One-time-pad (OTP) / Two-factor authentication

All login nodes on Fram and Saga offer two-factor authentication on SSH.

To set up two-factor authentication for your user, follow these steps:

  1. Go to, log in, using user login (passwords) frontpage screenshot First click User Login (Passwords)

  1. Select OTP / 2FA from the page or drop-down menu frontpage screenshot frontpage screenshot

  1. Install Authenticator-app if you don’t have one.

  2. Scan the QR-code with your Authenticator app. frontpage screenshot

  1. Verify with code from your app and click “Submit.” frontpage screenshot

  1. Wait for the resources to sync the new information.


1. Do I have to use two-factor authentication every single time I log in or connect to Fram or Saga

No, you don’t. Here’s how you can manage that:

On your Mac or linux desktop or laptop, create a text file ~/.ssh/config with, for example, the following contents:

Host fram
    User myusername
    ControlMaster auto
    ControlPath ~/.ssh/%r@%h:%p

where myusername is replaced appropriately.

This sets things up so that whenever you ssh to the host nickname fram: ssh fram

It will look for the special file (a socket) in your ~/.ssh/ directory that is maintaining a connection to the cluster. If it already exists and is open, it’ll use it to create a connection without re-authenticating; if it doesn’t exist, it’ll authenticate and create the file for subsequent use.

Note that all subsequent connections are dependent on the initial connection — if you exit or kill the initial connection all other ones die, too. This can obviously be annoying if it happens accidentally. It’s easily avoided by setting up a master connection in the background:

ssh -CX -o ServerAliveInterval=30 -fN fram

The -fN make it go into the background and sit idle, after authenticating. (C for compression,Y for X forwarding, and -o ServerAliveInterval=30 to prevent dropped connections have nothing to do with the ControlMaster but are almost always helpful.)