You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 19 Next »


Two-factor authentication (2FA) refers to an authentication method in which a user is granted access to the Cineca HPC systems (currently mandatory to access Leonardo) only after successfully presenting two pieces of evidence (or factors). Verifying your identity, using an independent second factor, prevents other users from logging in with your identity, even if they have the password. Two-factor authentication (hereafter 2FA) therefore adds a further level of security to the authentication for access to services based on the Identity Provider.

The new access mode proposed is entirely transparent to the user, who continues to use the ssh client as usual. At the first connection attempt, a web page will be automatically opened on the browser and the user will be asked to authenticate to our Identity Provider by inserting a One-Time Password (OTP). Once authentication has taken place, the server will issue a timed certificate which can be used to connect to Cineca systems via SSH client. The certificate is valid for 8 hours after the authentication. At the end of the validity, user will need to authenticate again with 2FA.

Check che dura 8 ore davvero


Frasetta per includere il primo accesso

How to install the smallstep client

Once the 2FA will be enabled as the only method to authenticate on CINECA clusters, you will need to install and configure on your PC a program that allows you to authenticate via 2FA and to download locally the temporary certificate. At CINECA we suggest to use smallstep client.

To obtain the smallstep executable and install it, users can go to the smallstep website and follow the installation steps reported for several operating systems.
In alternative, users can download the executable available in the GitHub repository.

IMPORTANT: users with Ubuntu operating systems (but may happen also for other Linux distributions) should not run the command "sudo apt install step" because this will install a different software that will give errors when following the below instructions.

Once installed, users need to configure smallstep. Instructions depends on the operating systems on your PC:

  1. Setup client step-cli: Linux users
  2. Step client step-cli: Mac users
  3. Step client step-cli: Windows users

Access to the systems

Now that you have correctly configured the 2FA and the smallstep client, and you have downloaded the temporary certificate you can login to the CINECA cluster via the usual ssh protocol

ssh <username>@login.<cluster>.cineca.it

You will be directly logged into the cluster without having to insert the password.

If you would like to connect via Remote Connection Manager (RCM) once downloaded the temporary certificate, as for the ssh login, you can login following the same instructions as before with the exception that you don't have to insert the password in the login page.

  • No labels