Difference between revisions of "Authentication With MFA"

From UFRC
Jump to navigation Jump to search
 
(13 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{Note | Effective October 18, 2021, Research Computing will require Multi-Factor Authentication for access to HiPerGator|warn}}
+
{|align=right
 
+
  |__TOC__
 
+
  |}
=== Why is This Happening? ===
+
UF is a high-value target for attacks designed to steal research data and intellectual discoveries. Since adopting multi-factor authentication, UF has seen a 99.7% decrease in compromised accounts. MFA prevents unauthorized access to your HiPerGator account by requiring a second authentication method in addition to your GatorLink credentials, such as your mobile device. A malicious agent - whether a person or an automated mechanism - trying to compromise your account is far less likely to gain access to both the knowledge of your credentials and the physical factor necessary to authenticate. You will need to [https://it.ufl.edu/2fa/ sign up for Duo Authentication].
 
 
UF is a high-value target for attacks designed to steal research data and intellectual discoveries. This change is part of our ongoing efforts to strengthen the university’s security posture. Since adopting multi-factor authentication, UF has seen a 99.7% decrease in compromised accounts. MFA prevents unauthorized access to your HiPerGator account by requiring a second authentication method in addition to your GatorLink credentials. Think of the username and password as something that you ''know'' and a second factor as something you ''have'' e.g. a mobile device with a DUO app that MFA can 'push' a request to confirm your login to or a phone number MFA can call. A malicious agent - whether a person or an automated mechanism - trying to compromise your account is far less likely to gain access to both the knowledge of your credentials and the physical factor necessary to authenticate.
 
  
 
=== How Does This Change the User Experience? ===
 
=== How Does This Change the User Experience? ===
 
+
Users will see a text menu asking them to select an MFA method as the second step during SSH authentication. Available methods are based on what you have configured in the [https://account.it.ufl.edu/2FA/enrollDevice My Two-Factor page] . Anyone who has used other UF services, like myUFL or ONE.UF, will be familiar with this process. In short, you can either enter a Duo code, or select one of the menu options to proceed with that choice.
Once implemented, users will see a text menu asking them to select an MFA method as the second step during SSH authentication. Available methods are based on what you have configured in the [https://account.it.ufl.edu/2FA/enrollDevice My Two-Factor page] . Anyone who has used other UF services, like myUFL or ONE.UF, will be familiar with this process. In short, you can either enter a Duo code, or select one of the menu options to proceed with that choice.
 
 
 
[[File:SSH w MFA.png|frameless|right|SSH with MFA video screenshot | link = "https://mediasite.video.ufl.edu/Mediasite/Play/b475e2428e0445138d76b31106c029f51d"]]
 
  
 
The [https://mediasite.video.ufl.edu/Mediasite/Play/b475e2428e0445138d76b31106c029f51d short video here] demonstrates the process of logging in with an ssh client using a password. After the password is entered, the terminal prompts for a Duo passcode (e.g. 6-digit code from a token or Duo application) or allows you to select from one of your pre-configured MFA options using a numerical selection.
 
The [https://mediasite.video.ufl.edu/Mediasite/Play/b475e2428e0445138d76b31106c029f51d short video here] demonstrates the process of logging in with an ssh client using a password. After the password is entered, the terminal prompts for a Duo passcode (e.g. 6-digit code from a token or Duo application) or allows you to select from one of your pre-configured MFA options using a numerical selection.
 
=== What if I Don't have Duo MFA Enabled? ===
 
 
If your account is not registered with UF's Duo MFA service, you will see an error like this:
 
We're sorry, access is not allowed because you are not enrolled. Please contact your organization's IT help desk for assistance.
 
You will need to [https://it.ufl.edu/2fa/ sign up for Duo Authentication].
 
  
 
===Using MFA with GUI SFTP Programs===
 
===Using MFA with GUI SFTP Programs===
Line 24: Line 13:
 
* WinSCP, Bitvise and Cyberduck work with Duo 2FA out of the box. Bitvise uses [[SSH Multiplexing]] automatically, so you can both perform SFTP transfers and open a terminal in the same ssh session without having to re-authorize.
 
