Two-factor authentication please read

Biswajit Paria bparia at cs.cmu.edu
Thu Feb 25 11:14:46 EST 2021


Thank you Predrag, for trying to accommodate all our requests, while
keeping the security of our servers in mind.
I just wanted to +1 on Jim's comment. My workflow is in a similar situation
(requires a lot of ssh-ing), and it would be extremely convenient to
remember our devices for some duration.
Hoping that we converge to a solution that is a little more convenient.

Best,
Biswajit

On Thu, Feb 25, 2021 at 10:15 AM Predrag Punosevac <predragp at andrew.cmu.edu>
wrote:

> No. I don't control the Duo server. I am almost 95% sure that no to Jim
> and some other guys is due to the same reason. We use the same Duo server
> as CMU and their identity office is setting defaults. I have received 2
> dozen emails and it appears that I have more things to do than originally
> anticipated. It will take me a few weeks to clear the issues.
>
> P^2
>
> On Thu, Feb 25, 2021, 10:06 AM Anthony Wertz <awertz at cmu.edu> wrote:
>
>> Worked for me. I wonder, since there’s only one option (duo push) can
>> that be selected automatically? I know I’m being lazy asking you to save us
>> two keystrokes, but…. I’m lazy. :-)
>>
>>
>> - Anthony
>>
>> On Feb 24, 2021, at 19:01, Predrag Punosevac <predragp at andrew.cmu.edu>
>> wrote:
>>
>> Dear Autonians,
>>
>> The times of password login or even passwordless with ssh keys are going
>> the way of the dinosaurs. The Auton Lab cluster is one of the very few
>> services at Carnegie Mellon University which can be accessed with a simple
>> password. Shortly this is no longer going to be true. I have just turned on
>> 2FA on
>>
>> lop2.autonlab.org
>>
>> and I will do it shortly on two other shell gateways. ssh access to the
>> Auton Lab desktops is restricted only to their rightful owners so 2FA can
>> wait a bit on personal desktops.
>>
>> At this point, I will need to ask everyone with a valid AndrewID or even
>> with an alumni account to log into lop2.autonlab.org and make sure 2FA
>> works for you. If you can read your Andrew emails via a browser you should
>> not have any problems accessing the Auton Cluster with the same mobile
>> device. If I don't hear back from you in the next 7 days I will assume that
>> you are dandy and turn on 2FA on all our shell gateways.
>>
>> If your username is for some reason different than Andrew's ID we have to
>> fix that (I am looking at you interns who became CMU grad students). There
>> are in total 18 external accounts presumably without corresponding Andrew
>> ID and I have the green light from sponsoring faculty to close most of
>> those accounts. This is your last chance to access the system and get your
>> belongings before I store them for safekeeping.
>>
>> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go GUI
>> access. I have little incentive to troubleshoot it as you can use reverse
>> SSH proxy per our documentation
>>
>> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
>>
>> for GUI or Gogs access.
>>
>> At this point, we have no intention to turn on 2FA inside the Lab or to
>> require 2FA authentication for Version Control Server. Those things are
>> located inside the outer perimeter firewall and have satisfactory security
>> protection.
>>
>> Most Kind Regards,
>> Predrag Punosevac
>>
>>
>>
>>
>>

-- 
Biswajit Paria
PhD student
Machine Learning Department
Carnegie Mellon University