Two-factor authentication (2FA) refers to an authentication method in which a user is granted access to the Cineca HPC systems (currently mandatory to access Leonardo) only after successfully presenting two pieces of evidence (or factors). Verifying your identity, using an independent second factor, prevents other users from logging in with your identity, even if they have the password. Two-factor authentication (hereafter 2FA) therefore adds a further level of security to the authentication for access to services based on the Identity Provider.

The new access mode proposed is entirely transparent to the user, who continues to use the ssh client as usual. At the first connection attempt, a web page will be automatically opened on the browser and the user will be asked to authenticate to our Identity Provider by inserting a One-Time Password (OTP). Once authentication has taken place, the server will issue a timed certificate which can be used to connect to Cineca systems via SSH client. The certificate is valid for 12 hours after the authentication. At the end of the validity, user will need to authenticate again with 2FA.

Frasetta per includere il primo accesso

Access to the systems

Now that you have correctly configured the 2FA and the smallstep client, and you have downloaded the temporary certificate you can login to the CINECA cluster via the usual ssh protocol

ssh <username>@login.<cluster>.cineca.it

You will be directly logged into the cluster without having to insert the password.

If you would like to connect via Remote Connection Manager (RCM) once downloaded the temporary certificate, as for the ssh login, you can login following the same instructions as before with the exception that you don't have to insert the password in the login page.