Two-factor authentication please read

Predrag Punosevac predragp at andrew.cmu.edu
Thu Feb 25 15:07:38 EST 2021


Gus thanks a bunch!

These are the kind of ideas I really appreciate. Updating documentation is
on my to-do list and this will be the very first thing to be added.  I wish
we still lived in a ladies/gentlemen world but we don't. I really don't
enjoy turning knobs and making people do extra steps to do their daily
business.

Cheers,
Predrag

On Thu, Feb 25, 2021 at 2:53 PM Gus Welter <gwelter at andrew.cmu.edu> wrote:

> Some observations/ideas...
>
> I have this in my ~/.ssh/config file:
>
> Host lop1 lop2 bash
>     Hostname %h.autonlab.org
>     User gwelter
>     LocalForward 8080 git:80
> Host lov1 lov2 lov3 lov4 lov5 lov6 lov7 lov8 lov9 gpu1 gpu2 gpu3 gpu4 gpu5 gpu6 gpu8 gpu9 gpu10 gpu11 gpu12 gpu13 gpu14 gpu15 gpu16 gpu17 gpu18 gpu19 gpu20 gpu21 gpu22 gpu23 gaia ari athena foxconn low1 git
>     Hostname %h.int.autonlab.org
>     User gwelter
>     ProxyCommand ssh lop2 exec nc %h %p
>     LocalForward 8888 localhost:8888
>     LocalForward 8889 localhost:8889
>
> If I do "ssh lov3" (which per the config above hops in automatically via
> lop2), the duo push happens automatically at the menu prompt. The duo push also
> happens automatically with the scp command, FYI.
>
> Furthermore, if you add this to your ~/.ssh/config:
>
> Host *
>     ControlMaster auto
>     ControlPath ~/.ssh/master-%r@%h:%p
>     ControlPersist 180
>
> Once you establish a first ssh tunnel to a machine, subsequent ssh
> "connections" will hop over the already-established tunnel and thus you
> won't be prompted for duo authentication.
>
> E.g.:
> ssh lov3
> [duo push]
> ssh lov3 # in a separate terminal
> [no duo push]
>
> Best,
> Gus
>
>
> On Thu, Feb 25, 2021 at 12:47 PM Predrag Punosevac <
> predragp at andrew.cmu.edu> wrote:
>
>> Hi Jim,
>>
>> The majority of the lab infrastructure users are cloud based and don't have
>> lab-issued desktops. Safely distributing and, more importantly,
>> maintaining (keeping them safe) OpenVPN cryptographic credentials on the
>> client side would be even more challenging. I have no problem getting
>> OpenVPN cryptographic credentials to people who want to use it. However, I
>> will not support clients nor troubleshoot your home networks.
>> FYI, we have used 2FA for several years now
>> for a specific purpose and it worked as desired. You have an Auton Lab
>> desktop, so I don't see how this change is affecting you in an adversarial way.
>>
>> Cheers,
>> Predrag
>>
>>
>> On Thu, Feb 25, 2021, 12:05 PM Jim Leonard <jim at xuth.net> wrote:
>>
>>> We already have an Auton Lab VPN deployed that has worked fairly
>>> reliably for at least as long as I've been in the lab.  Why are we not
>>> building on this instead?  Were this built upon and provided to everyone in
>>> the lab rather than just having Predrag install credentials on the work
>>> desktops, all of the issues/concerns discussed would be moot (there would
>>> be other issues but I don't think that they would be show stoppers).
>>>
>>> On Thu, Feb 25, 2021 at 11:14:46AM -0500, Biswajit Paria wrote:
>>> > Thank you Predrag, for trying to accommodate all our requests, while
>>> > keeping the security of our servers in mind.
>>> > I just wanted to +1 on Jim's comment. My workflow is in a similar situation
>>> > (requires a lot of ssh-ing), and it would be extremely convenient to
>>> > remember our devices for some duration.
>>> > Hoping that we converge to a solution that is a little more convenient.
>>> >
>>> > Best,
>>> > Biswajit
>>> >
>>> > On Thu, Feb 25, 2021 at 10:15 AM Predrag Punosevac <predragp at andrew.cmu.edu> wrote:
>>> >
>>> > > No. I don't control the Duo server. I am almost 95% sure that no to Jim
>>> > > and some other guys is due to the same reason. We use the same Duo server
>>> > > as CMU and their identity office is setting defaults. I have received 2
>>> > > dozen emails and it appears that I have more things to do than originally
>>> > > anticipated. It will take me a few weeks to clear the issues.
>>> > >
>>> > > P^2
>>> > >
>>> > > On Thu, Feb 25, 2021, 10:06 AM Anthony Wertz <awertz at cmu.edu> wrote:
>>> > >
>>> > >> Worked for me. I wonder, since there’s only one option (duo push) can
>>> > >> that be selected automatically? I know I’m being lazy asking you to save us
>>> > >> two keystrokes, but…. I’m lazy. :-)
>>> > >>
>>> > >>
>>> > >> - Anthony
>>> > >>
>>> > >> On Feb 24, 2021, at 19:01, Predrag Punosevac <predragp at andrew.cmu.edu> wrote:
>>> > >>
>>> > >> Dear Autonians,
>>> > >>
>>> > >> The times of password login or even passwordless with ssh keys are going
>>> > >> the way of the dinosaurs. The Auton Lab cluster is one of the very few
>>> > >> services at Carnegie Mellon University which can be accessed with a simple
>>> > >> password. Shortly this is no longer going to be true. I have just turned on
>>> > >> 2FA on
>>> > >>
>>> > >> lop2.autonlab.org
>>> > >>
>>> > >> and I will do it shortly on two other shell gateways. ssh access to the
>>> > >> Auton Lab desktops is restricted only to their rightful owners so 2FA can
>>> > >> wait a bit on personal desktops.
>>> > >>
>>> > >> At this point, I will need to ask everyone with a valid AndrewID or even
>>> > >> with an alumni account to log into lop2.autonlab.org and make sure 2FA
>>> > >> works for you. If you can read your Andrew emails via a browser you should
>>> > >> not have any problems accessing the Auton Cluster with the same mobile
>>> > >> device. If I don't hear back from you in the next 7 days I will assume that
>>> > >> you are dandy and turn on 2FA on all our shell gateways.
>>> > >>
>>> > >> If your username is for some reason different than Andrew's ID we have to
>>> > >> fix that (I am looking at you interns who became CMU grad students). There
>>> > >> are in total 18 external accounts presumably without corresponding Andrew
>>> > >> ID and I have the green light from sponsoring faculty to close most of
>>> > >> those accounts. This is your last chance to access the system and get your
>>> > >> belongings before I store them for safekeeping.
>>> > >>
>>> > >> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go GUI
>>> > >> access. I have little incentive to troubleshoot it as you can use reverse
>>> > >> SSH proxy per our documentation
>>> > >>
>>> > >> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
>>> > >>
>>> > >> for GUI or Gogs access.
>>> > >>
>>> > >> At this point, we have no intention to turn on 2FA inside the Lab or to
>>> > >> require 2FA authentication for Version Control Server. Those things are
>>> > >> located inside the outer perimeter firewall and have satisfactory security
>>> > >> protection.
>>> > >>
>>> > >> Most Kind Regards,
>>> > >> Predrag Punosevac
>>> > >>
>>> >
>>> > --
>>> > Biswajit Paria
>>> > PhD student
>>> > Machine Learning Department
>>> > Carnegie Mellon University
>>>
>>
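The ControlMaster/ControlPersist trick Gus describes above works because the multiplexed master connection has already passed Duo, so every later session that attaches to its socket inherits that authentication. Below is an added example, not code from the thread or from the lab: a POSIX shell check that reads an ssh_config and flags ControlPersist lifetimes that stretch that reuse window, and ControlPath sockets placed in a shared temp directory. The 600 s threshold and the sample config file are constructed for the example.

```shell
# Added example (not from the thread): audit an ssh_config for multiplexing
# settings that let a Duo-authenticated master connection be reused for too
# long or from a shared directory. A live ControlPath socket is effectively a
# cached second factor, so its lifetime and location deserve the same care.
audit_ssh_config() {
    awk -v limit="${2:-600}" '
    # ControlPersist takes yes/no, seconds, or one unit suffix (s, m, h, d, w);
    # compound values such as 1h30m are not parsed here and yield -1.
    function secs(v,    n, u) {
        if (v ~ /^[0-9]+$/) return v + 0
        if (v ~ /^[0-9]+[smhdw]$/) {
            n = substr(v, 1, length(v) - 1) + 0
            u = substr(v, length(v))
            return n * (u == "s" ? 1 : u == "m" ? 60 : u == "h" ? 3600 : u == "d" ? 86400 : 604800)
        }
        return -1
    }
    BEGIN { host = "(global)" }
    NF == 0 || $1 ~ /^#/ { next }                        # skip blanks and comments
    { key = tolower($1); if (key == "host") host = $0 }  # remember the current stanza
    key == "controlpersist" {
        v = tolower($2)
        if (v == "yes") print "ControlPersist yes: master stays open indefinitely [" host "]"
        else if (secs(v) > limit) print "ControlPersist " $2 " exceeds " limit "s [" host "]"
    }
    key == "controlpath" && $2 ~ /^\/(var\/)?tmp\// {
        print "ControlPath " $2 " lives in a shared temp directory [" host "]"
    }' "$1"
}

# Number of findings (0 = clean); the 600 s default threshold is a constructed policy value.
count_findings() {
    audit_ssh_config "$1" "$2" | grep -c . || true
}

# Constructed sample: the thread's 180 s stanza next to a deliberately weak one.
SAMPLE_CFG="${TMPDIR:-/tmp}/ssh_config_sample.$$"
cat > "$SAMPLE_CFG" <<'EOF'
Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    ControlPersist 180
Host lab-weak
    ControlMaster auto
    ControlPath /tmp/ssh-%r@%h:%p
    ControlPersist yes
EOF

audit_ssh_config "$SAMPLE_CFG"
```

With the defaults only the `lab-weak` stanza is reported; lowering the threshold to 100 s also flags the 180 s stanza, which is how a site policy on reuse windows would be expressed.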