Difference between revisions of "Authentication With MFA"

From UFRC
Jump to navigation Jump to search
 
(25 intermediate revisions by 4 users not shown)
Line 4: Line 4:
 
=== Why is This Happening? ===
 
=== Why is This Happening? ===
  
UF is a high-value target for attacks designed to steal research data and intellectual discoveries. This change is part of our ongoing efforts to strengthen the university’s security posture: since adopting multi-factor authentication, UF has seen a 99.7% decrease in compromised accounts. MFA prevents unauthorized access to your HiPerGator account by requiring a second authentication method in addition to your GatorLink credentials.
+
UF is a high-value target for attacks designed to steal research data and intellectual discoveries. This change is part of our ongoing efforts to strengthen the university’s security posture. Since adopting multi-factor authentication, UF has seen a 99.7% decrease in compromised accounts. MFA prevents unauthorized access to your HiPerGator account by requiring a second authentication method in addition to your GatorLink credentials. Think of the username and password as something that you ''know'' and a second factor as something you ''have'' e.g. a mobile device with a DUO app that MFA can 'push' a request to confirm your login to or a phone number MFA can call. A malicious agent - whether a person or an automated mechanism - trying to compromise your account is far less likely to gain access to both the knowledge of your credentials and the physical factor necessary to authenticate.
  
 
=== How Does This Change the User Experience? ===
 
=== How Does This Change the User Experience? ===
  
Once implemented, HiPerGator Secure Shell (SSH) connections will no longer accept SSH keys. Users will have to provide their GatorLink username and a password after which they will see a text menu asking them to select an MFA method. Available methods are based on what you have configured in the [https://account.it.ufl.edu/2FA/enrollDevice My Two-Factor page] . Anyone who has used other UF services, like myUFL or the UF VPN, will be familiar with this process.
+
Once implemented, users will see a text menu asking them to select an MFA method as the second step during SSH authentication. Available methods are based on what you have configured in the [https://account.it.ufl.edu/2FA/enrollDevice My Two-Factor page] . Anyone who has used other UF services, like myUFL or the UF VPN, will be familiar with this process. In short, you can either enter a Duo code, or select one of the menu options to proceed with that choice.
 +
 
 +
[https://mediasite.video.ufl.edu/Mediasite/Play/b475e2428e0445138d76b31106c029f51d [[File:SSH w MFA.png|frameless|right|SSH with MFA video screenshot]]]
 +
 
 +
The [https://mediasite.video.ufl.edu/Mediasite/Play/b475e2428e0445138d76b31106c029f51d short video here] demonstrates the process of logging in with an ssh client using a password. After the password is entered, the terminal prompts for a Duo passcode (e.g. 6-digit code from a token or Duo application) or allows you to select from one of your pre-configured MFA options using a numerical selection.
  
 
=== What if I Don't have Duo MFA Enabled? ===
 
=== What if I Don't have Duo MFA Enabled? ===
Line 15: Line 19:
 
  We're sorry, access is not allowed because you are not enrolled. Please contact your organization's IT help desk for assistance.
 
  We're sorry, access is not allowed because you are not enrolled. Please contact your organization's IT help desk for assistance.
 
You will need to [https://it.ufl.edu/2fa/ sign up for Duo Authentication].
 
