...

Firstly, you will be asked to provide a code that you received by email. After this validation step, you will need to scan a QR code with your mobile phone using an application such as Google Authenticator. Lastly, you will need to enter the OTP from the authenticator application to complete the registration of your device. From then on, two-factor authentication will be required to access CSCS services and systems. A more detailed explanation of the registration process is provided in the next section.

Note

You will not be able to log in to CSCS systems using SSH without registering your device and creating certified SSH keys. See below for details on generating certified SSH keys.

...

Authenticator application

...

e. Set up the keys on your local machine:

mv /download/location/cscs-key-cert.pub ~/.ssh/cscs-key-cert.pub
mv /download/location/cscs-key ~/.ssh/cscs-key 
chmod 0600 ~/.ssh/cscs-key

...

(Option-2) Using SSHService Command-line

...

b. Execute either the Bash script or Python script as shown below:

Bash version:

./sshservice-cli/cscs-keygen.sh

Python version:

python -m venv mfa
cd mfa
source bin/activate
git clone https://github.com/eth-cscs/sshservice-cli
cd sshservice-cli
pip install -r requirements.txt
python cscs-keygen.py

...

The Python setup above is a one-off step. From then on, use the commands below to generate and download the keys:

source mfa/bin/activate
cd mfa/sshservice-cli
python cscs-keygen.py

...

c. Follow the interactive script and download the key pair by providing the authentication information (username, password, OTP). Please note the script generates the key pair inside the .ssh directory of your local home folder:

...

Please follow the options below on Linux or macOS:

i. Optional but recommended: set up a passphrase on the private key using the following,

...

ii. Add the key to the SSH agent (make sure the SSH agent is up and running, or else execute "eval $(ssh-agent)"):

ssh-add -t 1d ~/.ssh/cscs-key

...

3. If you see the message "Could not open a connection to your authentication agent" while adding the keys to your agent, please make sure the agent is up, and if not, bring up the agent using the following command:

eval $(ssh-agent)

The validity of the key can be checked with the command:

ssh-keygen -L -f ~/.ssh/cscs-key-cert.pub
Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:pF3znTpw2EyGkjeCLnhXqGjf0Ar0RXcomyVN+kxmZmI
        Signing CA: ED25519 SHA256:BwybyU6cNJBS7AX6BdwgJV2emGDV4lkKY4413WRGboY (using ssh-ed25519)
        Key ID: "username"
        Serial: 0
        Valid: from 2021-09-30T09:31:26 to 2021-10-02T09:31:26  <= this line shows the validity
        Principals:
                username
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
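
As an added example (not part of the CSCS documentation or the sshservice-cli scripts), the shell function below reads the `Valid:` line of `ssh-keygen -L` output and reports whether the certificate is usable at a given time, so an expired short-lived key is caught before an SSH login fails. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CSCS code. Classifies an OpenSSH certificate from the
# text that `ssh-keygen -L` prints, using its "Valid:" line.

# Turn 2021-10-02T09:31:26 into 20211002093126 so it compares as an integer.
ts() { printf '%s' "$1" | tr -d 'T:-'; }

# cert_status NOW < listing
# NOW is local time as YYYY-MM-DDTHH:MM:SS (ssh-keygen prints local time too).
# Prints valid | expired | not-yet-valid | unknown; returns 0 only for valid.
cert_status() {
    now=$(ts "$1")
    line=$(sed -n 's/^[[:space:]]*Valid:[[:space:]]*//p' | head -n 1)
    from=0
    to=99999999999999
    set -f                      # no globbing while splitting into words
    set -- $line
    set +f
    case "${1:-}" in
        forever) ;;             # certificate without an expiry
        from)    from=$(ts "${2:-}"); to=$(ts "${4:-}") ;;
        after)   from=$(ts "${2:-}") ;;
        before)  to=$(ts "${2:-}") ;;
        *)       echo unknown; return 2 ;;
    esac
    # Reject anything that did not reduce to plain digits.
    for v in "$now" "$from" "$to"; do
        case "$v" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    done
    if [ "$now" -lt "$from" ]; then echo not-yet-valid; return 1; fi
    if [ "$now" -ge "$to" ]; then echo expired; return 1; fi
    echo valid
}

# Constructed sample, modelled on the listing shown above.
sample_listing() {
    cat <<'EOF'
Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "username"
        Valid: from 2021-09-30T09:31:26 to 2021-10-02T09:31:26
        Principals:
                username
EOF
}

# Real use: check_cert ~/.ssh/cscs-key-cert.pub
check_cert() {
    ssh-keygen -L -f "$1" | cert_status "$(date +%Y-%m-%dT%H:%M:%S)"
}
```

A result of `expired` means a new key pair has to be generated and downloaded before the next login.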

...

Using MFA on a Windows system

...

The following CSCS systems are currently enabled with MFA/SSHService sshd configuration for SSH access:

  • ela
  • dom
  • daint
  • eiger
  • clariden

In order to access other systems, you might still need to use the legacy approach to access through SSH.

Process for requesting a long term key (Deprecating)

  • Please open a ticket if you already hold a service account that performs automation on your application side and needs a long term key.
  • Please open a ticket if you need a key pair that is valid for 7 days and you are running workflows using automation tools or scripts.

...

Reset OTP or register a new device/authenticator app

  • Please open a ticket and our support team will instruct you on the steps; follow this document to reset your OTP.