MultiFactor Authentication (MFA)¶
Mandatory MultiFactor Authentication (MFA) will be introduced to CSD3 and storage services logins on 1st November 2022 (which is a day of planned full maintenance).
- What does this mean?
- What do I need to do?
- Walkthrough - SSH to multi.hpc.cam.ac.uk
- Will I need to change my working practices?
- What should I do when I change my phone?
- How do I reset my TOTP for SSH to CSD3?
- Frequently asked questions (FAQ)
What does this mean?¶
When CSD3 returns to service following the full maintenance on 1st November, all passwords and SSH keys will work as before, but in addition a Time-based One-Time Password (TOTP) code will be requested. This is a six digit number, refreshed every 30 seconds, which is generated typically by an app running on your mobile phone. Thus authentication will then require at least two “factors”, i.e. either password or SSH key (the first factor), plus TOTP (the second factor).
Two common such mobile apps (available from mobile app stores and tested by us) are Google Authenticator and Microsoft Authenticator, which indeed you may already have and be using for other services.
The second (TOTP) factor can be configured before 1st November and we recommend you do this, but it is possible that you already have a working TOTP for CSD3.
What do I need to do?¶
I already have TOTP for login-web.hpc.cam.ac.uk¶
Any user of login-web who has already set up TOTP for use there should find that the same TOTP will work for SSH login to CSD3, i.e. that no further action is required. A TOTP created for use with login-web appears as CSD3 (your username) in your authenticator app.
I already use TOTP for other services¶
If you already use TOTP to access other services, and have a mobile application supporting TOTP to enable its use, then you may be able to login to multi.hpc.cam.ac.uk and feed the QR code or secret key this generates into your existing application. This should create a new account in your app appearing as CSD3 (SSH Login).
Please note that we have only verified this with Google Authenticator and Microsoft Authenticator.
Walkthrough - SSH to multi.hpc.cam.ac.uk¶
When you are ready to configure TOTP, log into the special node multi.hpc.cam.ac.uk. Do this just as you would for SSH login to e.g. login.hpc.cam.ac.uk, using your existing first factor. The sole function of this node is to set up TOTP if you currently have none configured.
The first time you connect to multi.hpc.cam.ac.uk (as for any new destination with SSH) you will see a message similar to this:
The authenticity of host 'multi.hpc.cam.ac.uk (184.108.40.206)' can't be established. ED25519 key fingerprint is SHA256:nFVSXK+VRGCaUupQEdhXzO6kp01m2fzzmbgPr0sc2so.
Please check that the fingerprint listed matches one of those listed as current at https://docs.hpc.cam.ac.uk/hpc/user-guide/hostkeys.html.
You may also see additional lines like the following:
This host key is known by the following other names/addresses: ~/.ssh/known_hosts:18: login.hpc.cam.ac.uk (4 additional names omitted)
This is to be expected as all login nodes on CSD3 share a single set of host keys. Provided the key fingerprint is current it is ok to respond yes to the final question:
Are you sure you want to continue connecting (yes/no/[fingerprint])?
If TOTP is already configured for your account, a message will be printed and the connection closed:
Otherwise, a QR code and secret key will be printed, either of which can be given to your mobile app. We suggest the QR code is the easier to use, as the app will ask you to simply point your phone camera at it (the secret key on the other hand needs to be typed in).
Both Google Authenticator or Microsoft Authenticator display a ‘+’ icon for adding a new account:
- Google Authenticator then presents a choice of Scan a QR code or Enter a setup key, i.e. either point your phone camera at the displayed QR code, or type in the “secret key”, respectively.
- Microsoft Authenticator presents a choice of new account type, choose Other account. This will activate the camera - point it at the displayed QR code.
Please be careful not to point your camera at the example QR code displayed on the web page, as it will happily read it but this code is not valid for any purpose. You want to use your QR code from your login session to multi.hpc.cam.ac.uk.
The correct TOTP created in this way will appear in your mobile app under the account CSD3 (SSH Login). Please note that a TOTP created for use with login-web appears as CSD3 (your username). If you already have the latter, and SSH to multi.hpc.cam.ac.uk tells you that TOTP is already configured, then the existing TOTP should work for both purposes.
You may now check the TOTP generation works by selecting the new account and entering the 6-digit number at the prompt. Alternatively, skip this step by entering -1.
A set of emergency one-time passcodes is then displayed, which will allow MFA to succeed on one occasion each if entered in place of the number generated by your app (e.g. if your phone is unavailable). Please copy these and keep them secure (the numbers displayed on the page here are of course examples only and useless):
You will not be required to enter a TOTP when logging into CSD3 until 1st November 2022.
Will I need to change my working practices?¶
People work in different ways, and the answer to this is “possibly”.
Adding a second factor to authentication definitely increases the work required to login, but not having the feature on CSD3 is no longer acceptable. The support team have been using MFA themselves for some time without issue.
