Two-factor authentication please read

Jim Leonard jim at xuth.net
Wed Feb 24 22:32:32 EST 2021 

Can there be some means of making it so that subsequent logins for some duration from the same IP don't require more duo acknowlegements?  This will make using git.int.autonlab.org or similar more difficult from anything other than our work desktops because most of us just use netcat scripts that handle the multiple hops in our .ssh files.  Unless you have some suggested better means of doing this.  Alternately providing a means that anyone in the lab can use to get any of our machines onto the VPN so we can access the machines directly without doing the multiple hops.

On Wed, Feb 24, 2021 at 07:01:28PM -0500, Predrag Punosevac wrote:
> Dear Autonians,
> 
> The times of password login or even passwordless with ssh keys are going
> the way of the dinosaurs. The Auton Lab cluster is one of the very few
> services at Carnegie Mellon University which can be accessed with a simple
> password. Shortly this is no longer going to be true. I have just turned on
> 2FA on
> 
> lop2.autonlab.org
> 
> and I will do it shortly on two other shell gateways. ssh access to the
> Auton Lab desktops is restricted only to their rightful owners so 2FA can
> wait a bit on personal desktops.
> 
> At this point, I will need to ask everyone with a valid AndrewID or even
> with an alumni account to log into lop2.autonlab.org and make sure 2FA
> works for you. If you can read your Andrew emails via a browser you should
> not have any problems accessing the Auton Cluster with the same mobile
> device. If I don't hear back from you in the next 7 days I will assume that
> you are dandy and turn on 2FA on all our shell gateways.
> 
> If your username is for some reason different than Andrew's ID we have to
> fix that (I am looking at you interns who became CMU grad students). There
> are in total 18 external accounts presumably without corresponding Andrew
> ID and I have the green light from sponsoring faculty to close most of
> those accounts. This is your last chance to access the system and get your
> belongings before I store them for safekeeping.
> 
> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go GUI
> access. I have little incentive to troubleshoot it as you can use reverse
> SSH proxy per our documentation
> 
> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
> 
> for GUI or Gogs access.
> 
> At this point, we have no intention to turn on 2FA inside the Lab or to
> require 2FA authentication for Version Control Server. Those things are
> located inside the outer perimeter firewall and have satisfactory security
> protection.
> 
> Most Kind Regards,
> Predrag Punosevac

More information about the Autonlab-users mailing list