Login via SSH and MFA
Certain login nodes (currently restricted to the login node login18-4.hpc.itc.rwth-aachen.de) have multi-factor authentication (MFA) enabled. To use these nodes, you are required to have at least one second authentication factor configured in the RegApp.
Whenever you log into the high performance compute cluster on a node that has MFA enabled for the first time in a certain time period – currently 10 hours – you will be asked to enter all types of identification, i.e., Username/Password, SSH key (if applicable), and Second Factor of choice. After this first login, further logins differ depending on whether or not you have SSH-authentication enabled.
Using Username/Password
If you have not associated an SSH public key with your HPC account or do not have the corresponding private key file on the computer from which you are accessing the HPC servers, all further logins are the same as the first one: you are required to enter both your Unix password (which you can change in the RegApp) and your Second Factor of choice (which you can manage in the RegApp) every time you open a new session.
Using SSH Key-pairs
If you have associated an SSH public key with your HPC account and have at least one corresponding private key file on the system used to access the HPC cluster, all further logins within this certain time period will only require SSH-authentication. In the case that you are running an ssh-agent
in the background to manage your private key password, you will be directly authenticated, otherwise, you will be prompted for the password of your private key file when opening a new session.
Note: Access to the login18-4.hpc.itc.rwth-aachen.de login node requires password and second factor on first connection within a certain time frame. If you use an ssh config file (a file in your ".ssh" folder named "config"; for more info query your preferred search engine or start here), make sure that for this domain (e.g., *.hpc.itc.rwth-aachen.de) you are not using the public key as your preferred authentication method (i.e., do not set "PreferredAuthentications publickey" for this domain). Doing so will prevent the password request and thus login.