* WinSCP, Bitvise and Cyberduck work with Duo 2FA out of the box. Bitvise uses [[SSH Multiplexing]] automatically, so you can both perform SFTP transfers and open a terminal in the same ssh session without having to re-authorize.
 
* For CyberDuck, to use password-based authentication and only require one MFA push per session (rather than for each file) change the preferences:[[File:CyberDuck transfer browser.png|frameless|right|Screenshot of the CyberDuck options to use Browser Connection]]
 
* For CyberDuck, to use password-based authentication and only require one MFA push per session (rather than for each file) change the preferences:[[File:CyberDuck transfer browser.png|frameless|right|Screenshot of the CyberDuck options to use Browser Connection]]
** From the Edit menu > Preferences > Transfers > General
+
** From the Edit menu > Preferences > Transfers > General. Then select "Use browser connection" from the drop down menu
** Select "Use browser connection" from the drop down menu
 
 
 
* FileZilla requires additional configuration. First of all, the ''Quickconnect'' mode will not work as it only uses the 'Normal' logon type, which doesn't work with 2FA. For password authentication with 2FA you must set up a connection profile in site manager with an 'Interactive' Logon Type. In addition, set the number of simultaneous connections to '1' in the Transfer Settings for the site or you will get a Duo prompt for each file transfer. If you want to use key authentication with FileZilla you'll have to load a working key into an SSH agent like 'pageant' and use the 'Interactive' logon type.
 
  
 
===Connecting via Terminal to the Command Line===
 
===Connecting via Terminal to the Command Line===
  
If you are using username/password authentication to connect your terminal to the HiPerGator command line then the process does not change much from what it was before, as documented in [[Getting_Started#Connecting_to_HiPerGator]]
+
If you are using username/password authentication to connect your terminal to the HiPerGator command line then the process does not change much from what it was before, as documented in [[https://help.rc.ufl.edu/doc/HPG_Interfaces HPG Interfaces]]
 
After you authenticate with your GatorLink Password you will then be prompted for Duo two-factor authentication.  The entire session should look like this:
 
After you authenticate with your GatorLink Password you will then be prompted for Duo two-factor authentication.  The entire session should look like this:
 +
<div class="mw-collapsible mw-collapsed" style="width:70%; padding: 5px; border: 1px solid gray;">
 +
''Expand this section to view example session.''
 +
<div class="mw-collapsible-content" style="padding: 5px;">
  
 
   Using username "GatorLinkUsername".
 
   Using username "GatorLinkUsername".
Line 47: Line 36:
 
   Passcode or option (1-2):  
 
   Passcode or option (1-2):  
 
   Success. Logging you in...
 
   Success. Logging you in...
 +
</div></div>
  
 
=== How can I use SSH keys for authentication? ===
 
=== How can I use SSH keys for authentication? ===
  
If you have setup SSH key-based authentication, you will need to configure your client to connect to hpg.rc.ufl.edu using port 2222. You will still be prompted for Duo MFA as above. See the examples below.
+
See the guide for setup at [[Using SSH Keys To Access HPG | SSH Keys]]. After this, you won't require password, but will still be prompted for Duo MFA as above.  
 
 
==== SSH Key Authentication from the Command Line====
 
 
 
  ssh -p 2222 GatorLink@hpg.rc.ufl.edu
 
  SSH-Key Auth
 
  (GatorLink@hpg.rc.ufl.edu) Duo two-factor login for GatorLink@ufl.edu
 
 
 
  Enter a passcode or select one of the following options:
 
 
 
  1. Duo Push to XXX-XXX-1234
 
  2. Phone call to XXX-XXX-1234
 
  3. Phone call to XXX-XXX-1234
 
 
 
  Passcode or option (1-3): 1
 
  Success. Logging you in...
 
 
 
==== SSH Key Authentication Using a SSH Config File ====
 
 
 
If you are using an SSH config file (e.g. <code>~/.ssh/config</code>), add the PORT option:
 
 
 
Host hpg
 
    HostName hpg.rc.ufl.edu
 
    User GatorLink
 
    Port 2222
 
    IdentityFile ~/.ssh/id_rsa
 
  
 
==== Using SSH Keys with SFTP clients ====
 
==== Using SSH Keys with SFTP clients ====
Line 82: Line 47:
 
* Bitvise: See [https://www.bitvise.com/getting-started-public-key-bitvise BitVise documentation].
 
