NERSC Multi-Factor Authentication It's easy! Abe Singer



SLIDE 1

NERSC Multi-Factor Authentication

It's easy!

Abe Singer

2018-11-01

SLIDE 2

MFA in Brief

  • MFA will be required starting with new allocation year
  • MFA == Password + One Time Password (OTP)
      ○ Protects your account against password theft/guessing
  • No special hardware required, uses (free) phone/tablet app
  • Configure with NIM in just a few minutes
  • semi single sign-on (SSO) across NERSC
      ○ sshproxy: SSO for ssh
      ○ Shibboleth and NEWT: SSO for websites
  • Supported across virtually all of NERSC
      ○ Coming soon: myProxy, HPSS tokens, Jupyter, NX

SLIDE 3

Using MFA

SLIDE 4

Google Authenticator

  • OTP, changes every 30 seconds
  • Serial Number (identifier)
  • Time remaining

SLIDE 5

Using MFA: ssh

    DOE6748468:~ abe$ ssh cori.nersc.gov
    *****************************************************************
    *                                                               *
    *                        NOTICE TO USERS                        *
    *                        ---------------                        *
    Password + OTP: NIM.password157712
    Last login: Wed Oct 31 21:02:26 2018 from 71.143.193.229
    ---------------------------- Contact Information ----------------
    abe@cori07:~>

SLIDE 6

sshproxy

  • Entering OTP every time isn't very friendly with scripts/workflows
  • sshproxy
      ○ Service developed by NERSC
      ○ You use MFA to obtain an ssh key that expires after 24 hours
          ■ MFA once, run everywhere (at NERSC)
          ■ Use sshproxy again when key expires
      ○ Leverages ssh certificates

NERSC-supplied bash client script does all the work

SLIDE 7

Using MFA: sshproxy

    abe$ sshproxy.sh
    Enter your password+OTP: NIM.password157712
    Successfully obtained ssh key /Users/abe/.ssh/nersc
    Key is valid: from 2018-11-01T04:36:00 to 2018-11-02T04:37:51
    abe$ ls ~/.ssh
    config          id_rsa.pub      nersc           nersc.pub
    id_rsa          known_hosts     nersc-cert.pub
    abe$ ssh -i ~/.ssh/nersc cori.nersc.gov
    *****************************************************************
    *                                                               *
    *                        NOTICE TO USERS                        *
    abe@cori07:~>
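
For the scripts/workflows case on the sshproxy slides, a wrapper can read the certificate's validity window and ask for password+OTP again only once the 24-hour key has lapsed. This is an added example, not NERSC's client script; it assumes the certificate is at ~/.ssh/nersc-cert.pub as in the listing above and that sshproxy.sh is on PATH, and the sample `ssh-keygen -L` text is constructed.

```shell
#!/bin/sh
# Added example, not NERSC's sshproxy.sh: decide whether the short-lived
# certificate obtained through sshproxy is still inside its validity window.

# Constructed sample of `ssh-keygen -L` output. The Valid: line reuses the
# window printed on the slide; the other field values are placeholders.
SAMPLE_CERT_INFO='/Users/abe/.ssh/nersc-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Key ID: "constructed-example"
        Valid: from 2018-11-01T04:36:00 to 2018-11-02T04:37:51
        Principals:
                abe'

# Print "<valid_after> <valid_before>" reduced to digits
# (2018-11-02T04:37:51 -> 20181102043751) so they compare as integers.
cert_window() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Valid: from \([0-9T:-]*\) to \([0-9T:-]*\)[[:space:]]*$/\1 \2/p' |
        head -n 1 | tr -d 'T:-'
}

# cert_is_usable CERT_INFO NOW
#   NOW is local time as YYYY-MM-DDTHH:MM:SS (ssh-keygen -L prints local time).
#   Returns 0 inside the window, 1 if expired or not yet valid, and 2 if no
#   bounded window could be read (fail closed: the caller should renew).
cert_is_usable() {
    window=$(cert_window "$1")
    after=${window% *}
    before=${window#* }
    now=$(printf '%s' "$2" | tr -d 'T:-')
    for field in "$after" "$before" "$now"; do
        case $field in '' | *[!0-9]*) return 2 ;; esac
    done
    [ "$now" -ge "$after" ] && [ "$now" -lt "$before" ] && return 0
    return 1
}

# Workflow hook (assumptions: certificate path as in the slide's ~/.ssh
# listing, sshproxy.sh on PATH). Prompts for password+OTP only when needed.
renew_if_needed() {
    info=$(ssh-keygen -L -f "$HOME/.ssh/nersc-cert.pub" 2>/dev/null) || info=''
    cert_is_usable "$info" "$(date +%Y-%m-%dT%H:%M:%S)" || sshproxy.sh
}
```

Call renew_if_needed at the top of a workflow script, before the first ssh or scp to a NERSC host.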

SLIDE 8

Using MFA: ssh config (less typing)

~/.ssh/config

    Host cori cori.nersc.gov
        Hostname cori.nersc.gov
        IdentityFile ~/.ssh/nersc

SLIDE 9

Using MFA: Shibboleth

SLIDE 10

SLIDE 11

Enabling MFA

SLIDE 12

Enabling MFA

SLIDE 13

Enabling MFA (cont.)

SLIDE 14

Creating a "token"

SLIDE 15

Creating a token (cont.)

SLIDE 16

Creating a token (cont.)

SLIDE 17

Creating a token (cont.)

SLIDE 18

Creating a token (cont.)

SLIDE 19

Creating a token (cont.)

SLIDE 20

Additional details

  • sshproxy keys >24 hours with justification and authorization
  • Desktop app ("authy") for the smartphone-less
  • "Backup" OTP passwords for when you leave your mobile at home
  • Token "reset" for when you lose/replace your device(s)
  • Hardware token (yubikey) supported
      ○ You have to purchase (~$40) and configure
      ○ Requires desktop software
      ○ Kindle Fire is only slightly more ($50)
          ■ And you can play games on it too!
  • Exceptions to MFA available if necessary
      ○ Tell us why MFA can't work for you

SLIDE 21

Any Questions?

  • https://www.nersc.gov/users/connecting-to-nersc/mfa/
      ○ Or google "NERSC MFA"
  • Any questions?

SLIDE 22

Thank You