Two-Factor Authentication

Overview

The default two-factor authentication (2FA) mechanism on ARC systems requires your PID password as well as a second factor provided through Duo. In the simplest case,

  1. A user will be asked to enter their PID password (as was the case prior to 2FA implementation)
  2. An authentication request will then be automatically sent to the user’s default second factor device

An alternative is to type your PID password followed by a comma and a keyword indicating the second factor that you want to use, e.g.

myPassword,phone

A full description of these options is included under “Completing 2-Factor Authentication with LDAP” in 4Help’s Knowledge Base article on Two-Factor Authentication.

Authentication with SSH public-key

The combination of an ssh public key and a password satisfies the two-factor requirement for accessing ARC systems. ARC users can configure access between their local machine (e.g. laptop or workstation) and the remote ARC systems by following the steps shown below (options are provided for Linux / Mac and Windows).

  1. Generate an RSA 4096-bit public/private keypair:
    • Linux / Mac:
      • Execute the following command:

        ssh-keygen -t rsa -b 4096

        This creates a private key stored in the file ~/.ssh/id_rsa and a corresponding public key in the file ~/.ssh/id_rsa.pub. You will be prompted to optionally set a passphrase for the key, which will be used to encrypt the private key.

      • Copy the contents of the public key for pasting in the next step (e.g. on your computer, highlight and copy the output of cat ~/.ssh/id_rsa.pub).
    • Windows using PuTTY’s key generator
      • Run the PuTTYgen.exe executable which was installed along with PuTTY. (Hint: right-click the PuTTY shortcut on your desktop and select Open File Location to quickly get to the installation directory.)
      • Select SSH-2 RSA and 4096 bits, then click Generate.
      • Optionally add a comment and passphrase for the key.
      • Click Save public key and Save private key to save the keys in a secure location where they will not be lost.
      • Copy the text from the field labeled Public key for pasting into OpenSSH authorized_keys. The public key text begins with “ssh-rsa AAAA…”.
  2. Configure ARC servers to use the public/private keypair you created for SSH sessions:
    • Use your standard PID/password to connect to an ARC login node.
    • In your home directory on the ARC server, open the file ~/.ssh/authorized_keys for editing. You may need to create either the .ssh directory (mkdir ~/.ssh) or the authorized_keys file if either does not already exist.
      • Paste the public key onto its own line in the authorized_keys file, then save and exit. (e.g. On the server, run vi ~/.ssh/authorized_keys, press i for insert mode, make a new line and paste the copied key string there, then press Esc to leave insert mode, type :wq and press Enter to save and exit the file.)
  3. Final steps
    • Linux / Mac: The client and server should now be configured to authorize ssh connections using the public/private keypair you created. Disconnect from the login node and then attempt a new ssh connection. You should not be prompted for a password.
    • Windows using PuTTY: Configure PuTTY so that SSH sessions to ARC servers use the public/private keypair you created.
      • Open the main PuTTY program and in the main session screen enter the hostname of an ARC login node you will be using.
      • In the configuration, select Data inside the Connection menu.
      • Enter your username for the Auto-login username.
      • In the configuration, select Auth inside the SSH menu.
      • In the field asking for Private key file for authentication, enter the path to the private key file you created, or click “Browse” to find it.
      • Return to the main Session screen and under Saved Sessions enter a name and click Save to save the settings.
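The OpenSSH side of steps 2 and 3, as an added example (this is not ARC's own tooling or documentation). install_pubkey does what the manual "paste into ~/.ssh/authorized_keys" step does, but checks that the pasted line has the shape of an OpenSSH public key, skips a key that is already present, and sets the directory and file permissions that sshd's StrictModes setting requires. client_config_stanza prints the ~/.ssh/config entry that is the OpenSSH equivalent of the PuTTY saved session in step 3. The sample key material, the alias arc-login, the hostname login.arc.example and the username jdoe are constructed placeholders; the page does not give a login-node hostname.

```shell
#!/bin/sh
# Added example, not ARC's own scripts. Demonstrates an idempotent, permission-
# correct authorized_keys install and the matching ssh_config Host block.

# Constructed sample key: the base64 body is a placeholder, not real key material.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCexample-placeholder-not-a-real-key user@laptop'

# install_pubkey PUBKEY_LINE AUTHORIZED_KEYS_PATH
install_pubkey() {
  pubkey=$1
  authkeys=$2

  # Only accept lines that look like "<keytype> AAAA<base64> [comment]".
  case $pubkey in
    "ssh-rsa AAAA"*|"ssh-ed25519 AAAA"*|ecdsa-sha2-nistp*" AAAA"*) ;;
    *) echo "install_pubkey: not an OpenSSH public key line" >&2; return 1 ;;
  esac

  # Create ~/.ssh and authorized_keys if missing. sshd ignores the file when
  # the directory or file is group/world-writable (StrictModes, the default).
  keydir=$(dirname "$authkeys")
  mkdir -p "$keydir"
  chmod 700 "$keydir"
  [ -f "$authkeys" ] || : > "$authkeys"
  chmod 600 "$authkeys"

  # Compare on key type + key material only, so a different trailing comment
  # does not produce a duplicate entry.
  keymat=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
  if grep -qF -- "$keymat" "$authkeys"; then
    return 0
  fi
  printf '%s\n' "$pubkey" >> "$authkeys"
}

# client_config_stanza ALIAS HOSTNAME USER PRIVATE_KEY_PATH
# Prints an ssh_config Host block. IdentitiesOnly stops the client from
# offering every key loaded in the agent before the intended one.
client_config_stanza() {
  printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
    "$1" "$2" "$3" "$4"
}

# Stand-alone demo against a temporary directory (never touches ~/.ssh).
demo_dir=$(mktemp -d)
install_pubkey "$SAMPLE_PUBKEY" "$demo_dir/.ssh/authorized_keys"
install_pubkey "$SAMPLE_PUBKEY" "$demo_dir/.ssh/authorized_keys"   # second call is a no-op
echo "authorized_keys entries: $(wc -l < "$demo_dir/.ssh/authorized_keys" | tr -d ' ')"
client_config_stanza arc-login login.arc.example jdoe '~/.ssh/id_rsa'   # placeholder host/user
rm -rf "$demo_dir"
```

With the Host block appended to ~/.ssh/config, `ssh arc-login` picks up the hostname, username and key, which is the same outcome as the PuTTY saved session; if the key has a passphrase you will be asked for that instead of the PID password.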

Users are expected to follow Virginia Tech’s established Password Rules when setting a passphrase on ssh keys used to access ARC systems.

SSH Agent

ssh-agent is a program that holds private keys used for public key authentication (RSA, DSA). ssh-agent is started at the beginning of a login session, and all other windows or programs are started as clients of the ssh-agent program. With ssh-agent enabled, users do not need to enter the key’s passphrase every time they use the key.

First, if necessary, install keychain on your laptop: “apt-get install keychain” (Debian/Ubuntu) or “yum install keychain” (RedHat/CentOS; you will likely need to add an additional repository that contains the keychain RPM). Next, add the following lines to your ~/.bashrc, then log out and back in:

# Enable ssh-agent
eval $(keychain --eval --agents ssh)

Next, add any SSH keys you use to ssh-agent. The -t option limits how long the key stays loaded (here, 9 hours), after which it must be added again:

ssh-add -t 9h ~/.ssh/id_rsa

External Collaborators

External users will require a sponsored PID to be able to access ARC systems. External users with a previously existing Virginia Tech PID (e.g. alumni) should use their existing PID and refrain from requesting a sponsored PID.