You will need to [https://it.ufl.edu/2fa/ sign up for Duo Authentication].
 +
 +
===Using MFA with GUI SFTP Programs===
 +
We recommend using WinSCP, Bitvise, or Cyberduck SFTP clients. Bitvise is a 'FastPass' approved application for open and sensitive data at UF.
 +
* WinSCP, Bitvise and Cyberduck work with Duo 2FA out of the box. Bitvise uses [[SSH Multiplexing]] automatically, so you can both perform SFTP transfers and open a terminal in the same ssh session without having to re-authorize.
 +
* For CyberDuck, to use password-based authentication and only require one MFA push per session (rather than for each file) change the preferences:[[File:CyberDuck transfer browser.png|frameless|right|Screenshot of the CyberDuck options to use Browser Connection]]
 +
** From the Edit menu > Preferences > Transfers > General
 +
** Select "Use browser connection" from the drop down menu
 +
 +
* FileZilla requires additional configuration. First of all, the ''Quickconnect'' mode will not work as it only uses the 'Normal' logon type, which doesn't work with 2FA. For password authentication with 2FA you must set up a connection profile in site manager with an 'Interactive' Logon Type. In addition, set the number of simultaneous connections to '1' in the Transfer Settings for the site or you will get a Duo prompt for each file transfer. If you want to use key authentication with FileZilla you'll have to load a working key into an SSH agent like 'pageant' and use the 'Interactive' logon type.
 +
 +
===Connecting via Terminal to the Command Line===
 +
 +
If you are using username/password authentication to connect your terminal to the HiPerGator command line then the process does not change much from what it was before, as documented in [[Getting_Started#Connecting_to_HiPerGator]]
 +
After you authenticate with your GatorLink Password you will then be prompted for Duo two-factor authentication.  The entire session should look like this:
 +
 +
  Using username "GatorLinkUsername".
 +
  Using keyboard-interactive authentication.
 +
  Password:
 +
  Using keyboard-interactive authentication.
 +
  Duo two-factor login for GatorLinkUsername@ufl.edu
 +
 +
  Enter a passcode or select one of the following options:
 +
 +
  1. Duo Push to XXX-XXX-1234
 +
  2. Phone call to XXX-XXX-1234
 +
 +
  Passcode or option (1-2):
 +
  Success. Logging you in...
 +
 +
=== How can I use SSH keys for authentication? ===
 +
 +
If you have setup SSH key-based authentication, you will need to configure your client to connect to hpg.rc.ufl.edu using port 2222. You will still be prompted for Duo MFA as above. See the examples below.
 +
 +
==== SSH Key Authentication from the Command Line====
 +
 +
  ssh -p 2222 GatorLink@hpg.rc.ufl.edu
 +
  SSH-Key Auth
 +
  (GatorLink@hpg.rc.ufl.edu) Duo two-factor login for GatorLink@ufl.edu
 +
 
 +
  Enter a passcode or select one of the following options:
 +
 
 +
  1. Duo Push to XXX-XXX-1234
 +
  2. Phone call to XXX-XXX-1234
 +
  3. Phone call to XXX-XXX-1234
 +
 
 +
  Passcode or option (1-3): 1
 +
  Success. Logging you in...
 +
 +
==== SSH Key Authentication Using a SSH Config File ====
 +
 +
If you are using an SSH config file (e.g. <code>~/.ssh/config</code>), add the PORT option:
 +
 +
Host hpg
 +
    HostName hpg.rc.ufl.edu
 +
    User GatorLink
 +
    Port 2222
 +
    IdentityFile ~/.ssh/id_rsa
 +
 +
==== Using SSH Keys with SFTP clients ====
 +
 +
* WinSCP: See [https://winscp.net/eng/docs/guide_public_key WinSCP documentation].
 +
* Bitvise: See [https://www.bitvise.com/getting-started-public-key-bitvise BitVise documentation].
 +
* CyberDuck: See [https://trac.cyberduck.io/wiki/help/en/howto/sftp CyberDuck documentation].
 +
* FileZilla: See [https://wiki.filezilla-project.org/Howto FileZilla documentation].
 +
 +
 +
=== Using SSH Multiplexing to reduce the number of MFA authentications needed ===
 +
One strategy to reduce the number of times that you need to authenticate using MFA is to use SSH Multiplexing. This opens one connection, which requires an MFA authentication, and then other connections are made through that initial connection. These additional connections do not require MFA.
 +
 +
Please see the details of [[SSH_Multiplexing|SSH Multiplexing configuration on this page]].
 +
 +
==Common Errors==
 +
 +
====Attempting to use SSH Key Authentication, but you did not use the '-p 2222' argument on the command line, or did not put 'Port 2222' in your SSH config file====
 +
 +
Without the proper port being specified you will be connected to a login server which will ignore your SSH Key.  You will be prompted for a password, but depending on your terminal client and configuration you might not see that prompt.  Eventually, multiple failures of the password login will lead to our security software blocking your client due to too many incorrect password attempts, and eventually you may see 'Connection reset by peer' when trying to log in.
 +
 +
Solution: ensure that you're specifying the correct port for SSH Key Authentication as specified above.  If you're receiving the 'Connection reset by peer' error message you will need to open a Support Request to ask that your HiPerGator user account be unblocked.
 +
 +
====Attempting to use SSH Key Authentication, you connect to port 2222 but you do not present an SSH Key during the login process====
 +
 +
This is the opposite case to the above issue, in that you're now connecting to a login host which is expecting an SSH Key file but never sending one.  A number of invisible errors will happen behind the scenes, and you will eventually see an error message similar to "Server sent: public key"
 +
 +
Solution: Ensure that your connection command line or SSH config file are correct as per the above sections, and that you really do intend to use SSH Key Authentication instead of manually typing a password.  If so, then please refer to [[Using_SSH_Keys_To_Access_HPG]] and/or open a Support Request for assistance with setting up SSH Key Authentication.
 +
 +
====Attempting to log in without having enrolled in MFA====
 +
 +
Upon login you'll receive an error stating "Not Enrolled".
 +
 +
Solution: Please see the section above: "What if I Don't have Duo MFA Enabled?".  You will need to sign up for Duo Authentication.
 +
There is a minimal chance that a misconfiguration in our system could be producing this error, so if you are certain that your GatorLink account has been signed up for Duo Authentication then open a Support Request stating that you're receiving the 'Not Enrolled' error when trying to log in.

