Two-Factor Authentication on SuperMUC-NG

1. Status

Two-Factor Authentication is enabled on SuperMUC-NG!

2. Overview

In view of increasing security risks, we must strengthen our security measures. In order to improve the security of our HPC systems, we changed the authentication procedure on all login nodes to two-factor authentication (2FA) as of July 11, 2023. The previously used login procedure via single-factor authentication was disabled on September 18, 2023. Since then, SuperMUC-NG has been accessible to all users only with 2FA.

NOTE

The introduction of two-factor authentication has an impact on the procedure for accessing SuperMUC-NG. Automatic (data transfer) workflows between your local computer and the login node may no longer work! We strongly recommend that you test all your workflows promptly! Please Contact Us and report issues.

3. Problems? Questions? Contact Us Here!

If you have any questions or problems regarding 2FA on SuperMUC-NG login nodes, we kindly ask you to...

  • Check the FAQ section for possible solutions.
  • Contact us via Servicedesk. After login to the Selfservice portal, just choose "Incident: I have login problems" from the drop-down list and continue.

4. Step-by-Step Instruction of 2FA Configuration

A "token" is a piece of hardware or software that serves as a second factor in authentication. Tokens for two-factor authentication must first be registered on the SIM-MFA server at LRZ before they can be used for authentication on an LRZ service prepared for this purpose. The conventional login method uses ssh login with password or public-key authentication. 2FA does not replace that method. Rather, it asks you for a second factor on top of the conventional login credentials.

Please note! According to our policy, the use of a second device (e.g. your mobile device, a YubiKey or a TAN list) for provision of the second factor is mandatory!

In order to use 2FA on SuperMUC-NG, you need to configure it in advance! That procedure comprises two steps:

  1. Registration of the token(s) at LRZ SIM-MFA portal,
  2. Configuration on your local device.

4.1. Supported 2FA methods on SuperMUC-NG

Numerous authentication methods are available. You may choose any token available in the SIM-MFA portal. However, please consider that we only offer support concerning configuration and usage for the following list of tokens!

Please note! We recommend creating multiple tokens, e.g. a token for regular login procedures and a recovery token as a fallback solution!

Recommended Tokens for Login Procedures
TOTP token: An authenticator app on your mobile device continuously generates new Time-based One Time Passwords, which can be used as a second factor at ssh login to SuperMUC-NG.

Hardware token YubiKey: This is a USB key configured individually for each user. When asked by the ssh login, touching this hardware token provides the second factor, and the login procedure completes.
This method requires the purchase of the hardware token YubiKey as well as some more advanced configuration steps.

Please note! LRZ does not provide YubiKeys! We recommend this method if you cannot meet the requirements of the TOTP or PUSH method, e.g. because you do not have a mobile device.

Recommended Recovery Token

TAN list: This is a list of one-time passwords printed on a sheet of paper. You may use this list as a recovery token.

Typical use case: You generally use TOTP or PUSH but have lost this software token. In this case, you would no longer be able to log in to the SIM-MFA web portal to generate a new token. As a backup, you may log in using an OTP from the TAN list.

Additional Token (limited support)

PUSH token: Your ssh login to SuperMUC-NG triggers a notification sent to your mobile device. By accepting the notification, the second factor is sent back to the LRZ server and the login procedure completes automatically.

Due to the dependency on third-party software (the notification service), we provide only limited support for this token!

4.2. Configuration of 2FA Method

  1. Regardless of the 2FA method chosen, you have to register/log in to the SIM-MFA web portal in order to create and configure 2FA tokens! Click here to do so.

    Please log in to the SIM-MFA portal with exactly the same user ID (account) that you will use to access SuperMUC-NG, i.e. the user ID with SuperMUC-NG permission!

  2. Click on one of the icons to proceed with the configuration of the 2FA token of your choice in SIM-MFA portal as well as on your local device.

    Please carefully read the instructions and recommendations!

5. Login to SuperMUC-NG

STEP 1 Log in to SuperMUC-NG from your local computer. You may use SSH password authentication or SSH public-key authentication. All login rules via Secure Shell on LRZ HPC Systems still apply. However, for public-key authentication the ssh command needs to be adjusted by adding port 2222!

Login via password authentication:

    $ ssh userID@skx.supermuc.lrz.de     <-- Enter ssh command!
    Password:                            <-- Enter the password of your account here!
    MFA:                                 <-- Enter second factor here (TOTP, PUSH, YubiKey, TAN)! PUSH: Don't forget <ENTER> in order to receive the push notification!

Login via public-key authentication:

    $ ssh -p 2222 userID@skx.supermuc.lrz.de     <-- Enter ssh command!
    MFA:                                         <-- Enter second factor here (TOTP, PUSH, YubiKey, TAN)! PUSH: Don't forget <ENTER> in order to receive the push notification!

NOTE

For public-key authentication, you do not need to create new keys. You can use the keys you used without 2FA.

For TOTP:

STEP 2 Start the authenticator app on your mobile device.

STEP 3 Enter the One-Time Password displayed by the authenticator app in the terminal.

NOTE

Timing is important! Please do not enter an OTP which is no longer valid!

For PUSH:

STEP 2 Start the authenticator app on your mobile device.

STEP 3 Accept the push message.

NOTE

If no push message appears, just press <ENTER> once in the ssh 2FA prompt and check for the push message again.

For YubiKey:

STEP 2 Connect the YubiKey to your computer and touch the button. The login procedure completes.

After logging in, you are in your HOME directory and can work on SuperMUC-NG as usual.

6. Token Recovery Procedure

Problem Description

Once you have generated a token in the SIM-MFA web portal, you can only log in to the SIM-MFA portal with 2FA. Single-factor authentication is then no longer possible!

Typical use case: After loss of the token, e.g. by removing the authenticator app from your mobile device or losing the mobile device, you can log in neither to the SIM-MFA portal nor to SuperMUC-NG!

Recommended Solution

We recommend creating a second token for recovery. You may use this token to log in to the SIM-MFA portal in order to delete invalid tokens or create new ones. We recommend using the TAN list printed on a sheet of paper as the recovery token.

If you do not have a recovery option, but you have locked yourself out of the portal, then you need to Contact Us.

7. 2FA Glossary and FAQs

Please click here to open the glossary!