at LRZ before they can be used for authentication on an LRZ service prepared for this purpose. The conventional login method uses ssh login with password or public-key authentication. 2FA will not replace that method. Rather, it will ask you for a second factor on top of the conventional login credentials.
Please note! According to our policy, the use of a second device (e.g. your mobile device, a YubiKey or a TAN list) to provide the second factor is mandatory!
In order to use 2FA on SuperMUC-NG, you need to configure it in advance! That procedure comprises two steps:
- Registration of the token(s) at LRZ SIM-MFA portal,
- Configuration on your local device.
4.1. Supported 2FA methods on SuperMUC-NG
4.2. Configuration of 2FA Method
Regardless of the 2FA method chosen, you have to register or log in at the SIM-MFA web portal in order to create and configure 2FA tokens! Click here to do so.
Please log in to the SIM-MFA portal with exactly the same user ID (account) that you will need to access SuperMUC-NG, i.e. the user ID with SuperMUC-NG permission!
Click on one of the icons to proceed with the configuration of the 2FA token of your choice in SIM-MFA portal as well as on your local device.
Please carefully read the instructions and recommendations!
5. Login to SuperMUC-NG
STEP 1
Log in to SuperMUC-NG from your local computer. You may use SSH password authentication or SSH public-key authentication. All login rules via Secure Shell on LRZ HPC Systems still apply. However, public-key authentication needs to be adjusted by adding the port 2222 to the ssh command!

Login via password authentication

    $ ssh userID@skx.supermuc.lrz.de    <-- Enter ssh command!
    Password:                           <-- Enter the password of your account here!
    MFA:                                <-- Enter second factor here (TOTP, PUSH, YubiKey, TAN)!
                                            PUSH: Don't forget <ENTER> in order to receive push notification!

Login via public-key authentication

    $ ssh -p 2222 userID@skx.supermuc.lrz.de    <-- Enter ssh command!
    MFA:                                        <-- Enter second factor here (TOTP, PUSH, YubiKey, TAN)!
                                                    PUSH: Don't forget <ENTER> in order to receive push notification!

NOTE
For public-key authentication, you do not need to create new keys. You can use the keys you used without 2FA.

The next steps depend on the second factor you use:

TOTP
STEP 2 Start the authenticator app on your mobile device.
STEP 3 Enter the One-Time Password, displayed by the authenticator app, in the terminal.
NOTE
Timing is important! Please do not enter an OTP which is no longer valid!

PUSH
STEP 2 Start the authenticator app on your mobile device.
STEP 3 Accept the push message.
NOTE
If no push message appears, just press <ENTER> once in the ssh-2FA prompt and check the push message again.

YubiKey
STEP 2 Connect the YubiKey to your computer and touch the button. The login procedure completes.

After logging in, you are in your HOME directory and can work on SuperMUC-NG as usual.