Latest revision as of 21:01, 7 December 2021

Effective October 18, 2021, Research Computing will require Multi-Factor Authentication for access to HiPerGator


Why is This Happening?

UF is a high-value target for attacks designed to steal research data and intellectual discoveries. This change is part of our ongoing efforts to strengthen the university’s security posture. Since adopting multi-factor authentication, UF has seen a 99.7% decrease in compromised accounts. MFA prevents unauthorized access to your HiPerGator account by requiring a second authentication method in addition to your GatorLink credentials. Think of the username and password as something that you know and a second factor as something you have e.g. a mobile device with a DUO app that MFA can 'push' a request to confirm your login to or a phone number MFA can call. A malicious agent - whether a person or an automated mechanism - trying to compromise your account is far less likely to gain access to both the knowledge of your credentials and the physical factor necessary to authenticate.

How Does This Change the User Experience?

Once implemented, users will see a text menu asking them to select an MFA method as the second step during SSH authentication. Available methods are based on what you have configured in the My Two-Factor page . Anyone who has used other UF services, like myUFL or the UF VPN, will be familiar with this process. In short, you can either enter a Duo code, or select one of the menu options to proceed with that choice.

SSH with MFA video screenshot

The short video here demonstrates the process of logging in with an ssh client using a password. After the password is entered, the terminal prompts for a Duo passcode (e.g. 6-digit code from a token or Duo application) or allows you to select from one of your pre-configured MFA options using a numerical selection.

What if I Don't have Duo MFA Enabled?

If your account is not registered with UF's Duo MFA service, you will see an error like this:

We're sorry, access is not allowed because you are not enrolled. Please contact your organization's IT help desk for assistance.

You will need to sign up for Duo Authentication.

Using MFA with GUI SFTP Programs

We recommend using WinSCP, Bitvise, or Cyberduck SFTP clients. Bitvise is a 'FastPass' approved application for open and sensitive data at UF.

  • WinSCP, Bitvise and Cyberduck work with Duo 2FA out of the box. Bitvise uses SSH Multiplexing automatically, so you can both perform SFTP transfers and open a terminal in the same ssh session without having to re-authorize.
  • For CyberDuck, to use password-based authentication and only require one MFA push per session (rather than for each file) change the preferences:
    Screenshot of the CyberDuck options to use Browser Connection
    • From the Edit menu > Preferences > Transfers > General
    • Select "Use browser connection" from the drop down menu
  • FileZilla requires additional configuration. First of all, the Quickconnect mode will not work as it only uses the 'Normal' logon type, which doesn't work with 2FA. For password authentication with 2FA you must set up a connection profile in site manager with an 'Interactive' Logon Type. In addition, set the number of simultaneous connections to '1' in the Transfer Settings for the site or you will get a Duo prompt for each file transfer. If you want to use key authentication with FileZilla you'll have to load a working key into an SSH agent like 'pageant' and use the 'Interactive' logon type.