Reducing the effort of MFA - connection sharing¶
If you make many separate connections per day to CSD3, then you may find yourself reaching for your phone many times. However it is possible to streamline this by multiplexing SSH connections, e.g. the following section in your ~/.ssh/config file would create an initial network connection (requiring MFA) to a login node, which subsequent SSH sessions (to the same login node) would reuse (so only one use of the mobile phone but possibly many sessions):
Host login*.hpc.cam.ac.uk ControlMaster auto ControlPath ~/.ssh/control-%C ControlPersist 900
(see the Control* directives in the ssh_config manual page for OpenSSH).
Note that once inside the cluster, it is possible to move laterally to other nodes without additional MFA. E.g. if you have a session already on login-e-1.hpc.cam.ac.uk but would like to use login-q-1.hpc.cam.ac.uk instead, then you can
- either start again and SSH from your local machine to login-q-1.hpc.cam.ac.uk (with another round of MFA)
- or you can simply type ssh login-q-1 from inside your original login-e-1 session.
In some cases (e.g. automated connections out of office hours) another solution may be required and the support desk will be able to help.
What should I do when I change my phone?¶
If you plan to change your phone, please consider transferring your TOTP secrets to your new device while you still have access to the old one. For example, the Google Authenticator app has a Transfer accounts option under its settings menu which provides a simple way of copying the secrets to the new device.
If you are passing on the old device to another person, you should perform a wipe to factory settings first.
If you lose your old device, or pass it on without wiping it, you will need to reset your MFA tokens - please see How do I reset my TOTP for SSH to CSD3?.
How do I reset my TOTP for SSH to CSD3?¶
If you need to reset your TOTP second factor, e.g. because you no longer have access to your original phone, please contact email@example.com. The TOTP second factor is an important protection against user account compromise, and an identity check is therefore needed when a request to replace it is received. This is similar to the existing process for resetting University passwords in a context where face to face identity checks are not feasible most of the time.
When contacting the service desk to request a reset of MFA, please be sure to send the email from the email address we have registered against your user account.
The service desk agent will arrange a time at which to hold a brief video call with you at which you will be asked to present photographic proof of identity in the form of one of the following:
- Driving licence
- University card (for members of the University of Cambridge).
Expired forms of the above are acceptable as proof of identity. Following completion of this check, the TOTP secret will be reset and you will be able to revisit multi.hpc.cam.ac.uk to repeat the setup procedure.
Frequently asked questions (FAQ)¶
I am unable to login to multi.hpc.cam.ac.uk and now I get “Connection refused”.
- Make sure you are using the same userid, password or public key as you would to login.hpc.cam.ac.uk. As with the login nodes, failing to authenticate three times in succession to multi will cause your address to be blocked for 20 minutes, so if this happens please wait this long before trying again.
I am using MS Authenticator but the TOTP code doesn’t work.
- If you still have the QR code and secret key on your screen then delete the account in your Authenticator and recreate it, making sure that the account is of the Other type (not Personal or Work). Otherwise please contact firstname.lastname@example.org to request reset of the MFA secret before trying again, and select account type Other.
When performing ssh to multi.hpc.cam.ac.uk the QR code is replaced either by garbage or is broken up by blank lines, making it unusable.
- Setting export LANG=en_GB.UTF-8 in Mac terminals before performing the ssh may stop this happening - however if this has already happened you will need to contact email@example.com to request reset of the MFA secret before trying again.
Connection sharing doesn’t work with Filezilla and I keep seeing TOTP requests during file transfers.
- Please prefer to use the RDS gateway rds.uis.cam.ac.uk for file transfers. This will request TOTP less frequently.
I don’t have a smart phone on which I can install an OATH-compliant TOTP app such as Google Authenticator, Microsoft Authenticator, Authy or FreeOTP.
- The proper solution for you is to ask your department to purchase an inexpensive OATH TOTP compatible token device.
- If you already have such a device and use it for login to another service, you will need a new device for use with CSD3 unless it supports multiple accounts.
- Any device needs to support 6 digit, SHA1 OATH TOTP with 30 seconds time interval, which non-programmable devices may well not do. In particular, please note that the SafeID/Classic model provided by the UIS for Microsoft services is known not to work with the Google style of TOTP used on CSD3.
- YubiKeys (used in conjunction with an application on phone, desktop or laptop) are known to work (although we have not been able to test all combinations of device and platform).
- Combinations of hardware token and platform which we have tested and are known to work are listed below (please note that these are not recommendations, merely examples which we have made to work):
- YubiKey 5Ci (has USB type C plug) with Microsoft Windows laptop or Android phone.
- Nitrokey Pro 2 (has USB type A plug) with Linux desktop.
- There will be others - if you identify a new token device which demonstrably works with CSD3, please let us know and we will list it here.