* Bitvise: See [https://www.bitvise.com/getting-started-public-key-bitvise BitVise documentation].
 
* CyberDuck: See [https://trac.cyberduck.io/wiki/help/en/howto/sftp CyberDuck documentation].
 
* CyberDuck: See [https://trac.cyberduck.io/wiki/help/en/howto/sftp CyberDuck documentation].
* FileZilla: See [https://wiki.filezilla-project.org/Howto FileZilla documentation].
 
 
  
 
=== Using SSH Multiplexing to reduce the number of MFA authentications needed ===
 
=== Using SSH Multiplexing to reduce the number of MFA authentications needed ===
Line 92: Line 55:
 
==Common Errors==
 
==Common Errors==
  
====Attempting to use SSH Key Authentication, but you did not use the '-p 2222' argument on the command line, or did not put 'Port 2222' in your SSH config file====
+
====Attempting to use SSH Key Authentication, without setting port 2222====
  
 
Without the proper port being specified you will be connected to a login server which will ignore your SSH Key.  You will be prompted for a password, but depending on your terminal client and configuration you might not see that prompt.  Eventually, multiple failures of the password login will lead to our security software blocking your client due to too many incorrect password attempts, and eventually you may see 'Connection reset by peer' when trying to log in.
 
Without the proper port being specified you will be connected to a login server which will ignore your SSH Key.  You will be prompted for a password, but depending on your terminal client and configuration you might not see that prompt.  Eventually, multiple failures of the password login will lead to our security software blocking your client due to too many incorrect password attempts, and eventually you may see 'Connection reset by peer' when trying to log in.
Line 98: Line 61:
 
Solution: ensure that you're specifying the correct port for SSH Key Authentication as specified above.  If you're receiving the 'Connection reset by peer' error message you will need to open a Support Request to ask that your HiPerGator user account be unblocked.
 
Solution: ensure that you're specifying the correct port for SSH Key Authentication as specified above.  If you're receiving the 'Connection reset by peer' error message you will need to open a Support Request to ask that your HiPerGator user account be unblocked.
  
====Attempting to use SSH Key Authentication, you connect to port 2222 but you do not present an SSH Key during the login process====
+
====Attempting to use SSH Key Authentication, 2222 connects but without SSH Key====
  
 
This is the opposite case to the above issue, in that you're now connecting to a login host which is expecting an SSH Key file but never sending one.  A number of invisible errors will happen behind the scenes, and you will eventually see an error message similar to "Server sent: public key"
 
This is the opposite case to the above issue, in that you're now connecting to a login host which is expecting an SSH Key file but never sending one.  A number of invisible errors will happen behind the scenes, and you will eventually see an error message similar to "Server sent: public key"
Line 108: Line 71:
 
Upon login you'll receive an error stating "Not Enrolled".
 
Upon login you'll receive an error stating "Not Enrolled".
  
Solution: Please see the section above: "What if I Don't have Duo MFA Enabled?".  You will need to sign up for Duo Authentication.
+
Solution: You will need to sign up for Duo Authentication. There is a minimal chance that a misconfiguration in our system could be producing this error, so if you are certain that your GatorLink account has been signed up for Duo Authentication then open a Support Request stating that you're receiving the 'Not Enrolled' error when trying to log in.
There is a minimal chance that a misconfiguration in our system could be producing this error, so if you are certain that your GatorLink account has been signed up for Duo Authentication then open a Support Request stating that you're receiving the 'Not Enrolled' error when trying to log in.
 

Latest revision as of 21:10, 14 July 2023

UF is a high-value target for attacks designed to steal research data and intellectual discoveries. Since adopting multi-factor authentication, UF has seen a 99.7% decrease in compromised accounts. MFA prevents unauthorized access to your HiPerGator account by requiring a second authentication method in addition to your GatorLink credentials, such as your mobile device. A malicious agent - whether a person or an automated mechanism - trying to compromise your account is far less likely to gain access to both the knowledge of your credentials and the physical factor necessary to authenticate. You will need to sign up for Duo Authentication.

