Two-Factor Authentication (2fa)

Predrag Punosevac predragp at andrew.cmu.edu
Wed Jun 27 15:32:00 EDT 2018


Dear Autonians,

I would like to give you a heads-up regarding incoming changes in how you
log in remotely using ssh into the Auton Lab machines.

As you know, the Internet is becoming one large cyber battlefield and we will
have to take things to the next level. Before the beginning of the Fall
semester I will enable DuoUnix Two-Factor Authentication (2fa) on our
gateways as well as force people to use ssh-keys instead of passwords
(unfortunately I can't enforce password-protected ssh-keys, which you
should do anyway).

https://duo.com/docs/duounix

I have already acquired the Integration key, Secret Key, and API Hostname
from the School of Computer Science as they cost $3-$5 per user per
month depending on the service level when purchased directly from the
company. I have already tested them and it works like a charm. However,
both the users and I (your system admin) will have to do a few things
before I can turn on 2fa.

You are probably doing this already, but if you have not done it before
you will have to register your smartphone or tablet:

https://www.cmu.edu/computing/services/security/identity-access/authentication/how-to/2fa-register.html

In order to do that you will have to have a valid CMU card (students,
faculty, and staff). That will create an immediate problem with the
Auton Lab affiliates who don't have CMU affiliation. I will have to
think about how to resolve that problem (possibly creating a less secure
gateway just for those users). I know that some of you have opted out for the
school-provided devices instead of installing the Duo Mobile applet. I am
not in a position to accommodate such requests and in reality your
smartphone is already spyware. If you don't install the Duo Mobile applet you
will have to physically come to school and use one of our desktops
(although I am not sure how long you will be able to use them
without CAC).

On my side I have to make sure that all usernames and e-mail addresses
in the Auton Lab LDAP database are exactly the same as your CMU Andrew
userid. I know at least one Auton Lab account holder (me) whose Andrew
userid was different (until today) than his Auton Lab userid.

Thank you for your kind cooperation and patience with this matter.

Sincerely,
Predrag Punosevac

