
Two Factor Authentication (Duo)
1. Introduction
You must either be on the campus network or connected to the UCI campus VPN to access HPC3.
HPC3 is transitioning to two-factor authentication based on UCI’s DUO implementation for password-based logins. Users must already use DUO for most web-based applications and for VPN access.
While security is improved with second-factor authentication, the SSH protocol was never designed for 3rd-party authentication. This means that ssh behaves differently from a web-based application. A web application that has been secured with DUO redirects you to another web page where you choose how you want to validate your DUO token (app response on your phone vs. entering a code). SSH servers have no such inherent capability.
Furthermore, SSH supports and HPC3 allows key-based authentication. Because of the way DUO is implemented by the vendor, key-based authentication never requires a second factor.
Because of these limitations, we describe three different scenarios for authenticating to HPC3:
Scenario 1: | Scenario 2: | Scenario 3: |
---|---|---|
Password authentication with automated DUO push on your phone | Key-based SSH authentication that never invokes DUO | Password authentication with prompt for DUO push vs. numeric code for DUO authentication |
All examples below assume that you have already properly enrolled and activated your DUO account with UCI. Remember to keep your backup codes in a safe place.
Once you have logged in on the cluster, there is no ssh connection to the compute nodes. See the SLURM tutorial, which explains how to use Slurm commands to achieve the same.
2. Password authentication with automated DUO push
This is the most common mode for DUO authentication, but it requires your phone to have internet access to receive the push notification from DUO and to send your approval/denial back to DUO’s servers. You access HPC3 via your favorite SSH (SCP, SFTP) client from your laptop and then respond to the DUO app on your phone.
In this scenario, HPC3 does not prompt you for DUO authentication. Instead, the only DUO notification is on your phone.
Step 1 From your laptop open ssh access to hpc3.rcic.uci.edu
To use ssh, you need a terminal application. Depending on your laptop, the options are:
Linux | use your favorite Terminal application |
Mac | Terminal or iTerm2 |
Windows | |
Windows 10 | Windows Terminal, Linux Subsystem for Windows or MobaXterm |
Step 2 Enter your UCnetID password
Step 3 Press "Approve" on your DUO app when prompted
3. Key-based SSH authentication
If you choose to use key-based authentication for your login, you have additional responsibilities:
- You must always use ssh-keys with passwords. Use ssh-agent as a convenient way for you to not keep re-entering your password.
- Ensure that the private SSH key is only on a single device (usually your laptop).
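One way to check the first responsibility, as an added example that is not part of the original HPC3 guide: a shell function that reads only the header of each private key file and reports whether it is passphrase-protected. The function names `key_status` and `audit_keys` are hypothetical, and the check assumes keys stored in the OpenSSH or PEM text formats.

```sh
#!/bin/sh
# Added example: report which SSH private keys lack a passphrase by reading
# the key file header only. No passphrase is tried and no key material is used.

# Base64 of "openssh-key-v1\0" plus the cipher name "none": every unencrypted
# key in the current OpenSSH format starts its body with this string.
OPENSSH_PLAIN_PREFIX='b3BlbnNzaC1rZXktdjEAAAAABG5vbmU'

# key_status FILE (hypothetical helper)
# Prints: protected | unprotected | not-a-private-key
key_status() {
    keyfile=$1
    first=$(sed -n '1p' "$keyfile" 2>/dev/null | tr -d '\r')
    case $first in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            body=$(sed -n '2p' "$keyfile" | tr -d '\r')
            case $body in
                "$OPENSSH_PLAIN_PREFIX"*) echo unprotected ;;
                *) echo protected ;;
            esac ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            echo protected ;;                      # encrypted PKCS#8
        '-----BEGIN '*'PRIVATE KEY-----')
            # Legacy PEM keys flag encryption in a Proc-Type header line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
                echo protected
            else
                echo unprotected
            fi ;;
        *) echo not-a-private-key ;;
    esac
}

# audit_keys DIR (hypothetical helper)
# Lists each private key in DIR with its status; returns 1 if any is unprotected.
audit_keys() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(key_status "$f")
        if [ "$status" = not-a-private-key ]; then continue; fi
        printf '%s\t%s\n' "$status" "$f"
        if [ "$status" = unprotected ]; then rc=1; fi
    done
    return "$rc"
}
```

Run `audit_keys "$HOME/.ssh"` on your laptop; a key reported as `unprotected` can be given a passphrase with `ssh-keygen -p -f <keyfile>` and then loaded once per session with `ssh-add`.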
3.1. Connect
SSH is the only way to directly log in to HPC3 for interactive use. Use your UCINetID and associated password to connect to an HPC3 login node at hpc3.rcic.uci.edu (the login nodes are several load-balanced systems).
Your login name can be specified as either user@hostname or given with the -l option, for example a user with UCINetID panteater can use:
ssh panteater@hpc3.rcic.uci.edu or ssh hpc3.rcic.uci.edu -l panteater
3.2. Connect with XForwarding
If you want X-windows graphics to be forwarded through your ssh connection, then you should use the -Y or -X options to your ssh:
ssh -X panteater@hpc3.rcic.uci.edu or ssh -X hpc3.rcic.uci.edu -l panteater
Mac users must have XQuartz (standard application) installed in order to use XForwarding.
3.3. Troubleshooting
There are many online guides for ssh:
Please see the HPC3 reference guide for information on submitting jobs, using environment modules, submitting support tickets and more.
4. Quick Links
Please see guides below that provide more information and explain how to get help and how to use HPC3: