MFA - Multi-Factor Authentication - Step by Step Guide
This article gives a step by step guide for how to use the CLAIX Cluster with multi-factor authentication (MFA) enabled. You will need to have registered for an HPC account beforehand.
Note: Currently, MFA is only mandatory for the login node login18-4.hpc.itc.rwth-aachen.de. All other nodes are accessible via SSH Key or username/password as usual.You may want to test MFA here first. Once your configuration runs successful, you may want to register at firstname.lastname@example.org to complete the switch to 2FA. Note that after the switch **all** login/dialog nodes will then be protected by 2FA measures.
Prerequisite: an active HPC account
Proceed with step 5 in order to log in using MFA. However, you will be asked for your second factor with every login attempt. To avoid this, you can set up one or more SSH key pairs associated with your account. Then, whenever you log in from a machine that holds your at least one corresponding private key, you will only have to provide a second factor once every 10 hours. To set this up, proceed with step 3.
- Upload a public SSH key
- Assign SSH Key to Service HPC
- Log In to a MFA Node
- (optional) Register for MFA via ticket, if you want to protect **all** login/dialog nodes by 2FA measures (i.e. not only login18-4): email@example.com
Help! My SSH Key has stopped working and has disappeared from the RegApp!
If it has been a while since you uploaded your SSH key, it has most likely expired.
After a set period (currently 12 months), the public key can no longer be used for authentication. Expired keys are not shown in the overview of SSH keys in your RegApp Dashboard or the service it used to be associated with. A key that has expired or been deleted cannot be added again.
To restore access via SSH key pairs, you will need to upload a new key that has never been uploaded before (following step 3 above), and then associate it with your HPC account again (following step 4 above).