Two-Factor Authentication on the Linux Cluster


1. Status

Two-Factor Authentication is enabled on all Linux Cluster login nodes!

2. Overview

In view of increasing security risks, we are forced to strengthen our security measures. In order to improve the security of our HPC systems, we have changed the authentication procedure on all login nodes to two-factor authentication (2FA) as of July 11, 2023. For all users, the Linux Cluster is only accessible with 2FA.
In order to use 2FA on the Linux Cluster, you need to configure it in advance! That procedure comprises two steps: registration of the token(s) at the LRZ SIM-MFA portal and configuration on your local device. A "token" is a piece of hardware or software that serves as a second factor in authentication. Tokens for 2-factor authentication must first be registered on the SIM-MFA web portal at LRZ before they can be used for authentication on an LRZ service. 2FA will not replace the conventional ssh method with password or public key. Rather, it will ask you for a second factor on top of the conventional login credentials. This documentation will guide you through these steps.

The introduction of two-factor authentication will have an impact on the procedure for accessing the Linux Cluster. Automatic (data transfer) workflows between your local computer and the login node may no longer work! Please Contact Us and report issues.

3. Problems? Questions? Contact Us Here!

If you have any questions or problems regarding 2FA on Linux Cluster login nodes, we kindly ask you to...

  • Check the FAQ section for possible solutions.
  • Contact us via Servicedesk. After logging in to the Selfservice portal, just choose "Incident: I have login problems" from the drop-down list and continue.

4. Step-by-Step Instruction of 2FA Configuration

4.1. Recommended Procedure

Software tokens on mobile devices are the most popular.

Please consider: The smartphone may be broken, you may lose it, or the 2FA app may no longer work and has to be reinstalled. Then, you have locked yourself out of LRZ services! That is, you are no longer able to log in to the Linux Cluster or to the LRZ SIM-MFA web portal to manage your tokens.

We strongly recommend creating multiple tokens! For example, create a software token on your mobile device and an additional recovery token as a fallback solution. Please read here for details!

4.2. Supported 2FA methods on the Linux Cluster

Numerous authentication methods are available. You may choose any token available in the SIM-MFA portal. However, please consider that we only offer support concerning configuration and usage for the following list of tokens!

Recommended Tokens for Login Procedures

TOTP token: An authenticator app on your mobile device continuously generates new Time-based One Time Passwords, which can be used as a second factor at ssh login to the Linux Cluster.


Hardware token YubiKey: This is an individually configured USB key for each user. When asked by the ssh login, touching this hardware token will provide the second factor. The login procedure completes.

This method requires the purchase of the hardware token YubiKey as well as some more advanced configuration steps.

LRZ does not provide YubiKeys! We recommend using this method if you cannot meet the requirements of the TOTP or PUSH method, for example because you have no mobile device.

Recommended Recovery Token

TAN list: The SIM-MFA portal will generate a list of 100 TANs which you need to download. We recommend printing it on a sheet of paper. You may use this list as a recovery token. Each TAN can only be used once!

Additional Token (limited support)

PUSH token: Your ssh login to the Linux Cluster triggers a notification sent to your mobile device. By accepting the notification the second factor will be sent back to the LRZ server and the login procedure completes automatically.

Due to dependency on third-party software (notification service), we provide limited support for this token!

4.3. Configuration of 2FA Method

  1. Regardless of the 2FA method chosen, you have to register/log in at the SIM-MFA web portal in order to create and configure 2FA tokens! Click here to log in to the SIM-MFA web portal.

    Please log in to the SIM-MFA portal with exactly the same user ID (account) that you will need to access the Linux Cluster, i. e. the user ID with Linux Cluster permission!

  2. According to our policy, the use of a second device (e. g. your mobile device, a YubiKey or a TAN list) for provision of the second factor is mandatory!

    Select one of the following methods to proceed with the configuration of the 2FA token of your choice in SIM-MFA portal as well as on your local device.

    Please carefully read the instructions and recommendations!

5. Login to the Linux Cluster

Step 1: Login via SSH

You may use SSH password authentication or SSH public-key authentication. All login rules via Secure Shell on LRZ HPC Systems still apply.
For public-key authentication, the ssh command needs to be adjusted by adding port 2222!
The following example shows lxlogin1. Please refer to the list of login nodes.

Login via password authentication

    $ ssh userID@lxlogin1.lrz.de        <-- Enter ssh command!
    Password:                           <-- Enter the password of your account here!

Login via public-key authentication

    $ ssh -p 2222 userID@lxlogin1.lrz.de    <-- Enter ssh command!

Step 2: Apply second factor

2FA Prompt

    Token_Response:    <-- Apply second factor here using the 2FA method you have chosen (TOTP, PUSH, YubiKey, TAN)!

TOTP

  1. Start the authenticator app on your mobile device.

  2. Enter the One-Time Password, displayed by the authenticator app, in the terminal.

NOTE

Timing is important! Please do not enter an OTP which is no longer valid!
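
Why timing matters for the OTP, shown as an added example that is not part of the LRZ documentation: a minimal RFC 6238 TOTP in Python that computes a code, how long it stays current, and whether a server would still accept it after the time step rolls over. It assumes the common authenticator defaults (HMAC-SHA1, 30-second step, 6 digits) and a hypothetical `drift_steps` tolerance; the page does not state the parameters the SIM-MFA portal uses.

```python
import hashlib
import hmac
import struct

# Assumed parameters: RFC 6238 defaults used by most authenticator apps.
# The page does not state the values the SIM-MFA portal issues.
STEP = 30      # seconds each OTP stays current
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the number of whole time steps since the epoch."""
    return hotp(secret, int(now) // step, digits)

def seconds_left(now: float, step: int = STEP) -> int:
    """Seconds until the currently displayed OTP is replaced by the next one."""
    return step - int(now) % step

def accepted(secret: bytes, otp: str, now: float, drift_steps: int = 0) -> bool:
    """Server-side check; drift_steps is a hypothetical clock-skew tolerance."""
    counter = int(now) // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), otp)
        for d in range(-drift_steps, drift_steps + 1)
    )

if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed: RFC 6238 test secret, not a real token
    shown_at = 59                     # code read one second before the step rolls over
    otp = totp(secret, shown_at)
    print(otp, "expires in", seconds_left(shown_at), "s")
    print("typed at t=59:", accepted(secret, otp, 59))
    print("typed at t=61:", accepted(secret, otp, 61))
    print("typed at t=61, one step tolerated:", accepted(secret, otp, 61, 1))
```

If the app shows only a second or two remaining, waiting for the next code avoids submitting one that has already expired by the time the server checks it.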

PUSH

  1. When asked for second factor on the terminal, you have to press <ENTER> in order to receive the push notification! Do not enter something else, e. g. the word "PUSH"!

  2. Start the authenticator app on your mobile device.

  3. Accept the push message.

YubiKey

  1. Connect the YubiKey to your computer and touch the button. The login procedure completes.

Done!

After logging in, you are in your HOME directory and can work on the Linux Cluster as usual.

6. Token Recovery Procedure

Problem Description

Once you have generated a token in the SIM-MFA web portal, you may only log in to the SIM-MFA portal with 2FA. Single-factor authentication is then no longer possible!

Typical use case:
You are generally using TOTP or PUSH but have lost this software token, e. g. by removing the authenticator app on your mobile device or losing the mobile device. Now, you can neither log in to the SIM-MFA web portal nor to the Linux Cluster!
You have locked yourself out!

Recommended Solution

We recommend creating a second token for recovery. You may use this token to log in to the SIM-MFA portal in order to delete invalid tokens or create new ones. We recommend using the TAN list printed on a sheet of paper as the recovery token. Simply use a TAN from the list to log in.

If you do not have a recovery option, but you have locked yourself out of the portal, then you need to Contact Us.

7. 2FA Glossary and FAQs

Please click here to open the glossary and the FAQs!