Two-factor authentication please read

Thu Feb 25 12:45:45 EST 2021

Hi Jim,

Majority of the lab infrastructure users are cloud based and don't have the
lab issued desktops. Safely distributing and more importantly maintaining
(keeping them safe) OpenVPN cryptographic credentials on the client side
would be even more challenging. I have no problem getting OpenVPN
cryptographic credentials to people who want to use it. However, I will not
support clients nor troubleshoot your home networks.
FYI we have used 2FA for several years now
for specific purpose and it worked as desired. You have an Auton Lab
desktop so I don't see how is this change affecting you in adversarial way.

Cheers,
Predrag

On Thu, Feb 25, 2021, 12:05 PM Jim Leonard <jim at xuth.net> wrote:

> We already have an Auton Lab VPN deployed that has worked fairly reliably
> for at least as long as I've been in the lab.  Why are we not building on
> this instead?  Were this built upon and provided to everyone in the lab
> rather than just having Predrag install credentials on the work desktops,
> all of the issues/concerns discussed would be moot (there would be other
> issues but I don't think that they would be show stoppers).
>
> On Thu, Feb 25, 2021 at 11:14:46AM -0500, Biswajit Paria wrote:
> > Thank you Predrag, for trying to accommodate all our requests, while
> > keeping the security of our servers in mind.
> > I just wanted to +1 on Jim's comment. My workflow is in a similar
> situation
> > (requires a lot of ssh-ing), and it would be extremely convenient to
> > remember our devices for some duration.
> > Hoping that we converge to a solution that is a little more convenient.
> >
> > Best,
> > Biswajit
> >
> > On Thu, Feb 25, 2021 at 10:15 AM Predrag Punosevac <
> predragp at andrew.cmu.edu>
> > wrote:
> >
> > > No. I don't control the Duo server. I am almost 95% sure that no to Jim
> > > and some other guys is due to the same reason. We use the same Duo
> server
> > > as CMU and their identity office is setting defaults. I have received 2
> > > dozen emails and it appears that I have more things to do than
> originally
> > > anticipated. It will take me a few weeks to clear the issues.
> > >
> > > P^2
> > >
> > > On Thu, Feb 25, 2021, 10:06 AM Anthony Wertz <awertz at cmu.edu> wrote:
> > >
> > >> Worked for me. I wonder, since there’s only one option (duo push) can
> > >> that be selected automatically? I know I’m being lazy asking you to
> save us
> > >> two keystrokes, but…. I’m lazy. :-)
> > >>
> > >>
> > >> - Anthony
> > >>
> > >> El feb. 24, 2021, a las 19:01, Predrag Punosevac <
> predragp at andrew.cmu.edu>
> > >> escribió:
> > >>
> > >> Dear Autonians,
> > >>
> > >> The times of password login or even passwordless with ssh keys are
> going
> > >> the way of the dinosaurs. The Auton Lab cluster is one of the very few
> > >> services at Carnegie Mellon University which can be accessed with a
> simple
> > >> password. Shortly this is no longer going to be true. I have just
> turned on
> > >> 2FA on
> > >>
> > >> lop2.autonlab.org
> > >>
> > >> and I will do it shortly on two other shell gateways. ssh access to
> the
> > >> Auton Lab desktops is restricted only to their rightful owners so 2FA
> can
> > >> wait a bit on personal desktops.
> > >>
> > >> At this point, I will need to ask everyone with a valid AndrewID or
> even
> > >> with an alumni account to log into lop2.autonlab.org and make sure
> 2FA
> > >> works for you. If you can read your Andrew emails via a browser you
> should
> > >> not have any problems accessing the Auton Cluster with the same mobile
> > >> device. If I don't hear back from you in the next 7 days I will
> assume that
> > >> you are dandy and turn on 2FA on all our shell gateways.
> > >>
> > >> If your username is for some reason different than Andrew's ID we
> have to
> > >> fix that (I am looking at you interns who became CMU grad students).
> There
> > >> are in total 18 external accounts presumably without corresponding
> Andrew
> > >> ID and I have the green light from sponsoring faculty to close most of
> > >> those accounts. This is your last chance to access the system and get
> your
> > >> belongings before I store them for safekeeping.
> > >>
> > >> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go
> GUI
> > >> access. I have little incentive to troubleshoot it as you can use
> reverse
> > >> SSH proxy per our documentation
> > >>
> > >>
> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
> > >>
> > >> for GUI or Gogs access.
> > >>
> > >> At this point, we have no intention to turn on 2FA inside the Lab or
> to
> > >> require 2FA authentication for Version Control Server. Those things
> are
> > >> located inside the outer perimeter firewall and have satisfactory
> security
> > >> protection.
> > >>
> > >> Most Kind Regards,
> > >> Predrag Punosevac
> > >>
> > >>
> > >>
> > >>
> > >>
> >
> > --
> > Biswajit Paria
> > PhD student
> > Machine Learning Department
> > Carnegie Mellon University
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210225/ca299bcd/attachment.html>