
Multi-Factor Authentication (MFA)

Introduction

NERSC is rolling out the option of Multi-Factor authentication (MFA) for NERSC users. After having some selected users test our early implementation last year, we are now entering the "Opt-in" phase after NERSC has implemented MFA in the production systems. Users can freely choose to enable MFA or decide to opt out and use the existing way of authentication via password or ssh keys. Part of this process involves some evaluation/testing by users, to help us identify potential problems and debug our documentation. We appreciate your input. 

About the Implementation

The MFA implementation we have chosen is through LinOTP, a Linux-based solution for multi-factor authentication, and Google Authenticator, an application available for download from Google for mobile phones and devices. Using a time-based one-time password algorithm (TOTP), the authenticator presents a unique one-time password (OTP) that changes every 30 seconds, and each password can only be used for one login. When you log in to an MFA-enabled system, you will enter your NIM password followed by the OTP digits displayed on your Google Authenticator app.


Status of MFA on User Systems

Currently, MFA is available on Cori, Edison, Genepool, Denovo and PDSF as well as the Data Transfer Nodes, all of which can be accessed through SSH. Users who have opted in to MFA can ssh to the NERSC machines with MFA. We will expand our support to NX, web services and GSI (Grid Security Infrastructure) based tools in the future.

Systems / Services                                                          MFA Status
Cori                                                                        Available
Edison                                                                      Available
Denovo                                                                      Available
PDSF                                                                        Available
Genepool                                                                    Available
Data Transfer Nodes                                                         Available
gpweb                                                                       Available (ssh only)
gpdb                                                                        Available (ssh only)
NX                                                                          TBD
NX cloud (https://nxcloud01.nersc.gov)                                      TBD
RStudio (https://rstudio.nersc.gov)                                         TBD
JupyterHubs (https://jupyter.nersc.gov and https://jupyter-dev.nersc.gov)   TBD
My NERSC (https://my.nersc.gov)                                             TBD
NERSC Shifter registry (https://registry.services.nersc.gov/)               TBD
NERSC Spin registry (https://registry.spin.nersc.gov/)                      TBD
On-line Help Desk (Service-Now; https://help.nersc.gov)                     TBD

How to Participate

NERSC's goal for this test is to identify any difficulties encountered in 1) setting up MFA software or 2) accessing NERSC via MFA. Our intent is to provide MFA features that our users find simple and familiar and that don't require training. We are asking users to try this implementation and to ask for help if you get stuck.

You will first have to install and provision your MFA software on your mobile device. If you're not familiar with this software you can learn more about it here or here. Below you'll find instructions on how to install and use Google Authenticator at NERSC.

More detailed login examples follow below

Registering and Using an MFA Token

The steps for registering your token are:

  • Install Google Authenticator on your smart phone or tablet
  • Enable MFA in your NIM account
  • Initialize your One Time Password via the LinOTP server
  • Initialize OTP on Google Authenticator

 

Installing Google Authenticator

Install the Google Authenticator app on your smartphone or tablet.

 

Enabling MFA in NIM

First, you need to select 'MFA Opt In' in your NIM account. Login to your NIM account using your login ID and NIM password at

  https://nim.nersc.gov

Note that, even after you have opted in, you should use the NIM password only (that is, with no Google Authenticator OTP) to log in to your NIM account.

Select 'MFA Opt In/Out' under the Actions pull-down menu:

[Screenshot: NIM Actions pull-down menu with 'MFA Opt In/Out']

Select 'Enabled' and click the 'Save All Rows' button.

[Screenshot: MFA Opt In/Out page with 'Enabled' selected and the 'Save All Rows' button]

Clicking the 'Contact Information' link above, you will see that the Contact Info page correctly indicates that MFA has been enabled:

[Screenshot: NIM Contact Info page showing MFA enabled]

 

 

Enrolling TOTP Token

In this step you will connect your mobile device to your NIM account. To do that, go back to the previous page (MFA Opt In/Out). Click the 'Enter and manage MFA Tokens' button. It will display the content of the 'MFA Tokens' tab:

[Screenshot: NIM 'MFA Tokens' tab]

To add a new token, click on the 'Add Token' button. Then, it will show your NERSC account name in the 'Select User' field. You can add a descriptive text in the 'Enter Token Description'.

[Screenshot: 'Add Token' form with the description "my phone"]

In the above example ("my phone"), the user is trying to generate a token that will be used with the Google Authenticator on a phone. If you have more than one token from different devices, you can add a proper description for each token for your reference.

Click the 'Submit' button. Then, the webpage will display a token and a QR code that is to be scanned into your device. Note the token ID (TOTP22856A68 in the following example).

[Screenshot: newly created token TOTP22856A68 with its QR code]

Start up Google's "Authenticator" app on your device and click the red (+) button at the bottom right (on an Android phone), then "Scan a barcode".

[Screenshot: Google Authenticator 'Scan a barcode' option]

If necessary, allow the app to access your camera, and point the camera at the QR code.  It should register automatically and then show the new token in your list. Your phone is now connected to your NIM account for MFA logins. 

NOTE: On Apple devices look for the "+" sign at the top right of the app.

When you add the token on your device, the token name, in the form of NERSC-nersc_login_id-token_id (NERSC-wyang-TOTP22856A68 in the above example), appears in the far left side under the token list on your device.

To test if the new token is set correctly, click on the token in NIM. This will show detailed information about the token along with the 'Test' and 'Delete' buttons. Click on the 'Test' button, and you will see the following:

[Screenshot: NIM token test page with the 'Enter One-Time-Password' field]

Enter the one-time password generated by Google Authenticator in the 'Enter One-Time-Password' field. Then, click on the 'Test Now' button. If everything is set up successfully, the NIM page will show 'Success':

[Screenshot: NIM token test result showing 'Success']

 

Multiple Tokens

If you have more than one mobile device, you can create multiple tokens, each to be used with a different device. For example, you can have one for each phone and also for a tablet, as shown below:

[Screenshot: NIM 'MFA Tokens' tab listing one token per device]

When you login to NERSC resources, you can use any token for authentication.

 

Checking and Managing Tokens

You can view all the tokens you have created from the 'MFA Tokens' tab in NIM.

 

Deleting a Token

If you don't need a token any more, you can delete it. Select the token in NIM that you want to remove and press the 'Delete' button.

If you want to delete all tokens, then click the 'Delete All' button under the MFA Tokens tab.

 

Login to NERSC Machines

When you try to log in with ssh to a NERSC machine, you will be prompted for "Password + OTP":

$ ssh cori.nersc.gov
 *****************************************************************
 *                                                               *
 *                      NOTICE TO USERS                          *
 *                      ---------------                          *
...
Password + OTP: 

Start Google Authenticator and read the 6-digit code corresponding to the token generated for your device (for example, 'NERSC-wyang-TOTP22856A68' in the previous snapshot):

[Screenshot: Google Authenticator showing the 6-digit code for NERSC-wyang-TOTP22856A68]

Enter your NIM password immediately followed by the 6-digit Google Authenticator OTP, all on one line at the "Password + OTP: " prompt. For example, if your NIM password is “iL0ve_Burrit0$” and your app shows "015 691", as displayed in the screenshot, you must type “iL0ve_Burrit0$015691” (don't type the space shown in the app).
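The TOTP mechanism described under "About the Implementation" and the one-word "Password + OTP" entry above, as an added example (not NERSC's, LinOTP's or Google's code): RFC 6238 TOTP as Google Authenticator computes it, the prompt-string split, and a server-side check that accepts each OTP only once. The secret value, the function names and the TotpVerifier class are constructed for illustration; checking the password half against NIM is outside the example.

```python
# Added example (not NERSC's or LinOTP's code): RFC 6238 TOTP as Google
# Authenticator computes it (HMAC-SHA1, 30-second step, 6 digits), plus the
# server-side handling this page describes: splitting the one-word
# "Password + OTP" input and accepting each OTP only once.
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


def split_password_otp(typed: str):
    """Split 'NIM password immediately followed by the 6 OTP digits' as typed
    at the "Password + OTP:" prompt. Returns None if no OTP is present."""
    if len(typed) <= DIGITS or not typed[-DIGITS:].isdigit():
        return None
    return typed[:-DIGITS], typed[-DIGITS:]


class TotpVerifier:
    """Server side (hypothetical): checks a code against the shared secret and
    remembers the last accepted time step so a captured OTP cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window      # tolerate one step of clock drift each way
        self.last_step = -1       # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        step = unix_time // STEP_SECONDS
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step:
                continue          # already used (or older): reject replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False
```

The secret "12345678901234567890" is the RFC 6238 test-vector key, so the codes can be checked against the RFC's own table.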

After you log in, you can build your code, submit batch jobs, debug your code, etc. as you would normally do on any login node.

You can transfer a file to or from a NERSC machine with scp, too:

$ scp myfile edison.nersc.gov:~/
 *****************************************************************
 *                                                               *
 *                      NOTICE TO USERS                          *
 *                      ---------------                          *
...
Password + OTP:

Enter your NIM password followed by the Google Authenticator code, concatenated as a single word.

 

Host Based Authentication

Once you have logged in to a NERSC machine successfully, you can ssh to another NERSC host from there. This time, host-based authentication among NERSC hosts kicks in, which lets you log in to the other host without further authentication, as shown below:

$ ssh cori.nersc.gov
 *****************************************************************
 *                                                               *
 *                      NOTICE TO USERS                          *
 *                      ---------------                          *
...
Password + OTP:
$ nersc_host        # You're on Cori
cori
$ ssh edison
 *****************************************************************
 *                                                               *
 *                      NOTICE TO USERS                          *
 *                      ---------------                          *
...
$ nersc_host        # You're now on Edison
edison

 

SSH Control Master

Unlike passphraseless ssh with ssh-agent, MFA requires users to authenticate for each ssh connection, which takes more time. We are currently working to provide a single sign-on capability, which will allow users to authenticate via MFA just once for all subsequent connections to NERSC hosts and services.

Until then, a viable temporary solution is SSH's Control Master feature, also called SSH multiplexing: establish an ssh connection to a host through the normal authentication method (the "master connection"), and then piggyback subsequent ssh connections on it with no further authentication ("client connections" or "slave connections").

To use this feature, you need to set the ssh Control Master option in the ssh configuration on your local desktop/laptop. In a Linux-like platform, you can set the following in ~/.ssh/config:

$ cat ~/.ssh/config
Host cori.nersc.gov edison.nersc.gov
ControlMaster auto
ControlPath ~/.ssh/%r@%h:%p
<...Other configurations you may have...>

...

The above example enables Control Master for two hosts, cori.nersc.gov and edison.nersc.gov (you can customize the list), and sets the name of the socket file that is created when the master connection is opened and is then used by the client connections. The socket file is created in the ~/.ssh directory on the local machine, with the name %r@%h:%p expanding to your_nersc_login_id@nersc_host_address:port_number. Please read the ssh_config man page for other configuration possibilities.

With this setting, you connect to a NERSC host from one terminal window on your desktop/laptop:

$ ssh cori.nersc.gov
 *****************************************************************
 *                                                               *
 *                      NOTICE TO USERS                          *
 *                      ---------------                          *
...
Password + OTP: 
$

You can see that a socket file was indeed created on your local machine:

$ ls -l ~/.ssh
...
srw-------  1 wyang  wyang      0 Jan 11 20:26 wyang@cori.nersc.gov:22=
...

Then, run the ssh command from another terminal window for another ssh connection. This time, you will not be asked to authenticate.

$ ssh cori.nersc.gov                # no authentication required
...[MOTD messages]...
$ 

You can open yet another ssh or scp connection from another terminal window:

$ scp myfile cori.nersc.gov:~/      # no authentication required
myfile                                        100%  229    57.1KB/s   00:00 
$ 

Keep in mind that, to use a client ssh connection, you have to keep the master connection open. If the initial connection is terminated, all the other connections will be closed. This behavior can be overridden by setting ControlPersist to a value in ~/.ssh/config: 'yes' or '0' keeps the master connection in the background indefinitely, and a time value such as '2h' keeps it for the specified time. Also, since multiple ssh sessions share one TCP connection, a large data transfer in one session will impact the others and therefore should be avoided if possible.

For more information on the Control Master feature, please read the ssh_config man page.
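An added example (not NERSC's code) for the Control Master setup above: it generates the config stanza with ControlPersist added and audits the socket files it creates, because any process that can connect to such a socket gets a NERSC session with no password and no OTP, so the socket must stay owner-only. The function names and the demo() scenario are constructed for illustration.

```python
# Added example (not NERSC's code): generate the Control Master stanza this
# page describes and audit the multiplexing sockets it creates. A client
# connection through the socket needs no password and no OTP, so the socket
# is effectively a bearer credential and must be reachable only by its owner.
import os
import socket
import stat
import tempfile
from pathlib import Path


def control_master_block(hosts, control_dir="~/.ssh", persist="2h"):
    """~/.ssh/config stanza: ControlMaster/ControlPath as on this page, plus
    ControlPersist so the master outlives the terminal that opened it."""
    return "\n".join([
        "Host " + " ".join(hosts),
        "    ControlMaster auto",
        f"    ControlPath {control_dir}/%r@%h:%p",
        f"    ControlPersist {persist}",
    ]) + "\n"


def audit_control_sockets(control_dir):
    """Map each socket name in control_dir to True when only its owner can
    reach it (no group/other bits on the socket or the directory, and the
    socket owned by the current user), else False."""
    d = Path(control_dir)
    dir_private = (stat.S_IMODE(d.stat().st_mode) & 0o077) == 0
    findings = {}
    for entry in d.iterdir():
        st = entry.lstat()
        if not stat.S_ISSOCK(st.st_mode):
            continue
        sock_private = (stat.S_IMODE(st.st_mode) & 0o077) == 0
        owned = st.st_uid == os.getuid()
        findings[entry.name] = dir_private and sock_private and owned
    return findings


def demo():
    """Constructed scenario (not a real NERSC session): one socket in a
    scratch directory, audited first owner-only, then world-accessible."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o700)
    path = os.path.join(d, "user@cori.nersc.gov:22")
    s = socket.socket(socket.AF_UNIX)
    s.bind(path)                  # creates the socket node like ssh does
    os.chmod(path, 0o600)
    before = audit_control_sockets(d)
    os.chmod(path, 0o666)         # the mistake the audit must catch
    after = audit_control_sockets(d)
    s.close()
    return before, after
```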

If your local desktop or laptop is a Windows machine and you use PuTTY as an ssh client, mark the 'Share SSH connections if possible' checkbox in the SSH Connections options section (Connection → SSH from the Category frame on the left).

[Screenshot: PuTTY Connection → SSH options with 'Share SSH connections if possible' checked]

Coming in September, 2018

We are rolling out several new technologies which will make MFA easier to use and provide support for automated workflows.  For example, you will be able to authenticate using MFA just once per day, instead of every time you login.

SSH proxy certificate for accessing computational systems

sshProxy is a NERSC-developed solution that provides single sign-on ssh capability and enables automated workflows. With sshProxy, you can obtain an ssh key (using MFA) that you can use for a limited amount of time (default of 24 hours). You can use the key to access NERSC systems (e.g., Cori, Edison, Genepool, ...) via ssh without further authentication. Options will be available to request keys with longer lifetimes if you have a specific need.

MFA for MyProxy

The MyProxy utility for obtaining a short-lived Grid certificate from NERSC CA (Certificate Authority) in order to use Grid tools will support MFA authentication. This will increase security for MyProxy authentication.

MFA support in Shibboleth for web-based services

Similar single sign-on capability for accessing various NERSC web-based services (NIM, MyNERSC, Science Gateways, etc.) will be possible via Shibboleth technology, and MFA will be supported in authentication there. No further authentication is required for any Shibbolized sites for the next 24 hours.

MFA will be enforced for logging into a NIM account at https://www.nim.nersc.gov.

HPSS tokens

A token will be generated with MFA and can be used for accessing HPSS systems.

Other services

  • MFA will be enabled for Jupyter and Jupyter-dev.
  • NX will support MFA.

Questions, Comments, ...

If you have any questions, problems or comments, please contact consult@nersc.gov or nersc-mfa-implementation@lists.lbl.gov.