Two-factor authentication please read

Gus Welter gwelter at andrew.cmu.edu
Thu Feb 25 14:52:06 EST 2021


Some observations/ideas...

I have this in my ~/.ssh/config file:

Host lop1 lop2 bash
    Hostname %h.autonlab.org
    User gwelter
    LocalForward 8080 git:80
Host lov1 lov2 lov3 lov4 lov5 lov6 lov7 lov8 lov9 gpu1 gpu2 gpu3 gpu4 gpu5 gpu6 gpu8 gpu9 gpu10 gpu11 gpu12 gpu13 gpu14 gpu15 gpu16 gpu17 gpu18 gpu19 gpu20 gpu21 gpu22 gpu23 gaia ari athena foxconn low1 git
    Hostname %h.int.autonlab.org
    User gwelter
    ProxyCommand ssh lop2 exec nc %h %p
    LocalForward 8888 localhost:8888
    LocalForward 8889 localhost:8889

If I do "ssh lov3" (which per the config above hops in automatically via lop2),
the Duo push happens automatically, without the menu prompt. The Duo push also
happens automatically with the scp command, FYI.

Furthermore, if you add this to your ~/.ssh/config:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    ControlPersist 180

Once you establish a first ssh tunnel to a machine, subsequent ssh
"connections" will hop over the already-established tunnel and thus you
won't be prompted for duo authentication.

E.g.:
ssh lov3
[duo push]
ssh lov3 # in a separate terminal
[no duo push]

Best,
Gus
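
As an added illustration (not part of Gus's message or the lab's own tooling), the following Python parses a config in this shape, applies ssh_config's first-match-wins rule, and returns the hop chain an alias takes, i.e. which host is contacted first and therefore raises the Duo prompt. The host list is shortened, and the only ProxyCommand form it follows is exactly `ssh X exec nc %h %p`.

```python
import fnmatch

# Constructed sample: the thread's config with its wrapped Host line joined
# back together (ssh_config has no line continuation) and the host list cut.
SSH_CONFIG = """
Host lop1 lop2 bash
    Hostname %h.autonlab.org
    User gwelter
Host lov1 lov2 lov3 gpu1 gpu2 git
    Hostname %h.int.autonlab.org
    User gwelter
    ProxyCommand ssh lop2 exec nc %h %p
Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    ControlPersist 180
"""

def parse(text):
    """Split ssh_config text into (host patterns, options) blocks, in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(key.lower(), value.strip())
    return blocks

def resolve(alias, blocks):
    """Effective options for `alias`: ssh keeps the FIRST value seen per option."""
    opts = {}
    for patterns, block in blocks:
        # fnmatch approximates ssh's * and ? patterns (no '!' negation).
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in block.items():
                opts.setdefault(key, value)
    # %h in Hostname is the alias as typed on the command line.
    opts["hostname"] = opts.get("hostname", "%h").replace("%h", alias)
    return opts

def hop_chain(alias, blocks):
    """Hosts contacted for `ssh alias`, gateway first (that is where Duo prompts)."""
    opts = resolve(alias, blocks)
    parts = opts.get("proxycommand", "").split()
    via = parts[1] if parts[:1] == ["ssh"] and parts[2:] == ["exec", "nc", "%h", "%p"] else None
    chain = hop_chain(via, blocks) if via else []
    return chain + [opts["hostname"]]
```

Because a ControlPersist socket lets any later `ssh` reuse the already Duo-approved session for 180 seconds after the last client exits, the ControlPath must live in a directory only the user can access, which ~/.ssh normally is.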


On Thu, Feb 25, 2021 at 12:47 PM Predrag Punosevac <predragp at andrew.cmu.edu>
wrote:

> Hi Jim,
>
> The majority of the lab infrastructure users are cloud based and don't have
> the lab issued desktops. Safely distributing and more importantly
> maintaining (keeping them safe) OpenVPN cryptographic credentials on the
> client side would be even more challenging. I have no problem getting
> OpenVPN cryptographic credentials to people who want to use it. However, I
> will not support clients nor troubleshoot your home networks.
> FYI we have used 2FA for several years now for a specific purpose and it
> worked as desired. You have an Auton Lab desktop so I don't see how this
> change is affecting you in an adversarial way.
>
> Cheers,
> Predrag
>
>
> On Thu, Feb 25, 2021, 12:05 PM Jim Leonard <jim at xuth.net> wrote:
>
>> We already have an Auton Lab VPN deployed that has worked fairly reliably
>> for at least as long as I've been in the lab.  Why are we not building on
>> this instead?  Were this built upon and provided to everyone in the lab
>> rather than just having Predrag install credentials on the work desktops,
>> all of the issues/concerns discussed would be moot (there would be other
>> issues but I don't think that they would be show stoppers).
>>
>> On Thu, Feb 25, 2021 at 11:14:46AM -0500, Biswajit Paria wrote:
>> > Thank you Predrag, for trying to accommodate all our requests, while
>> > keeping the security of our servers in mind.
>> > I just wanted to +1 on Jim's comment. My workflow is in a similar
>> > situation (requires a lot of ssh-ing), and it would be extremely
>> > convenient to remember our devices for some duration.
>> > Hoping that we converge to a solution that is a little more convenient.
>> >
>> > Best,
>> > Biswajit
>> >
>> > On Thu, Feb 25, 2021 at 10:15 AM Predrag Punosevac <predragp at andrew.cmu.edu>
>> > wrote:
>> >
>> > > No. I don't control the Duo server. I am almost 95% sure that the no to
>> > > Jim and some other guys is due to the same reason. We use the same Duo
>> > > server as CMU and their identity office is setting defaults. I have
>> > > received 2 dozen emails and it appears that I have more things to do
>> > > than originally anticipated. It will take me a few weeks to clear the
>> > > issues.
>> > >
>> > > P^2
>> > >
>> > > On Thu, Feb 25, 2021, 10:06 AM Anthony Wertz <awertz at cmu.edu> wrote:
>> > >
>> > >> Worked for me. I wonder, since there’s only one option (duo push) can
>> > >> that be selected automatically? I know I’m being lazy asking you to
>> > >> save us two keystrokes, but…. I’m lazy. :-)
>> > >>
>> > >>
>> > >> - Anthony
>> > >>
>> > >> On Feb. 24, 2021, at 19:01, Predrag Punosevac <predragp at andrew.cmu.edu>
>> > >> wrote:
>> > >>
>> > >> Dear Autonians,
>> > >>
>> > >> The times of password login or even passwordless with ssh keys are
>> > >> going the way of the dinosaurs. The Auton Lab cluster is one of the
>> > >> very few services at Carnegie Mellon University which can be accessed
>> > >> with a simple password. Shortly this is no longer going to be true. I
>> > >> have just turned on 2FA on
>> > >>
>> > >> lop2.autonlab.org
>> > >>
>> > >> and I will do it shortly on two other shell gateways. ssh access to
>> > >> the Auton Lab desktops is restricted only to their rightful owners so
>> > >> 2FA can wait a bit on personal desktops.
>> > >>
>> > >> At this point, I will need to ask everyone with a valid AndrewID or
>> > >> even with an alumni account to log into lop2.autonlab.org and make
>> > >> sure 2FA works for you. If you can read your Andrew emails via a
>> > >> browser you should not have any problems accessing the Auton Cluster
>> > >> with the same mobile device. If I don't hear back from you in the next
>> > >> 7 days I will assume that you are dandy and turn on 2FA on all our
>> > >> shell gateways.
>> > >>
>> > >> If your username is for some reason different than Andrew's ID we
>> > >> have to fix that (I am looking at you interns who became CMU grad
>> > >> students). There are in total 18 external accounts presumably without
>> > >> corresponding Andrew ID and I have the green light from sponsoring
>> > >> faculty to close most of those accounts. This is your last chance to
>> > >> access the system and get your belongings before I store them for
>> > >> safekeeping.
>> > >>
>> > >> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go
>> > >> GUI access. I have little incentive to troubleshoot it as you can use
>> > >> reverse SSH proxy per our documentation
>> > >>
>> > >> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
>> > >>
>> > >> for GUI or Gogs access.
>> > >>
>> > >> At this point, we have no intention to turn on 2FA inside the Lab or
>> > >> to require 2FA authentication for Version Control Server. Those things
>> > >> are located inside the outer perimeter firewall and have satisfactory
>> > >> security protection.
>> > >>
>> > >> Most Kind Regards,
>> > >> Predrag Punosevac
>> > >>
>> >
>> > --
>> > Biswajit Paria
>> > PhD student
>> > Machine Learning Department
>> > Carnegie Mellon University
>>
>