
Two-factor authentication (2FA) refers to an authentication method in which a user is granted access to the Cineca HPC systems (currently mandatory to access Leonardo) only after successfully presenting two pieces of evidence (or factors). Verifying your identity, using an independent second factor, prevents other users from logging in with your identity, even if they have the password. Two-factor authentication (hereafter 2FA) therefore adds a further level of security to the authentication for access to services based on the Identity Provider.

The proposed new access mode is entirely transparent to the user, who continues to use the ssh client as usual. At the first connection attempt, a web page will automatically open in the browser and the user will be asked to authenticate to our Identity Provider by entering a One-Time Password (OTP). Once authentication has taken place, the server will issue a timed certificate which can be used to connect to Cineca systems via an SSH client. The certificate is valid for 12 hours after the authentication. When the validity period ends, the user will need to authenticate again with 2FA.

First access

If this is your first access and you need to activate the 2FA, follow the steps below:

After your first access, you can manage from our Identity Provider website (https://sso.hpc.cineca.it) all the issues related to the authentication to our CINECA clusters. For example:

  • reset password
  • re-configure the OTP on your smartphone
  • renew the Recovery Authentications codes

Access to the systems

If you have already activated the 2FA, configured the smallstep client, and downloaded the temporary certificate, you can log in to the CINECA cluster via the usual ssh protocol:

ssh <username>@login.<cluster>.cineca.it

You will be directly logged into the cluster without having to insert the password.

If you would like to connect via Remote Connection Manager (RCM), first download the temporary certificate as for the ssh login. You can then log in following the same instructions as before, except that you do not have to enter the password on the login page.
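
To see how much of the 12-hour validity window a temporary certificate has left before a long session or batch transfer, the following added example (not Cineca's or smallstep's code) reads the validity fields from an OpenSSH user certificate. It assumes the temporary certificate is in the OpenSSH certificate format; the user `jdoe`, the key ID and the sample certificate are constructed for illustration, and the sample is unsigned.

```python
import base64
import struct

# Length-prefixed public-key fields after the nonce, per type (OpenSSH PROTOCOL.certkeys).
KEY_FIELDS = {
    b"ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, public_key
    b"ssh-rsa-cert-v01@openssh.com": 2,              # e, n
}

def _read(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def _pack(b):
    return struct.pack(">I", len(b)) + b

def parse_cert(line):
    """Parse the single line of an OpenSSH *-cert.pub file (signature NOT verified)."""
    blob = base64.b64decode(line.split()[1])
    ktype, off = _read(blob, 0)
    if ktype not in KEY_FIELDS:
        raise ValueError("not a supported OpenSSH certificate type")
    for _ in range(1 + KEY_FIELDS[ktype]):           # skip nonce + key fields
        _, off = _read(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)  # ctype: 1 = user, 2 = host
    key_id, off = _read(blob, off + 12)
    packed, off = _read(blob, off)
    principals, p = [], 0
    while p < len(packed):                           # principals are nested strings
        name, p = _read(packed, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"type": ctype, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def seconds_left(cert, now):
    """Seconds of validity remaining at Unix time `now`; 0 if expired or not yet valid."""
    return max(0, cert["valid_before"] - now) if now >= cert["valid_after"] else 0

def build_sample(issued, lifetime=12 * 3600):
    """Constructed, unsigned Ed25519 user certificate for hypothetical user 'jdoe'."""
    body = (_pack(b"ssh-ed25519-cert-v01@openssh.com") + _pack(b"\0" * 32) + _pack(b"\x01" * 32)
            + struct.pack(">QI", 1, 1) + _pack(b"jdoe@example.org") + _pack(_pack(b"jdoe"))
            + struct.pack(">QQ", issued, issued + lifetime) + _pack(b"") * 5)
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " sample"
```

On a real certificate, pass the contents of the `*-cert.pub` file to `parse_cert` and call `seconds_left(cert, int(time.time()))`; a result of 0 means a new 2FA authentication is needed.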


