Two-factor authentication please read

Wed Feb 24 22:50:57 EST 2021

Hi Jim,

I hope you are doing well. You are not the first one to ask. I am
forwarding my original response to a similar question to the mailing list.

"I don't think so but this is still in such an early stage that I am just
speculating. I am fully aware that some corner cases will have to be
encountered and resolved eventually. CMU VPN has nothing to do with us. We
have our own perimeter firewall and consider the rest of the CMU network
hostile. ssh is a poor man VPN and we did evaluate a bunch of VPN
technologies besides ssh. TL:TW. They all appear to be significantly more
involving than what we use now. "

And just to add to the above answer. We could even spend thousands of
dollars for Cisco AnyConnect proprietary appliance as NREC did and you will
still have to use your phone for 2FA challenge.  I do when I log into the
NREC. There is no way around it. Our main adversaries are bitcoin mining
guys. They could care less about anything we do. They want our expensive
computing nodes for cryptocurrency mining. Microsoft guys came up with our
paper and they are advocating 3FA. You need to respond to the
challenging question (last 4 digits of your cell phone) before they send
you a security token if you want to login into hotmail.

Cheers,
Predrag

On Wed, Feb 24, 2021 at 10:32 PM Jim Leonard <jim at xuth.net> wrote:

> Can there be some means of making it so that subsequent logins for some
> duration from the same IP don't require more duo acknowlegements?  This
> will make using git.int.autonlab.org or similar more difficult from
> anything other than our work desktops because most of us just use netcat
> scripts that handle the multiple hops in our .ssh files.  Unless you have
> some suggested better means of doing this.  Alternately providing a means
> that anyone in the lab can use to get any of our machines onto the VPN so
> we can access the machines directly without doing the multiple hops.
>
> On Wed, Feb 24, 2021 at 07:01:28PM -0500, Predrag Punosevac wrote:
> > Dear Autonians,
> >
> > The times of password login or even passwordless with ssh keys are going
> > the way of the dinosaurs. The Auton Lab cluster is one of the very few
> > services at Carnegie Mellon University which can be accessed with a
> simple
> > password. Shortly this is no longer going to be true. I have just turned
> on
> > 2FA on
> >
> > lop2.autonlab.org
> >
> > and I will do it shortly on two other shell gateways. ssh access to the
> > Auton Lab desktops is restricted only to their rightful owners so 2FA can
> > wait a bit on personal desktops.
> >
> > At this point, I will need to ask everyone with a valid AndrewID or even
> > with an alumni account to log into lop2.autonlab.org and make sure 2FA
> > works for you. If you can read your Andrew emails via a browser you
> should
> > not have any problems accessing the Auton Cluster with the same mobile
> > device. If I don't hear back from you in the next 7 days I will assume
> that
> > you are dandy and turn on 2FA on all our shell gateways.
> >
> > If your username is for some reason different than Andrew's ID we have to
> > fix that (I am looking at you interns who became CMU grad students).
> There
> > are in total 18 external accounts presumably without corresponding Andrew
> > ID and I have the green light from sponsoring faculty to close most of
> > those accounts. This is your last chance to access the system and get
> your
> > belongings before I store them for safekeeping.
> >
> > There is a caveat to 2FA. I am fully aware that 2FA will break X2Go GUI
> > access. I have little incentive to troubleshoot it as you can use reverse
> > SSH proxy per our documentation
> >
> > https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
> >
> > for GUI or Gogs access.
> >
> > At this point, we have no intention to turn on 2FA inside the Lab or to
> > require 2FA authentication for Version Control Server. Those things are
> > located inside the outer perimeter firewall and have satisfactory
> security
> > protection.
> >
> > Most Kind Regards,
> > Predrag Punosevac
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210224/2b474ecb/attachment-0001.html>