Two Factor Authentication (Duo)

1. Introduction

You must either be on the campus network or connected to the UCI campus VPN to access HPC3.

HPC3 is transitioning to two-factor authentication based on UCI’s DUO implementation for password-based logins. Users must already use DUO for most web-based applications and for VPN access.

While second-factor authentication improves security, the SSH protocol was never designed for third-party authentication. This means that ssh behaves differently from a web-based application. A web application that has been secured with DUO redirects you to another web page where you choose how you want to validate your DUO token (app response on your phone vs. entering a code). SSH servers have no such inherent capability.

Furthermore, SSH supports, and HPC3 allows, key-based authentication. Because of the way DUO is implemented by the vendor, key-based authentication never requires a second factor.

Because of these limitations, we describe three different scenarios for authenticating to HPC3:

  • Scenario 1: Password authentication with automated DUO push on your phone

  • Scenario 2: Key-based SSH authentication that never invokes DUO

  • Scenario 3: Password authentication with prompt for DUO push vs. numeric code for DUO authentication

All examples below assume that you have already properly enrolled and activated your DUO account with UCI. Remember to keep your backup codes in a safe place.

Once you have logged in to the cluster, there is no ssh access to the compute nodes. See the SLURM tutorial, which explains how to use slurm commands to achieve the same.

2. Password authentication with automated DUO push

This is the most common mode for DUO authentication, but it requires your phone to have internet access to receive the push notification from DUO and to send your approval/denial back to DUO’s servers. You access HPC3 via your favorite SSH (SCP, SFTP) client from your laptop and then respond to the DUO app on your phone.

In this scenario HPC3 does not prompt you for DUO authentication. Instead the only DUO notification is on your phone.

Step 1 From your laptop open ssh access to hpc3.rcic.uci.edu

To use ssh, you need a terminal application. Depending on your laptop, it can be one of:

  • Linux: use your favorite Terminal application

  • Mac: Terminal or iTerm2

  • Windows: PuTTY or MobaXterm

  • Windows 10: Windows Terminal, Linux Subsystem for Windows or MobaXterm

Step 2 Enter your UCnetID password

Step 3 Press "Approve" on your DUO app when prompted

3. Key-based SSH authentication

If you choose to use key-based authentication for your login, you have additional responsibilities:

  • You must always protect your SSH keys with a password (passphrase). Use ssh-agent so that you do not have to keep re-entering that password.

  • Ensure that the private SSH key is only on a single device (usually your laptop).

3.1. Connect

SSH is the only way to directly log in to HPC3 for interactive use. Use your UCINetID and associated password to connect to an HPC3 login node at hpc3.rcic.uci.edu (the login nodes are several load-balanced systems).

Your login name can be specified as either user@hostname or given with the -l option. For example, a user with UCINetID panteater can use:

ssh panteater@hpc3.rcic.uci.edu
or
ssh hpc3.rcic.uci.edu -l panteater

3.2. Connect with XForwarding

If you want X-windows graphics to be forwarded through your ssh connection, use the -Y or -X option of ssh:

ssh -X panteater@hpc3.rcic.uci.edu
or
ssh -X hpc3.rcic.uci.edu -l panteater
Mac users must have XQuartz (standard application) installed in order to use XForwarding.

3.3. Troubleshooting

There are many online guides for ssh:

  • https://www.ssh.com

  • troubleshoot ssh problems

  • set up authorized_keys

  • use ssh-agent

Please see the HPC3 reference guide for information on submitting jobs, using environment modules, submitting support tickets and more.