One-time-pad (OTP) / Two-factor authentication

All login nodes on Betzy, Fram and Saga offer two-factor authentication on SSH.

To set up two-factor authentication for your user, follow these steps:

  1. Go to www.metacenter.no, log in, using user login (passwords)

www.metacenter.no frontpage screenshot First click User Login (Passwords)

  1. Select OTP / 2FA from the page or drop-down menu

www.metacenter.no frontpage screenshot

www.metacenter.no frontpage screenshot

  1. Install Authenticator-app if you don’t have one.

  2. Scan the QR-code with your Authenticator app.

www.metacenter.no frontpage screenshot

  1. Verify with code from your app and click “Submit.”

www.metacenter.no frontpage screenshot

  1. Wait for the resources to sync the new information.

Video guide

[Video] 2FA setup guide for the national e-infrastructure systems

FAQ

1. Do I have to use two-factor authentication every single time I log in or connect to Betzy, Fram or Saga

No, you don’t. Here’s how you can manage that:

On your Mac or linux desktop or laptop, create a text file ~/.ssh/config with, for example, the following contents:

Host fram
    User myusername
    HostName login.fram.sigma2.no
    ControlMaster auto
    ControlPath ~/.ssh/%r@%h:%p

where myusername is replaced appropriately.

This sets things up so that whenever you ssh to the host nickname fram: ssh fram

It will look for the special file (a socket) in your ~/.ssh/ directory that is maintaining a connection to the cluster. If it already exists and is open, it’ll use it to create a connection without re-authenticating; if it doesn’t exist, it’ll authenticate and create the file for subsequent use.

Note that all subsequent connections are dependent on the initial connection — if you exit or kill the initial connection all other ones die, too. This can obviously be annoying if it happens accidentally. It’s easily avoided by setting up a master connection in the background:

ssh -CX -o ServerAliveInterval=30 -fN fram

The -fN make it go into the background and sit idle, after authenticating. (C for compression,Y for X forwarding, and -o ServerAliveInterval=30 to prevent dropped connections have nothing to do with the ControlMaster but are almost always helpful.)

Does this work for Windows too?

OpenSSH for Windows does currently not support the ControlMaster module, but there is a workaround for this.

By installing WSL and running an Ubuntu terminal you will be able to use SSH as if you were using a Linux computer. You can create the text file under ~/Ubuntu/home/user/.shh/config and add the same contents as in the example above. If you then attempt to ssh to the host nickname fram in this example by using ssh fram in your Ubuntu terminal, it would then create the same socket under Ubuntu’s ssh directory as it would if you were to use a Mac/Linux computer.
You can run an Ubunutu terminal simply by writing the command ‘Ubuntu’ in your Windows terminal.