Two-Factor Authentication on Shaheen

Introduction

Although the use of KAUST IT Active Directory (AD) user names and passwords across all KAUST services is extremely convenient to users, it is also very vulnerable to phishing attacks, whereby a malicious attacker can create a fake webpage requesting your AD user name and password. Once the attacker has this information, they can access many private KAUST services using your credentials, including the Shaheen supercomputer. KSL employs Two-Factor authentication (2FA), https://en.wikipedia.org/wiki/Two-factor_authentication, for SSH logins to mitigate this issue. With 2FA, you must successfully authenticate twice, using two separate methods, before you can be granted access to a server.


The Two Factors


SSH public-private key authentication or Password

SSH keys establish a unique communications path between a user's workstation and the server that s/he is logging into. The public-private key pair is generated on the user's workstation, and the private key exists only there. The public key should be copied to the $HOME/.ssh/authorized_keys file on the server(s) that you are logging into. This will allow password-less SSH authentication from client to server; however we strongly recommend that you protect your private key using a passphrase, which should be different from your AD password. The private key must then be "unlocked" using the passphrase each time that you make a SSH connection.

If you do not set up SSH keys, then you will instead be prompted to log in using your AD password. However, we advise against using this authentication method except for the initial copying of your keys.

One-Time Password (OTP)

One-time passwords, as the name suggests, can be used only once and, as in the case of Shaheen, are only ever valid for a short time (approx 1 minute), after which they become invalid and a new OTP must be generated. The OTP is generated using a secret seed value that is known to both the target host (SSH server) and the client generating the OTP (normally an Android or iOS app). The client should be a separate physical device from the workstation that is being used to establish the SSH connection. Otherwise, if the workstation is compromised, then both authentication methods are compromised.

You will be presented with a prompt to type in the OTP after you have successfully entered the SSH passphrase (or password). Only after you have successfully entered both the SSH passphrase and the OTP will you be granted access to the server:

me@myworkstation>$ ssh <username>@shaheen.hpc.kaust.edu.sa
Use of this system is limited to users who have been properly authorised by
the KAUST Supercomputing Laboratory. Unauthorised users must disconnect
immediately.

For support, see http://www.hpc.kaust.edu.sa/
or email help@hpc.kaust.edu.sa
Enter passphrase for key '$HOME/.ssh/id_rsa': XXXXXX

Authenticated with partial success.
One-time password (OATH) for `<user-name>': XXXXXX  <-- use your OTP app to
                                                        generate password
                                                        and enter it here.

Preparation

For KAUST users, if you have enabled the SSH server (sshd) on your local workstation and your workstation uses KAUST AD for authentication, then you are vulnerable to attack. We strongly recommend that you disable the SSH service if not needed, otherwise take measures (firewall, sshd_config) to restrict outside access to your machine. If you are unsure about this, you should contact the IT Help Desk.

One Time Password (OTP)

We strongly recommend that you install the OTP application on a separate physical device from your workstation. You must set up OTP before you can copy your SSH keys, described below. The following OTP applications have been tested and proven to work successfully with our servers:

  • FreeOTP (Android/iOS)     <--- Recommended

  • Duo Mobile (Android/iOS)

  • OTP Manager (MacOS)

  • WinAuth (Windows)

  • OATH Toolkit (Linux)

  • Microsoft Authenticator (iOS/Android/Windows Mobile)

Other clients that support the TOTP (Time-based One-Time Password) algorithm, including hardware based tokens, are untested but should also work without any problem.

Adding the Secret Seed to the App

The secret seed is generated by the KSL team and is securely passed to the user for storing in their OTP app. The secret seed can be expressed as Hex, as Base32, or as a QR code, and each app can read the seed using one or more of these methods. The same secret seed can be used on more than one server, meaning that all the Shaheen login nodes can share the same seed. Once you have installed your OTP app, please login to www.hpc.kaust.edu.sa/user/login using your AD username and password (i.e. your Shaheen username and password), and you will be presented with your User Settings page. On this page you will see both a QR code and a Base32 number, both representing your OTP seed. This information will only be visible to new users.

Important note - do not view the User Settings page until you are ready to add your OTP seed to your smartphone app, because it will be erased after your first visit.

Adding the OTP seed with the QR code using FreeOTP:

[Image: FreeOTP.jpg]

Select the QR code scanning option (circled in the picture), allow the app to use the camera if requested, then point the smartphone at the QR code. Once successfully scanned, a new FreeOTP item will be stored in the app, labeled with your AD username. When you select the item, an OTP will be displayed which will be valid for logging into Shaheen for a duration of one minute. FreeOTP also gives you the option to enter your seed manually, using the Base32 number.

Important note - Your mobile device must be set to the correct date and time for your timezone. Otherwise, the OTP that your device generates will not match the OTP that the server is expecting when you login.
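The following added example (written for this page; it is not KSL's code and not part of the original text) shows how the OTP app and the SSH server independently arrive at the same code from a shared Base32 seed, and why the device clock matters. The page only says a code lives for "approx 1 minute", so the step length (30 s) and code length (6 digits) are assumed RFC 6238 defaults; the seed is a constructed value taken from the RFC 6238 test vectors, not a Shaheen seed, and the server-side window model (server_accepts, device_code_accepted) is an assumption about how a verifier tolerates drift, not a description of Shaheen's configuration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example seed (NOT a Shaheen seed): the RFC 6238 test secret
# "12345678901234567890", written in Base32 the way a User Settings page shows it.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Assumed parameters: the page only says a code lives for "approx 1 minute";
# these are the RFC 6238 defaults that FreeOTP and similar apps use.
STEP_SECONDS = 30
DIGITS = 6


def decode_seed(seed_b32: str) -> bytes:
    """Decode a Base32 seed, tolerating spaces, lowercase and missing '=' padding."""
    cleaned = "".join(seed_b32.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the epoch."""
    return hotp(decode_seed(seed_b32), unix_time // step, digits)


def server_accepts(seed_b32: str, submitted: str, server_time: int,
                   step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Assumed model of a verifier that tolerates +/- skew_steps time steps of drift.
    Every candidate window is compared in constant time so the loop does not
    leak which window (if any) matched."""
    matched = False
    for k in range(-skew_steps, skew_steps + 1):
        candidate = totp(seed_b32, server_time + k * step, step)
        matched |= hmac.compare_digest(candidate, submitted)
    return matched


def device_code_accepted(seed_b32: str, server_time: int, device_offset_s: int,
                         step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Would the code shown on a phone whose clock is device_offset_s seconds
    off from the server still be accepted? A few seconds of drift fall inside
    the tolerated window; minutes do not, which is why the device time must be right."""
    shown = totp(seed_b32, server_time + device_offset_s, step)
    return server_accepts(seed_b32, shown, server_time, step, skew_steps)


if __name__ == "__main__":
    now = int(time.time())
    print("code right now for the example seed:", totp(EXAMPLE_SEED_B32, now))
    for off in (0, 5, 25, 90, 600):
        print(f"device clock off by {off:>4}s -> accepted: "
              f"{device_code_accepted(EXAMPLE_SEED_B32, now, off)}")
```

Running the block prints the current code for the example seed and shows which simulated clock offsets would still be accepted; the same decode_seed/totp pair is what you would use to confirm that a manually typed Base32 seed was entered correctly (the code it produces must match the app's).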


For existing users, in the event that you have a new mobile device or have lost your seed, and need to re-read your OTP seed from the website, you will need to either:

a) Visit the KSL Systems team (Building 1 Room 0134) office with proof of ID and your smartphone, or

b) Contact us at help@hpc.kaust.edu.sa explaining your situation and we will then contact your PI for approval to display your OTP seed to you on the website.

These strict measures are necessary in order to ensure that your account cannot be compromised.


Note about Paraview and Two-Factor authentication on macOS

As our recommended method for setting up a Paraview client for Shaheen involves the use of SSH, an additional package, ssh-askpass, may need to be installed on macOS. We have successfully tested the following implementation for use with macOS and Paraview - https://github.com/markcarver/mac-ssh-askpass


SSH public-private key authentication

Until you have set up SSH key authentication, you will have to log in using your AD password. If you have not already generated a public-private key pair on your local workstation, then you should do so now using ssh-keygen:

me@myworkstation>$ ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key ($HOME/.ssh/id_rsa): <--- Press <ENTER> here.
Enter passphrase (empty for no passphrase):              <--- Enter new passphrase 
Enter same passphrase again:                             <--- Enter it again.
Your identification has been saved in $HOME/.ssh/id_rsa.
Your public key has been saved in $HOME/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:kAdmubrB19GATfKqsT5I4+Atw/vC3nr0iSlqcl5M1VA <user>@<workstation>
The key's randomart image is:
+---[RSA 2048]----+
|      **E        |
|     ooBo        |
|      +.+o       |
|     ..+. .      |
|   .o...S.       |
|. o+++. .        |
|++ooO+.          |
|.X=Boo           |
|**@o..           |
+----[SHA256]-----+

The public key that you have just created now needs adding to your authorized_keys file in $HOME/.ssh on Shaheen. If the ssh-copy-id command is available on your workstation, this is the easiest method. Alternatively, just copy and paste the contents of $HOME/.ssh/id_rsa.pub on your workstation into $HOME/.ssh/authorized_keys on Shaheen.

You also need to ensure that the permissions are set correctly on the authorized_keys file:

chmod 600 $HOME/.ssh/authorized_keys
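The two things that most often go wrong in the copy-and-paste step are a key line that got wrapped or truncated on the way into authorized_keys and a file left group- or world-readable. The added checker below (written for this page; it is not KSL's code) parses each authorized_keys line the way OpenSSH does, verifies that the base64 blob decodes and that the key type embedded in the blob matches the text type, confirms that the key from id_rsa.pub is present (ignoring the trailing comment), and tests the file mode for the chmod 600 requirement. DEMO_PUBKEY_LINE is a constructed, deliberately tiny key used only so the block runs offline; it is not a usable SSH key. The parser assumes authorized_keys option strings contain no quoted spaces.

```python
import base64
import os
import stat
import struct
from pathlib import Path

# Key-type tokens OpenSSH uses; options such as from="..." may precede them in
# authorized_keys, so the type is located by prefix rather than by position.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_pubkey_line(line: str):
    """Parse one OpenSSH public-key line into (keytype, blob, comment).
    Returns None for blank/comment lines and for lines whose base64 blob is
    truncated or line-wrapped, or whose embedded type disagrees with the text
    type (the usual result of a bad paste into authorized_keys).
    Assumption: option strings do not contain quoted spaces."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES):
            break
    else:
        return None
    if i + 1 >= len(tokens):
        return None
    keytype, blob_b64 = tokens[i], tokens[i + 1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    # SSH wire format: the blob begins with a length-prefixed string naming
    # the key type, which must match the text type in front of it.
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        return None
    return keytype, blob, " ".join(tokens[i + 2:])


def key_is_authorized(pubkey_line: str, authorized_keys_text: str) -> bool:
    """True if the key in id_rsa.pub appears in authorized_keys (comments ignored)."""
    want = parse_pubkey_line(pubkey_line)
    if want is None:
        return False
    for line in authorized_keys_text.splitlines():
        got = parse_pubkey_line(line)
        if got is not None and got[:2] == want[:2]:
            return True
    return False


def mode_bits_are_private(mode: int) -> bool:
    """True when group and others have no access at all (what chmod 600 gives)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def file_is_private(path) -> bool:
    return mode_bits_are_private(os.stat(path).st_mode)


# --- constructed demo key (NOT a real key: tiny made-up modulus) -------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


_DEMO_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567890ABCDEF)
DEMO_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(_DEMO_BLOB).decode() + " me@myworkstation"


if __name__ == "__main__":
    # Report on the real ~/.ssh directory when run on a workstation or login node.
    ssh_dir = Path.home() / ".ssh"
    for name in ("id_rsa", "authorized_keys"):
        p = ssh_dir / name
        if p.exists():
            print(f"{p}: {'OK' if file_is_private(p) else 'too permissive, run chmod 600'}")
    ak = ssh_dir / "authorized_keys"
    if ak.exists():
        for num, line in enumerate(ak.read_text().splitlines(), 1):
            if line.strip() and not line.startswith("#") and parse_pubkey_line(line) is None:
                print(f"{ak}:{num}: malformed key line (wrapped or truncated paste?)")
```

Run it on Shaheen after copying the key: an "OK" for authorized_keys and no "malformed key line" reports mean the paste survived intact, and a pasted id_rsa.pub can be checked against the file with key_is_authorized before the first 2FA login.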

For Windows/Putty users, please use the following guide - http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter8.html#pubkey - to enable key authentication.