Two-Factor Authentication on the Linux Cluster
1. Status
Two-Factor Authentication is enabled on all Linux Cluster login nodes!
2. Overview
In view of increasing security risks, we are forced to strengthen the security measures. In order to improve the security of our HPC systems, we have changed the authentication procedure on all login nodes to two-factor authentication (2FA) as of July 11, 2023. For all users the Linux Cluster is only accessible with 2FA.
In order to use 2FA on the Linux Cluster, you need to configure it in advance! That procedure comprises two steps: registration of the token(s) at the LRZ SIM-MFA portal and configuration on your local device. A "token" is a piece of hardware or software that serves as a second factor in authentication. Tokens for 2-factor authentication must first be registered on the SIM-MFA web portal at LRZ before they can be used for authentication on an LRZ service. 2FA will not replace the conventional ssh method with password or public key. Rather, it will ask you for a second factor on top of the conventional login credentials. This documentation will guide you through these steps.
The introduction of two-factor authentication will have an impact on the procedure of accessing the Linux Cluster. Automatic (data transfer) workflows between your local computer and the login node may no longer work! Please Contact Us and report issues.
3. Problems? Questions? Contact Us Here!
If you have any questions or problems regarding 2FA on login nodes, we kindly ask you to...
- Check the FAQ section for possible solutions.
- Contact us via Servicedesk.
| I am a Linux Cluster user | I am HPDA (DLR TERRABYTE) user |
|---|---|
| Click here to open a ticket at LRZ Servicedesk! (then choose "Incident: I have login problems") | Click here to open a ticket at DLR Terrabyte Servicedesk! |
4. Step-by-Step Instruction of 2FA Configuration
4.1. Recommended Procedure
Software tokens on mobile devices are most popular.
Please consider: The smartphone may break, you may lose it, or the 2FA app may no longer work and have to be reinstalled. Then, you have locked yourself out of LRZ services! That is, you are no longer able to log in to the Linux Cluster or to the LRZ SIM-MFA web portal to manage your tokens.
We strongly recommend creating multiple tokens! For example, create a software token on your mobile device and an additional recovery token as a fallback solution. Please read here for details!
4.2. Supported 2FA methods on the Linux Cluster
4.3. Configuration of 2FA Method
- Regardless of the 2FA method chosen, you have to register/login in the SIM-MFA web portal in order to create and configure 2FA tokens! Click here to login to the SIM-MFA web portal.
  Please log in to the SIM-MFA portal with exactly the same user ID (account) that you will need to access the Linux Cluster, i.e. the user ID with Linux Cluster permission!
  Do you have multiple user IDs? Then, you must configure 2FA for each user ID separately!
- According to our policy, the use of a second device (e.g. your mobile device, a Yubikey or a TAN list) for provision of the second factor is mandatory!
Select one of the following methods to proceed with the configuration of the 2FA token of your choice in SIM-MFA portal as well as on your local device.
Please carefully read the instructions and recommendations!
5. Login to the Linux Cluster
Step 1: Login via SSH
You may use SSH password authentication or SSH public-key authentication. All login rules via Secure Shell on LRZ HPC Systems still apply.

Login via password authentication
$ ssh userID@lxlogin1.lrz.de             <-- Enter ssh command!
Password:                                <-- Enter the password of your account here!

Login via public-key authentication
$ ssh -p 2222 userID@lxlogin1.lrz.de     <-- Enter ssh command!

Step 2: Apply second factor
2FA Prompt
Token_Response:                          <-- Apply second factor here using the 2FA method you have chosen (TOTP, PUSH, YubiKey, TAN)!

NOTE: Timing is important! Please do not enter an OTP which is no longer valid!

Done! After logging in, you are in your HOME directory and can work on the Linux Cluster as usual.
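
Why timing matters for the TOTP method in Step 2, shown as an added example that is not part of the LRZ documentation or LRZ's own code. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits), which this page does not state; the secret is the RFC test key, and `drift_steps` is a hypothetical server tolerance.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumed time step in seconds (RFC 6238 default, not from this page)
DIGITS = 6   # assumed code length (not from this page)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP computed over the time-step counter."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def seconds_left(unix_time: int) -> int:
    """Seconds until the code shown at unix_time is replaced by the next one."""
    return STEP - unix_time % STEP


def verify(secret: bytes, code: str, unix_time: int, drift_steps: int = 0) -> bool:
    """Server-side check; drift_steps is a hypothetical tolerance in time steps."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + d * STEP)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test key, constructed input
    shown_at = 59                     # the app displays the code at t=59
    code = totp(secret, shown_at)
    print(code, "is valid for", seconds_left(shown_at), "more second(s)")
    print("typed at t=59:", verify(secret, code, 59))
    print("typed at t=61:", verify(secret, code, 61))
    print("typed at t=61 with one step of tolerance:", verify(secret, code, 61, 1))
```

A code read near the end of its window can expire while it is being typed, so waiting for the app to show the next code before answering the Token_Response prompt avoids a rejected login.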