

Two-factor authentication (2FA) refers to an authentication method in which a user is granted access to the Cineca HPC systems (currently mandatory to access Leonardo) only after successfully presenting two pieces of evidence (or factors). Verifying your identity, using an independent second factor, prevents other users from logging in with your identity, even if they have the password. Two-factor authentication (hereafter 2FA) therefore adds a further level of security to the authentication for access to services based on the Identity Provider.

The new access mode is entirely transparent to the user, who continues to use the ssh client as usual. At the first connection attempt, a web page is automatically opened in the browser and the user is asked to authenticate to our Identity Provider by entering a One-Time Password (OTP). Once authentication has taken place, the server issues a time-limited certificate which can be used to connect to Cineca systems via an SSH client. The certificate is valid for 8 hours after the authentication. When the validity ends, the user will need to authenticate again with 2FA.

Check that it really lasts 8 hours

First access - How to activate the 2FA and configure the OTP


In order to enable the 2FA you need to authenticate on this page https://sso.hpc.cineca.it using the username and password you use to connect to CINECA clusters.

At the first login you will be required to verify your email, change the password and configure your One-Time Password (hereafter OTP) code, which will be requested in addition to the password when logging into our clusters (where 2FA has been enforced as the only way to access).

Insert image with English text


By clicking on "Click here to continue" you will be asked to insert a new password. You can find here the password policies.

Insert an image with English text here as well


After the definition of a new valid password (that will replace the password used to login to our CINECA clusters), you will be asked to configure the 2FA following the steps described in the page.

Image with English text

You can use FreeOTP, Google Authenticator or any other app that generates authentication codes. If you don't already have one, you need to download one of them on your smartphone.

Once installed, you can use it to scan the QR code shown in the above page and the 2FA will be automatically configured. For example on Google Authenticator...

Insert some images showing what to tap on the phone to scan the QR code

As a final step, you will be asked to enter the 6-digit code that appears in the app to verify the correct configuration.
If you have multiple OTPs defined in the app, the correct one is named "CINECA HPC: <your username>".

Insert two images


Once the configuration has been verified, the following page will show you the recovery codes.

Please save these codes somewhere by downloading, printing or copying them into a text file.
These codes are requested in case of problems with the OTP configuration (an issue with the app, or a lost smartphone), so they are very important.

In the final page you will be asked to update your profile by inserting your Name and Surname.

Insert image in English

If every step is successful, a confirmation page will be shown.

Insert image in English



The part about email verification is missing

Mention what to use if one does not have a smartphone


How to install the smallstep client

Once 2FA is enabled as the only method to authenticate on CINECA clusters, you will need to install and configure on your PC a program that allows you to authenticate via 2FA and to download the temporary certificate locally. At CINECA we suggest using the smallstep client.

To obtain the smallstep executable and install it, go to the smallstep website and follow the installation steps given for your operating system.
Alternatively, you can download the executable available in the GitHub repository.

IMPORTANT: users with Ubuntu operating systems (this may also happen on other Linux distributions) should not run the command "sudo apt install step", because this installs a different software package that will give errors when following the instructions below.

Once installed, smallstep needs to be configured. The instructions depend on the operating system of your PC:

  1. Setup client step-cli: Linux users
  2. Step client step-cli: Mac users
  3. Step client step-cli: Windows users


Access to the systems

Now that you have correctly configured the 2FA and the smallstep client, the following procedure shows you how to connect to the CINECA clusters using the 2FA.

Obtain the temporary certificate

On Linux or Mac

Just open a terminal and run the following command:

step ssh login '<your registered email>' --provisioner cineca-hpc


  •  How to get the daily certificate

To obtain your daily certificate run:

$ eval $(ssh-agent)        # Only WINDOWS users

$ step ssh login '<user-email>' --provisioner cineca-hpc

This will open an external window where the user should enter his/her HPC access credentials.

To verify the certificate version and how long it will last, run:

$ step ssh list
$ step ssh list --raw '<user-email>' | step ssh inspect
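
The validity check above can also be done by reading the certificate itself. The following Python parser is an added example, not part of the Cineca documentation: it reads the validity window from an OpenSSH certificate line (the `type base64 comment` form that `ssh-add -L` prints for a certificate held in the agent) and reports how much of the 8-hour lifetime remains. The sample line is constructed with dummy key and signature bytes, and the key id `user@example.org` and principal `jdoe0000` are hypothetical.

```python
import base64, struct, time

# Key-specific fields between nonce and serial (OpenSSH PROTOCOL.certkeys).
KEY_FIELDS = {
    b"ssh-ed25519-cert-v01@openssh.com": 1,          # public key
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve name, public point
    b"ssh-rsa-cert-v01@openssh.com": 2,              # e, n
}

def _read(buf, off):
    """Read one length-prefixed SSH string; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Parse a 'type base64 [comment]' certificate line. Reads fields only:
    the CA signature is NOT verified here (the SSH server does that)."""
    blob = base64.b64decode(line.split()[1])
    ctype, off = _read(blob, 0)
    if ctype not in KEY_FIELDS:
        raise ValueError("not a supported SSH certificate type: %r" % ctype)
    for _ in range(1 + KEY_FIELDS[ctype]):           # nonce, then key fields
        _, off = _read(blob, off)
    _serial, kind = struct.unpack_from(">QI", blob, off)
    key_id, off = _read(blob, off + 12)
    plist, off = _read(blob, off)
    principals, p = [], 0
    while p < len(plist):                            # nested list of strings
        name, p = _read(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"key_id": key_id.decode(), "principals": principals, "user_cert": kind == 1,
            "valid_after": valid_after, "valid_before": valid_before}

def seconds_left(cert, now=None):
    """Seconds of validity remaining (0 if not yet valid or already expired)."""
    now = time.time() if now is None else now
    return max(0, int(cert["valid_before"] - now)) if now >= cert["valid_after"] else 0

def make_sample(valid_after, hours=8):
    """Constructed sample line with dummy key/signature bytes (not a real cert)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    t = b"ecdsa-sha2-nistp256-cert-v01@openssh.com"
    body = (s(t) + s(bytes(32)) + s(b"nistp256") + s(b"\x04" + bytes(64))
            + struct.pack(">QI", 1, 1) + s(b"user@example.org") + s(s(b"jdoe0000"))
            + struct.pack(">QQ", valid_after, valid_after + hours * 3600) + s(b"") * 5)
    return (t + b" " + base64.b64encode(body)).decode() + " constructed-sample"
```

Plain public keys in the agent are not certificates, so `parse_cert` raises `ValueError` for them; a wrapper script can skip those lines and ask for a new login when `seconds_left` returns 0.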
  • Access via Secure Shell (SSH)
    The Secure Shell protocol allows data to be exchanged over a secure channel between two computers. SSH is typically used for logging into a remote machine and executing commands (remote console), but it can also be used to run programs and transfer files. 

    The access is done via one of the following commands:

    ssh <username>@login.marconi.cineca.it
    ssh <username>@login.m100.cineca.it
    ssh <username>@login.g100.cineca.it

    depending on the cluster on which you have an account. You can use the -X option to enable X11 display forwarding.

    All the systems share the same username/password.

Access via RCM