How Does This Change the User Experience?

Users will see a text menu asking them to select an MFA method as the second step during SSH authentication. Available methods are based on what you have configured in the My Two-Factor page . Anyone who has used other UF services, like myUFL or ONE.UF, will be familiar with this process. In short, you can either enter a Duo code, or select one of the menu options to proceed with that choice.

The short video here demonstrates the process of logging in with an ssh client using a password. After the password is entered, the terminal prompts for a Duo passcode (e.g. 6-digit code from a token or Duo application) or allows you to select from one of your pre-configured MFA options using a numerical selection.

Using MFA with GUI SFTP Programs

We recommend using WinSCP, Bitvise, or Cyberduck SFTP clients. Bitvise is a 'FastPass' approved application to open any sensitive data at UF.

  • WinSCP, Bitvise and Cyberduck work with Duo 2FA out of the box. Bitvise uses SSH Multiplexing automatically, so you can both perform SFTP transfers and open a terminal in the same ssh session without having to re-authorize.
  • For CyberDuck, to use password-based authentication and only require one MFA push per session (rather than for each file) change the preferences:
    Screenshot of the CyberDuck options to use Browser Connection
    • From the Edit menu > Preferences > Transfers > General. Then select "Use browser connection" from the drop down menu

Connecting via Terminal to the Command Line

If you are using username/password authentication to connect your terminal to the HiPerGator command line then the process does not change much from what it was before, as documented in [HPG Interfaces] After you authenticate with your GatorLink Password you will then be prompted for Duo two-factor authentication. The entire session should look like this:

Expand this section to view example session.

 Using username "GatorLinkUsername".
 Using keyboard-interactive authentication.
 Password:
 Using keyboard-interactive authentication.
 Duo two-factor login for GatorLinkUsername@ufl.edu 
 Enter a passcode or select one of the following options:
  1. Duo Push to XXX-XXX-1234
  2. Phone call to XXX-XXX-1234
 Passcode or option (1-2): 
 Success. Logging you in...

How can I use SSH keys for authentication?

See the guide for setup at SSH Keys. After this, you won't require password, but will still be prompted for Duo MFA as above.

Using SSH Keys with SFTP clients

Using SSH Multiplexing to reduce the number of MFA authentications needed

One strategy to reduce the number of times that you need to authenticate using MFA is to use SSH Multiplexing. This opens one connection, which requires an MFA authentication, and then other connections are made through that initial connection. These additional connections do not require MFA.

Please see the details of SSH Multiplexing configuration on this page.

Common Errors

Attempting to use SSH Key Authentication, without setting port 2222

Without the proper port being specified you will be connected to a login server which will ignore your SSH Key. You will be prompted for a password, but depending on your terminal client and configuration you might not see that prompt. Eventually, multiple failures of the password login will lead to our security software blocking your client due to too many incorrect password attempts, and eventually you may see 'Connection reset by peer' when trying to log in.

Solution: ensure that you're specifying the correct port for SSH Key Authentication as specified above. If you're receiving the 'Connection reset by peer' error message you will need to open a Support Request to ask that your HiPerGator user account be unblocked.

Attempting to use SSH Key Authentication, 2222 connects but without SSH Key

This is the opposite case to the above issue, in that you're now connecting to a login host which is expecting an SSH Key file but never sending one. A number of invisible errors will happen behind the scenes, and you will eventually see an error message similar to "Server sent: public key"

Solution: Ensure that your connection command line or SSH config file are correct as per the above sections, and that you really do intend to use SSH Key Authentication instead of manually typing a password. If so, then please refer to Using_SSH_Keys_To_Access_HPG and/or open a Support Request for assistance with setting up SSH Key Authentication.

Attempting to log in without having enrolled in MFA

Upon login you'll receive an error stating "Not Enrolled".

Solution: You will need to sign up for Duo Authentication. There is a minimal chance that a misconfiguration in our system could be producing this error, so if you are certain that your GatorLink account has been signed up for Duo Authentication then open a Support Request stating that you're receiving the 'Not Enrolled' error when trying to log in.