You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »


Two-factor authentication (2FA) refers to an authentication method in which a user is granted access to the Cineca HPC systems (currently mandatory to access Leonardo) only after successfully presenting two pieces of evidence (or factors). Verifying your identity, using an independent second factor, prevents other users from logging in with your identity, even if they have the password. Two-factor authentication (hereafter 2FA) therefore adds a further level of security to the authentication for access to services based on the Identity Provider.

The new access mode proposed is entirely transparent for the user, who continues to use the ssh client as usual. During the first connection, the user will see a web page open in his browser where she/he will authenticate to our Identity Provider. Once authentication has taken place, the server will issue a timed certificate which can be used to connect to Cineca systems via SSH client.

First access - How to activate the 2FA and configure the OTP


In order to enable the 2FA you need to authenticate on this page https://sso.hpc.cineca.it using username and password you use to connect to CINECA clusters.

At the first login you will be forced to verify your email, change the password and configure your OTP (One-Time Passowrd) code that will be requested in addition to the password when loggin in to our clusters (where 2FA has been forced as the only way to access).

Qui ci vorrebbe una verifica pratica che la sequenza è quella e prendere qualche snapshot da mettere e qualche frasetta di spiegazione.

< i documenti che ha mandato Max sono pieni di immagini per spiegare i passaggi, possiamo usare quelli>

How to install the client

To obtain the smallstep executable and install it, users can go to https://smallstep.com/docs/step-cli/installation following the indication reported for your operating systems or download the executable available in the following Git repository: https://github.com/smallstep/cli/releases/tag/v0.23.0 .

ATTENTION: the users with Ubuntu operating systems should not run the command "sudo apt install step", this will install a different software, not smallstep.

In order to configure the smallstep client the steps reported at the following pages considering the operating systems on your PC:

  1. Setup client step-cli: Linux users
  2. Step client step-cli: Mac users
  3. Step client step-cli: Windows users


Access to the systems

  •  How to get the daily certificate

To obtain your daily certificate run:

$ eval $(ssh-agent)Only WINDOWS users

$ step ssh login '<user-email>' --provisioner cineca-hpc

This will open an external windows where the user should write his/her HPC access credentials.

  • Access via Secure Shell (SSH)
    The Secure Shell protocol allows data to be exchanged over a secure channel between two computers. SSH is typically used for logging into a remote machine and executing commands (remote console), but it can also be used to run programs and transfer files. 

    The access is done via one of the following commands:

    ssh <username>@login.marconi.cineca.it
    ssh <username>@login.m100.cineca.it
    ssh <username>@login.g100.cineca.it

    depending on which cluster you have the account. You can use option -X to enable X11 display forwarding.

    All the systems share the same username/password.

  • No labels