start:mogon_cluster:basic_authentication

Differences

This shows you the differences between two versions of the page.

start:mogon_cluster:basic_authentication [2020/07/16 11:15]
jrutte02 [Contact the HPC Group]
start:mogon_cluster:basic_authentication [2021/10/13 11:16]
noskov
Line 1: Line 1:
 ====== Basic Authentication ====== ====== Basic Authentication ======
  
-The authentication process on MOGON has changed significantly due to the security incident. Here you can find the instructions for the general procedure.+====== Prerequisites ======
  
-<alert type="danger" dismiss="true" icon="fa fa-warning"> +**Your ZDV Account** must be assigned to an HPC project, before you can complete the MOGON authentication. \\ You can check the affiliation to an HPC project on your [[https://account.uni-mainz.de/Account|ZDV account profil]] in the ''Andere Mitgliedschafte'' resp. ''Other memberships'' section.
-The instructions in this page are only applicable for the time of limited access! +
-</alert>+
  
 +Your project leader and other technical contacts may, [[start:policies:accounts#how_do_i_get_an_account|add your account to an HPC project]].
 +
 +The authentication process on MOGON is to ensure best possible protections again malicious intend. Here you can find the instructions for the general procedure.
  
 <callout type="tip" icon="true" title="Quick Start">  <callout type="tip" icon="true" title="Quick Start"> 
-  - Add your SSH-Keys to your [[https://account.uni-mainz.de/sshkey|ZDV Account]]. +  - Generate your SSH-Keys in <btn type="info" icon="fa fa-windows" size="xs">[[start:mogon_cluster:access_from_outside_windows:creating_sshkeys_on_windows#set_up_ssh-keys_for_mogon_using_windows|Windows]]</btn> or <btn type="info" icon="fa fa-linux" size="xs">[[https://mogonwiki.zdv.uni-mainz.de/dokuwiki/start:mogon_cluster:access_from_outside_unix#generating_a_new_ssh-key_using_linux_or_macos|Linux/macOS]]</btn>
-  - Prepare your Smartphone for 2FA. +  - Add your public SSH-Keys in OpenSSH Format to your [[https://account.uni-mainz.de/my-account|ZDV Account]]
-  - Contact HPC-Group +    * ''HPCGATE'' and ''HPCLOGIN'' must be included in the comment
-  - PrivacyIdea process +  - Prepare your Smartphone for 2FA by installing the **freeOTP** or **PrivacyIDEA** app
-  - Login to MOGON+  - Contact the HPC-Group via [[hpc@uni-mainz.de]] with your **ZDV Account** 
 +  - Complete the PrivacyIdea process with an HPC-Admin 
 +  - Login to MOGON via SSH using our Jump Host
 </callout> </callout>
  
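Review bot: The new heading `====== Prerequisites ======` (first `+` line of this hunk) is at the same level as the page title `====== Basic Authentication ======`, while every other section on the page uses `=====`; demote it to `===== Prerequisites =====` so it renders as a section and not as a second page title. The added sentence "is to ensure best possible protections again malicious intend" should read "is designed to give the best possible protection against malicious intent", and "ZDV account profil" should be "profile". The Quick Start also links Linux/macOS key generation by absolute URL (`https://mogonwiki.zdv.uni-mainz.de/dokuwiki/start:...`) while the Windows link next to it is an internal wiki link; use the internal form for both so the link does not break if the wiki moves.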
Line 20: Line 23:
 <grid> <grid>
 <col lg="6" md="12" sm="12" xs="12"> <col lg="6" md="12" sm="12" xs="12">
-Browse to [[https://account.uni-mainz.de/sshkey|account.uni-mainz.de/sshkey]] with a browser of your choice. Use your ZDV credentials for login.  +Open [[https://account.uni-mainz.de/my-account|https://account.uni-mainz.de/my-account]] with a browser of your choice. Use your **ZDV credentials** for login. 
-You will now have to submit an **SSH-keys** whose comment includes certain strings and formatting. In addition to your own commentyou must append the strings ''HPCGATE'' and ''HPCLOGIN'', separated by commaThe first keyword (''HPCGATE''ensures that you can tunnel through our jump host ''hpcgate'', the other keyword (''HPCLOGIN'') allows you to access the MOGON login nodes.+  
 +You will now have to submit an **SSH-Key** whose comment includes certain strings and formatting. To save an individual key in your university accountjust copy its public part (''your_key_name.pub''in the designated field click on ''SSH-Key speichern''
 +<callout type="success" title="Don't have the SSH-Key?" icon="true"> 
 + Please follow our instructions for generating SSH-Keys using <btn type="info" icon="fa fa-windows" size="xs">[[start:mogon_cluster:access_from_outside_windows:creating_sshkeys_on_windows#set_up_ssh-keys_for_mogon_using_windows|Windows]]</btn> or <btn type="info" icon="fa fa-linux" size="xs">[[https://mogonwiki.zdv.uni-mainz.de/dokuwiki/start:mogon_cluster:access_from_outside_unix#generating_a_new_ssh-key_using_linux_or_macos|Linux/macOS]]</btn>
 +</callout>
  
-The keywords must be entered to the comment section of your SSH-Key with no special requirements. +<hidden>
-To save an individual key, just copy it in the designated field click on ''SSH-Key speichern''.+
  
-<callout type="info" icon="true" title="The Generic Format"> +<callout type="info" icon="true" title="Generating the SSH-Key in advanced way"> 
-of the SSH keys generated by ''ssh-keygen'' is: \\ +The SSH-Keys generated by ''ssh-keygen'' have the following form: \\ 
-''<algorithm> <key> <comment>''+''<algorithm> <key> <comment>'' \\ 
 +\\ 
 +If you want to generate the key in a way that is different from our guide, please notice that you **must** append the strings ''HPCGATE'' and ''HPCLOGIN'', separated by comma as a comment to the key (you may also add your own optional comment). The first keyword (''HPCGATE'') ensures that you can tunnel through our jump host ''hpcgate'', the other keyword (''HPCLOGIN'') allows you to access the MOGON login nodes. 
 +The keywords must be entered to the comment section of your SSH-Key.
 </callout> </callout>
-<callout type="question" title="No SSH-Key" icon="true"> +<callout type="danger" title="PuTTYgen/MobaKeyGen" icon="true"> 
-In case you don'have SSH-Key yet or havig difficulty adding the commentyou can read more in [[start:mogon_cluster:access#how_to_set_up_ssh-keys_for_mogon|this Article]].+If you have generated your SSH-Keys with ''PuTTYgen'' or ''MobaKeyGen''please note [[start:mogon_cluster:access_from_outside_windows:creating_sshkeys_on_windows|this Article]] before you upload our SSH-Keys!
 </callout> </callout>
 +
 +</hidden>
 +
 </col> </col>
 <col lg="6" md="12" sm="12" xs="12"> <col lg="6" md="12" sm="12" xs="12">
-<image shape="thumbnail">{{:start:mogon_cluster:add_ssh_key_1.png?direct|}} </image+<carousel interval="false"> 
 +<slide> 
 +{{:start:mogon_cluster:add_ssh_key_1.png?direct|}} 
 +</slide> 
 +<slide> 
 +{{:start:mogon_cluster:add_ssh_key_2.png?direct|}} 
 +</slide> 
 +</carousel>
 </col> </col>
- 
- 
- 
 </grid> </grid>
- 
- 
- 
  
 ===== Prepare your Smartphone for 2FA ===== ===== Prepare your Smartphone for 2FA =====
-Access to MOGON is now done via two-factor authentication through PrivacyIdea. The procedure with PrivacyIdea will be explained in detail later. At this point it is only relevant that you install a two-factor authentication app on your smartphone that has been approved by the HPC group.+Access to MOGON is done via two-factor authentication through an app on your smartphone. Please install one of the apps below, which are approved by the HPC group. Other apps may not function properly and we **can not** provide support if you experience problems with any other app
  
  
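Review bot: The requirement that the key comment contain `HPCGATE` and `HPCLOGIN` has moved out of the visible text into the `<hidden>` block ("Generating the SSH-Key in advanced way"), so a user who follows the visible instructions for pasting `your_key_name.pub` is never told about it, even though the Quick Start lists it as mandatory and a key without the keywords cannot pass `hpcgate` or reach the login nodes; keep one sentence in the visible paragraph, e.g. "The key comment must contain HPCGATE and HPCLOGIN, separated by a comma." Smaller points: "in the designated field click on" needs an "and" ("in the designated field and click on"), the hidden callout title should read "in an advanced way", and the PuTTYgen callout says "before you upload our SSH-Keys" where "your SSH-Keys" is meant.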
Line 52: Line 65:
 <col lg="6" md="12" sm="12" xs="12"> <col lg="6" md="12" sm="12" xs="12">
 <callout type="info" title="iOS" icon="fa fa-apple"> <callout type="info" title="iOS" icon="fa fa-apple">
-  * [[https://apps.apple.com/us/app/freeotp-authenticator/id872559395|freeOTP]]+  * [[https://apps.apple.com/us/app/freeotp-authenticator/id872559395|freeOTP]] \\
   * [[https://apps.apple.com/us/app/privacyidea-authenticator/id1445401301|PrivacyIdea]]   * [[https://apps.apple.com/us/app/privacyidea-authenticator/id1445401301|PrivacyIdea]]
 </callout> </callout>
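Review bot: The trailing ` \\` added after the freeOTP item forces a line break inside the list item, which renders as an empty line between the two entries; drop it (the Android list in the next hunk has the same addition).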
Line 59: Line 72:
 <col lg="6" md="12" sm="12" xs="12"> <col lg="6" md="12" sm="12" xs="12">
 <callout type="info" title="Android" icon="fa fa-android"> <callout type="info" title="Android" icon="fa fa-android">
-  * [[https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en|freeOTP]]+  * [[https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en|freeOTP]] \\ 
   * [[https://play.google.com/store/apps/details?id=it.netknights.piauthenticator&hl=en|PrivacyIdea]]   * [[https://play.google.com/store/apps/details?id=it.netknights.piauthenticator&hl=en|PrivacyIdea]]
 </callout> </callout>
Line 65: Line 78:
 </grid> </grid>
  
-<callout type="danger" icon="true">We only support the apps mentioned above. Other apps may not be able to function properly, so you will not be able to log in to MOGON using the second factor. If you nevertheless decide to use another app, please make sure that ''sha-512'' is supported. Please also note that in this case we **can not** provide support if you experience problems. </callout>+<callout type="danger" icon="true">If you nevertheless decide to use another app, please make sure that ''sha-512'' is supported. Please also note that even if this is the case we **can not** provide support if you experience problems. </callout>
  
 ===== Contact the HPC Group ===== ===== Contact the HPC Group =====
-  * Once you have set up your keys and your 2FA app, please contact us via the ticket system and arrange a meeting with us.  +  * Once you have set up your SSH-Keys and **freeOTP** or **PrivacyIDEA** on your smartphone, please contact us via the ticket system **using your ZDV account** ((send an E-Mail to [[hpc@uni-mainz.de]] (which will create a new ticket in our ticketing system) )) and arrange a meeting with us.  
-  * We will contact you via **Skype for Business** which is available to all university members or can arrange a video chat via **BigBlueButton** if Skype is not available for you.  +  * We will contact you via **BigBlueButton** (description [[https://www.zdv.uni-mainz.de/bigbluebutton/|here]]).  
-  The whole process should take no longer than 10 minutes, if your keys are properly setup.+  * The whole process should take no longer than 15 minutes, if your SSH-Keys are properly setup. 
 +<hidden>  * We will contact you via **Skype for Business** (setup instructions [[https://www.zdv.uni-mainz.de/telefonie-und-skype-for-business/|here]]) which is available to all university members or we can arrange a video chat via **BigBlueButton** (description [[https://www.zdv.uni-mainz.de/bigbluebutton/|here]]), if Skype for Business is not available for you.</hidden>  
 + 
 +<hidden> 
 +<callout type="question" color="#3498db" icon="true"> 
 +Information about **Skype for Business** and **BigBlueButton** can be found on [[https://www.zdv.uni-mainz.de/kommunikation-und-kollaboration/|this Article]] from the ZDV.  
 +</callout> 
 +</hidden>
 ===== PrivacyIdea @MOGON ===== ===== PrivacyIdea @MOGON =====
  
-  - Have your smartphone with 2FA app installed ready. +<callout type="danger" icon="true" title="Virtual Private Network">  
-  - Browse to [[https://privacyidea.zdv.uni-mainz.de/|PrivacyIdea]] and get ready for the login. Browser extensions, such as uBlock, uMatrix and NoScript, probably will prevent the website from functioning properly. +is necessary to access [[https://privacyidea.zdv.uni-mainz.de|]]. If you have not yet set up VPN on your PC, please follow [[https://www.zdv.uni-mainz.de/vpn-netz-zugang-von-ausserhalb-des-campus/|these instruction]] from the ZDV \\ 
-  - Establish contact with **HPC-Admins**+For access MOGON, though, you do not need VPN. 
-  - For the login you need your ''username'' and the ''registration key'' which you will receive from the HPC-Admin. \\ <image shape="thumbnail">{{:start:mogon_cluster:2fa_activation_user_1.png?nolink|}}</image> +</callout> 
 + 
 + 
 + 
 +  - Have your smartphone with **freeOTP** or **PrivacyIDEA** app installed ready. 
 +  - Browse to [[https://privacyidea.zdv.uni-mainz.de/|PrivacyIdea]] and get ready for the login. Browser extensions, such as **uBlock****uMatrix** and **NoScript**, probably will prevent the website from functioning properly
 +  - This website is only accessible within the campus network. You can reach it from outside via [[https://www.en-zdv.uni-mainz.de/net-access-from-outside-of-campus-via-vpn|VPN]] or with a [[https://www.zdv.uni-mainz.de/remotedesktop-arbeiten-am-entfernten-arbeitsplatz/|remote desktop session]]. Please make sure you can open the page before proceeding
 +  - Establish contact with the [[start:mogon_cluster:basic_authentication#contact_the_hpc_group|HPC Group]]
 +  - For the login you need your ''username'' and the ''one-time registration key''.  The ''one-time registration key'' serves as a password for the login to PrivacyIdea and is handed to you by the **HPC-Admin** during the  [[start:mogon_cluster:basic_authentication#contact_the_hpc_group|identity verification process]]. \\ <image shape="thumbnail">{{:start:mogon_cluster:2fa_activation_user_1.png?nolink|}}</image> 
   - After successful login, click ''Token ausrollen'' in the menu on the left side.   - After successful login, click ''Token ausrollen'' in the menu on the left side.
   - On the page ''Token ausrollen'' select ''TOTP: Zeitbasiertes Einmalpasswort'' as token. **Do not** change ''OTP-Länge'' and ''Zeitschritt''. Fill in the field ''Beschreibung'' and click on ''Token ausrollen'' at the bottom of the page. \\ <image shape="thumbnail">{{:start:mogon_cluster:2fa_activation_user_3.png?nolink|}}</image>    - On the page ''Token ausrollen'' select ''TOTP: Zeitbasiertes Einmalpasswort'' as token. **Do not** change ''OTP-Länge'' and ''Zeitschritt''. Fill in the field ''Beschreibung'' and click on ''Token ausrollen'' at the bottom of the page. \\ <image shape="thumbnail">{{:start:mogon_cluster:2fa_activation_user_3.png?nolink|}}</image> 
-  - Scan the **QR-Code** on your screen with the 2FA app of your choice on your smartphone and click on ''Neuen Token ausrollen'' afterwards. <text background="danger"> **Do not** share the QR-Code with anyone. </text> Employees of the HPC group will never ask you for your QR-Code or other login credentials. <text background="info"> **Do not** scan the QR-Code shown below! </text> \\ <image shape="thumbnail">{{:start:mogon_cluster:2fa_activation_user_4.png?nolink|}}</image> +  - Scan the **QR-Code** on your screen with the 2FA app of your choice on your smartphone. \\ <text background="danger"> **Do not** share the QR-Code with anyone. </text> Employees of the HPC group will **never** ask you for your QR-Code or other login credentials. \\ <text background="info"> **Do not** scan the QR-Code shown below! </text> \\ <image shape="thumbnail">{{:start:mogon_cluster:2fa_activation_user_4.png?nolink|}}</image> 
   - The newly created token is initially deactivated and must be activated by an HPC-Admin. \\ <image shape="thumbnail">{{:start:mogon_cluster:2fa_activation_user_5.png?nolink|}}</image>   - The newly created token is initially deactivated and must be activated by an HPC-Admin. \\ <image shape="thumbnail">{{:start:mogon_cluster:2fa_activation_user_5.png?nolink|}}</image>
   - Inform the HPC-Admin of the successful creation of the token, so that he can activate it. As soon as the token has been activated by the HPC-Admin, you can see the status at the ''Alle Token'' page.   - Inform the HPC-Admin of the successful creation of the token, so that he can activate it. As soon as the token has been activated by the HPC-Admin, you can see the status at the ''Alle Token'' page.
   - **Done**. You should be able to use the 2FA app of your choice to create new TOTPs as necessary for login to MOGON.   - **Done**. You should be able to use the 2FA app of your choice to create new TOTPs as necessary for login to MOGON.
 +
 +
 +===== Migrating PrivacyIdea to a new Smartphone =====
 +
 +The requirements for this are that your old smartphone is still functional and you are able to log in to MOGON with it as well as your new smartphone is already set up and functional. 
 +
 +  - Start by browsing to the [[https://privacyidea.zdv.uni-mainz.de/]] website (You need an active [[https://www.zdv.uni-mainz.de/vpn-netz-zugang-von-ausserhalb-des-campus/|VPN]]). \\ <image shape="thumbnail">{{:start:mogon_cluster:pi_new_smartphone_1.png?direct&600|}}</image>
 +  - The credentials for the login are as follows: \\ <text background="primary"> Username:</text> ''ZDV-Account'' \\ <text background="primary"> Passwort:</text> ''Current 2FA Token'' (on the old smatphone). \\ After successful login, you should see the token overview. Now click the serial number of the token you want to delete to access the Tokens detailed overview page. In this example the serial number is ''TOTP01234567''. \\ <image shape="thumbnail">{{:start:mogon_cluster:pi_new_smartphone_2.png?direct&600|}}</image>
 +  - You can now delete the token permanently by clicking on the ''Delete|Löschen'' button. \\ <image shape="thumbnail">{{:start:mogon_cluster:pi_new_smartphone_3.png?direct&600|}}</image>
 +  - After you deleted the token, you will be redcirected to the overview where the token should have disappeared. Now click on ''Enroll Token|Token ausrollen'' to enroll a new Token: \\ <image shape="thumbnail">{{:start:mogon_cluster:pi_new_smartphone_4.png?direct&600|}}</image>
 +  - On the next page just fill in the field ''Description|Beschreibung'' and click on the ''Enroll new Token|Token ausrollen'' button at the bottom of the page. \\ <image shape="thumbnail">{{:start:mogon_cluster:pi_new_smartphone_5.png?direct&600|}}</image>
 +  - Now scan the displayed QR-Code on the next page with the <text background="danger"> 2FA app on your new smatphone</text> \\ <image shape="thumbnail">{{:start:mogon_cluster:pi_new_smartphone_6.png?direct&600|}}</image>
 +  - The newly created token is initially deactivated and must be activated by an HPC-Admin. Please contact the HPC-Group and ask for the token to be activated. Always specify the serial number of the token when contacting us for activation. \\ <image shape="thumbnail">{{:start:mogon_cluster:pi_new_smartphone_7.png?direct&600|}}</image>
 +
 +
  
  
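Review bot: In the new "Migrating PrivacyIdea to a new Smartphone" section the old token is deleted in step 3, the new one is enrolled in step 5 and only activated by an HPC-Admin in step 7, so the user has no working second factor in between and the stated prerequisite that the old phone still works only covers the login in step 2; say explicitly that MOGON login is not possible until the admin activates the new token, or, if PrivacyIdea permits two tokens per user, enroll the new token before deleting the old one. Further points in this hunk: the VPN callout body starts with "is necessary to access", missing its subject ("A VPN connection is necessary to access ..."), "these instruction" should be "these instructions", "For access MOGON" should be "To access MOGON", and the callout says VPN is required while step 3 of the list also offers a remote desktop session; reconcile the two. "**uBlock****uMatrix**" lacks the separating ", ", the migration steps contain "Passwort:", "smatphone" (twice) and "redcirected", and "properly setup" should be "properly set up". The two `<hidden>` blocks about Skype for Business are dead text; delete them rather than hiding them.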
  • start/mogon_cluster/basic_authentication.txt
  • Last modified: 2021/10/13 11:16
  • by noskov