Connecting via Terminal to the Command Line

If you are using username/password authentication to connect your terminal to the HiPerGator command line then the process does not change much from what it was before, as documented in Getting_Started#Connecting_to_HiPerGator After you authenticate with your GatorLink Password you will then be prompted for Duo two-factor authentication. The entire session should look like this:

 Using username "GatorLinkUsername".
 Using keyboard-interactive authentication.
 Password:
 Using keyboard-interactive authentication.
 Duo two-factor login for GatorLinkUsername@ufl.edu 
 Enter a passcode or select one of the following options:
  1. Duo Push to XXX-XXX-1234
  2. Phone call to XXX-XXX-1234
 Passcode or option (1-2): 
 Success. Logging you in...

How can I use SSH keys for authentication?

If you have setup SSH key-based authentication, you will need to configure your client to connect to hpg.rc.ufl.edu using port 2222. You will still be prompted for Duo MFA as above. See the examples below.

SSH Key Authentication from the Command Line

 ssh -p 2222 GatorLink@hpg.rc.ufl.edu
 SSH-Key Auth
 (GatorLink@hpg.rc.ufl.edu) Duo two-factor login for GatorLink@ufl.edu
 
 Enter a passcode or select one of the following options:
 
  1. Duo Push to XXX-XXX-1234
  2. Phone call to XXX-XXX-1234
  3. Phone call to XXX-XXX-1234
 
 Passcode or option (1-3): 1
 Success. Logging you in...

SSH Key Authentication Using a SSH Config File

If you are using an SSH config file (e.g. ~/.ssh/config), add the PORT option:

Host hpg
   HostName hpg.rc.ufl.edu
   User GatorLink
   Port 2222
   IdentityFile ~/.ssh/id_rsa

Using SSH Keys with SFTP clients


Using SSH Multiplexing to reduce the number of MFA authentications needed

One strategy to reduce the number of times that you need to authenticate using MFA is to use SSH Multiplexing. This opens one connection, which requires an MFA authentication, and then other connections are made through that initial connection. These additional connections do not require MFA.

Please see the details of SSH Multiplexing configuration on this page.

Common Errors

Attempting to use SSH Key Authentication, but you did not use the '-p 2222' argument on the command line, or did not put 'Port 2222' in your SSH config file

Without the proper port being specified you will be connected to a login server which will ignore your SSH Key. You will be prompted for a password, but depending on your terminal client and configuration you might not see that prompt. Eventually, multiple failures of the password login will lead to our security software blocking your client due to too many incorrect password attempts, and eventually you may see 'Connection reset by peer' when trying to log in.

Solution: ensure that you're specifying the correct port for SSH Key Authentication as specified above. If you're receiving the 'Connection reset by peer' error message you will need to open a Support Request to ask that your HiPerGator user account be unblocked.

Attempting to use SSH Key Authentication, you connect to port 2222 but you do not present an SSH Key during the login process

This is the opposite case to the above issue, in that you're now connecting to a login host which is expecting an SSH Key file but never sending one. A number of invisible errors will happen behind the scenes, and you will eventually see an error message similar to "Server sent: public key"

Solution: Ensure that your connection command line or SSH config file are correct as per the above sections, and that you really do intend to use SSH Key Authentication instead of manually typing a password. If so, then please refer to Using_SSH_Keys_To_Access_HPG and/or open a Support Request for assistance with setting up SSH Key Authentication.

Attempting to log in without having enrolled in MFA

Upon login you'll receive an error stating "Not Enrolled".

Solution: Please see the section above: "What if I Don't have Duo MFA Enabled?". You will need to sign up for Duo Authentication. There is a minimal chance that a misconfiguration in our system could be producing this error, so if you are certain that your GatorLink account has been signed up for Duo Authentication then open a Support Request stating that you're receiving the 'Not Enrolled' error when trying to log in.