Introduction
To access CSCS services and systems users are required to authenticate using multi-factor authentication (MFA). MFA is implemented as a two-factor authentication, where one factor is the login and password pair ("the thing you know") and the other factor is the device which generates one-time passwords (OTPs, "the thing you have"). In this way security is significantly improved compared to single-factor (password only) authentication.
How MFA works at CSCS
The MFA workflow uses a time-based one-time password (OTP) to verify identity. An OTP is a six-digit number which changes every 30 seconds. OTPs are generated using a tool installed on a device other than the one used to access CSCS services and infrastructure. We recommend using a smartphone with an application such as Google Authenticator to obtain the OTPs.
Setting up MFA at CSCS
MFA is being introduced gradually to all CSCS users: you will receive an email to inform you about the procedure. The next time you log in to any of the CSCS web applications such as UMP, Jupyter, etc., you will be asked to register your device.
Firstly, you will be asked to provide a code that you received by email. After this validation step, you will need to scan a QR code with your mobile phone using an application such as Google Authenticator. Lastly, you will need to enter the OTP from the authenticator application to complete the registration of your device. From then on, two-factor authentication will be required to access CSCS services and systems. A more detailed explanation of the registration process is provided in the next section.
You will not be able to log in to CSCS systems using SSH without registering your device and creating certified SSH keys. See below for details on generating certified SSH keys.
Authenticator application
CSCS supports authenticators that follow an open standard called TOTP. The recommended way to access such an authenticator is to install an application on your mobile phone. Google Authenticator and FreeOTP have been tested successfully; however, if you are using a different mobile application for OTPs, feel free to continue using it, provided it supports the TOTP standard.
You can download Google Authenticator for Android on the Google Play Store; or Google Authenticator for Apple iOS on the Apple Store.
Configuring the authenticator
The following is the procedure to set up OTP:
Pre-requisites:
- Invitation email from CSCS for MFA enrollment (a notification email will be sent at least one week before the invitation email)
- Install the OTP Authenticator app on your mobile device
Notes:
- If you missed the invitation email but try to access any of our web applications, you will be guided through the OTP enrollment.
- If you missed the invitation email and try to access SSH with the legacy approach, you will get a permission denied error.
Steps:
- Access any of the CSCS web applications such as UMP, Jupyter, etc., in a new browser session; this redirects you to the CSCS login page.
- Log in with your username and password.
- You will be asked to enter a code which the CSCS authentication system sent to you by email; after successful validation of the code you will be redirected to the next page, which presents a QR code.
- Scan the QR code with the authenticator app installed on your mobile device; after scanning, the authenticator app will start generating a new 6-digit OTP every 60 seconds.
- To complete the OTP registration process, enter the 6-digit OTP from the authenticator app at the bottom of the same QR code page. Optionally, you can enter the name of the device into which you imported the OTP seed by scanning the QR code.
- On successful registration you will be logged into the CSCS web application that you accessed in step 1.
(Screenshot: Identity verification)
(Screenshot: Registering your device)
Using MFA to access web-based services
After having completed the setup of your authenticator, you will be asked to enter your login/password and the OTP to access all web-based services.
- You enter your first factor: login and password.
- On success, you enter the second factor: 6-digit code obtained from your device.
(Screenshot: Authentication with 2nd factor)
Smartphone replacement - MFA and Authenticator app
When replacing your smartphone, remember to transfer (sync) the authenticator app accounts to the new phone before resetting the old one. Otherwise, you will have to reset the CSCS MFA by opening a ticket.
Using MFA to SSH into systems
The introduction of MFA also affects connection with SSH to CSCS systems. It is no longer possible to authenticate with a username/password and user-created SSH keys: it is necessary to use a certified SSH key created by a CSCS SSHService. Keys are valid for 24 h, after which a new key must be generated through our SSHService GUI or by using a command-line script.
The number of certified SSH keys is limited to 5 per day. Once you have reached this number you will not be able to generate new keys until at least one of these keys expires or is revoked (see the corresponding FAQ on the User Portal).
This involves two steps, Step 1 and Step 2, as explained below.
Step 1. Obtaining the certified SSH keys using either of the following ways:
(Option-1) Using Web-based SSHService
a. Access the SSHService web application at https://sshservice.cscs.ch
b. Follow the authentication instructions.
c. Select "Signed key" on the left tab and click on "Get a signed key".
d. On the next page a key pair is generated and ready to be downloaded. Download or copy/paste both keys.
(Screenshot: Creating and downloading signed keys)
e. Setup the keys on your local machine:
mv /download/location/cscs-key-cert.pub ~/.ssh/cscs-key-cert.pub
mv /download/location/cscs-key ~/.ssh/cscs-key
chmod 0600 ~/.ssh/cscs-key
(Option-2) Using SSHService Command-line
On Linux and MacOS, the SSH keys can be generated and automatically installed using a command-line script. This script is provided in pure Bash and in Python. Python 3 is required together with the packages listed in the file requirements.txt provided with the scripts. We recommend using a virtual environment for Python.
a. Obtain the scripts by cloning the following repository:
git clone https://github.com/eth-cscs/sshservice-cli
b. Execute either the Bash script or Python script as shown below:
Bash version:
./sshservice-cli/cscs-keygen.sh
Python version:
python -m venv mfa
cd mfa
source bin/activate
git clone https://github.com/eth-cscs/sshservice-cli
cd sshservice-cli
pip install -r requirements.txt
python cscs-keygen.py
The Python setup above is needed only once; from then on, to generate/download the keys use the following commands:
source mfa/bin/activate
cd mfa/sshservice-cli
python cscs-keygen.py
c. Follow the interactive script and download the key pair by providing the authentication information (username, password, OTP). Note that the script generates the key pair inside the .ssh directory of your local home folder:
ls -latr ~/.ssh/
Step 2. Accessing CSCS systems using the certified SSH keys
On Linux or MacOS, follow the steps below.
i. Set a passphrase on the private key using the following command:
ssh-keygen -f ~/.ssh/cscs-key -p
ii. Add the key to the SSH agent (make sure ssh-agent is running; otherwise start it with eval $(ssh-agent)):
ssh-add -t 1d ~/.ssh/cscs-key
iii. Connect to the login node 'ela' using the following ssh command:
ssh -A cscs_username@ela.cscs.ch
iv. Jump to a cluster from ela using the following command:
ssh <cluster>   (e.g. dom, daint, etc.)
Frequently encountered Login errors
1. If you see the message "Too many authentication failures", you may have too many keys in your ssh agent. Remove the unused keys from the agent or flush them all with the following command:
ssh-add -D
2. If you attempt to access CSCS systems with SSH using an expired key, SSH will fail with an error message as follows:
Permission denied ...
The validity of the key can be checked with the following command (the "Valid:" line shows the validity period):
ssh-keygen -L -f ~/.ssh/cscs-key-cert.pub
Type: ssh-ed25519-cert-v01@openssh.com user certificate
Public key: ED25519-CERT SHA256:pF3znTpw2EyGkjeCLnhXqGjf0Ar0RXcomyVN+kxmZmI
Signing CA: ED25519 SHA256:BwybyU6cNJBS7AX6BdwgJV2emGDV4lkKY4413WRGboY (using ssh-ed25519)
Key ID: "username"
Serial: 0
Valid: from 2021-09-30T09:31:26 to 2021-10-02T09:31:26   <= this line shows the validity
Principals: username
Critical Options: (none)
Extensions:
  permit-X11-forwarding
  permit-agent-forwarding
  permit-port-forwarding
  permit-pty
  permit-user-rc
3. If you see the message "Could not open a connection to your authentication agent" while adding the keys to your agent, make sure the agent is up; if not, bring up the agent using the following command: eval $(ssh-agent)
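Since an expired certificate only surfaces as "Permission denied", it helps to check the "Valid:" line before connecting. The following added example (not a CSCS script) parses the ssh-keygen -L listing above into a status and remaining lifetime; the sample text is a constructed copy of that listing, and the inspect_cert helper name and default path are assumptions.

```python
import os
import re
import subprocess
from datetime import datetime

# Constructed sample: the essential lines of the ssh-keygen -L output shown above.
SAMPLE_CERT_INFO = """\
Type: ssh-ed25519-cert-v01@openssh.com user certificate
Key ID: "username"
Serial: 0
Valid: from 2021-09-30T09:31:26 to 2021-10-02T09:31:26
Principals: username
"""

TS_FMT = "%Y-%m-%dT%H:%M:%S"  # ssh-keygen prints local time with no zone suffix
VALID_RE = re.compile(r"Valid:\s+from\s+(\S+)\s+to\s+(\S+)")


def parse_validity(info: str):
    """Return (not_before, not_after) datetimes; (None, None) for 'Valid: forever'."""
    if re.search(r"Valid:\s+forever", info):
        return None, None
    m = VALID_RE.search(info)
    if m is None:
        raise ValueError("no 'Valid:' line found: not a certificate listing")
    return datetime.strptime(m.group(1), TS_FMT), datetime.strptime(m.group(2), TS_FMT)


def _now(now_iso):
    return datetime.strptime(now_iso, TS_FMT) if now_iso else datetime.now()


def cert_status(info: str, now_iso: str = None) -> str:
    """'valid', 'expired' or 'not-yet-valid'; a Permission denied with a certified key usually means 'expired'."""
    now = _now(now_iso)
    not_before, not_after = parse_validity(info)
    if not_before is not None and now < not_before:
        return "not-yet-valid"
    if not_after is not None and now >= not_after:
        return "expired"
    return "valid"


def seconds_remaining(info: str, now_iso: str = None):
    """Seconds until expiry (negative once expired, None if the certificate never expires)."""
    _, not_after = parse_validity(info)
    return None if not_after is None else (not_after - _now(now_iso)).total_seconds()


def inspect_cert(path: str = "~/.ssh/cscs-key-cert.pub"):
    """Run ssh-keygen -L on the certificate file (path is an assumed default) and report on it."""
    out = subprocess.run(["ssh-keygen", "-L", "-f", os.path.expanduser(path)],
                         capture_output=True, text=True, check=True).stdout
    return cert_status(out), seconds_remaining(out)


if __name__ == "__main__":
    print(inspect_cert())
```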
Using MFA on a Windows system
The instructions in the previous sections focused on users working with Linux/Mac OS. Windows users can find a short guide, MFA with Windows, describing tested workflows and tools compatible with CSCS MFA.
Artifacts from the Webinar on Multi Factor Authentication & SSH Key Service at CSCS
For the users who missed our webinar on Dec 5th, 2022, we provide the video recording here.
The PowerPoint slides presented to the audience at the webinar on Dec 5th, 2022 are attached here for reference.
The PDF with the questions gathered during the webinar, along with CSCS responses, is also attached here.
CSCS Systems enabled with MFA/SSHService configuration
The following CSCS Systems are currently enabled with MFA/SSHService sshd configuration:
- ela
- dom
- daint
- eiger
- clariden
In order to access other systems, you might still need to use the legacy approach for SSH access.
Process for requesting a long-term key (being deprecated)
- Please open a ticket if you already hold a service account that performs automation on your application side and needs a long-term key.
- Please open a ticket if you need a key pair that is valid for 7 days and you are running workflows using automation tools/scripts.
Notes: We encourage users to migrate to FirecREST for submitting jobs through automation workflows. While users port their workflows to FirecREST, we continue to support long-term keys and 7-day keys.
Reset OTP or register a new device/authenticator app
- Please follow this document to reset OTP.