Access to Wynton HPC from outside of the UCSF network requires two-factor authentication (2FA). If you are connecting via the UCSF campus network, 2FA is not required. Likewise, if you are on the UCSF VPN, you are already fully authenticated on the campus network and no further 2FA is needed to access Wynton HPC. In all other cases, you will be prompted to authenticate through a Wynton-specific 2FA method when connecting via SSH directly to the cluster.
Similarly to the UCSF VPN, Wynton HPC requires two-factor authentication via the Duo 2FA system. Duo supports authentication via:
- push confirmation in the Duo Mobile App,
- a phone call, or
- SMS passcode.
Known issues:
- It is not possible to register multiple authentication methods, e.g. multiple devices and phone numbers.
- If you wish to change your 2FA method, phone number, or SMS number, you will need to contact the Wynton HPC support staff to reset your existing 2FA registration or resend the registration link.
- If you receive a message from Duo that you, “have been locked out due to excessive authentication failures,” you will need to contact the Wynton HPC support staff to have your Duo account re-enabled.
- Support for hardware 2FA keys (e.g. YubiKey, Feitian, etc.) is limited and might not even work. For example, when registering a hardware key, that will be your only option. Also, if you have already registered your hardware 2FA key with UCSF (e.g. UCSF VPN), then that physical key cannot be used with the Wynton 2FA system. This is also true if the hardware key supports two or more security keys (e.g. short press and long press on a YubiKey).
Got a new smart phone? After installing the Duo Mobile App on the new device, you can transfer the Wynton 2FA credentials from your old phone to your new phone via ‘Connect a new phone’ in the Duo Mobile App’s ‘Settings’ on both devices.
After having completed the 2FA registration (see below) for your account, you can access Wynton HPC via SSH from outside the UCSF network. A typical SSH login will then start by you authenticating yourself via 2FA as illustrated by:
```
{local}$ ssh alice@log1.wynton.ucsf.edu
alice@log1.wynton.ucsf.edu password:
Duo two-factor login for alice
Enter a passcode or select one of the following options:
1. Duo Push to XXX-XXX-9999
2. Phone call to XXX-XXX-9999
3. SMS passcodes to XXX-XXX-9999
Passcode or option (1-3): 1
Success. Logging you in...
Remember connection authentication from 24.5.83.75 for 12 hours? [y/N] n
Last login: Tue Oct 13 11:56:19 2020 from 24.5.83.75
Welcome to the Wynton login nodes. [...]
[alice@log1]$
```
To see what it looks like when you authenticate via the other options, see the examples below.
In order to authenticate via 2FA, you will first have to register your Duo 2FA setup with Wynton HPC. Since they are different 2FA systems, you have to complete this registration regardless of whether you have already registered Duo 2FA for the UCSF VPN. Below are detailed instructions on how to register 2FA for Wynton HPC.
Comment: If you are asked to ‘Please contact your help or support desk’ during the Duo 2FA registration, please contact the Wynton HPC support staff (do not contact the UCSF IT Service Desk).
We recommend that you read through the instructions below before starting the registration. You can only register once and you cannot reconfigure your 2FA setup afterwards. The only way to update the settings is to contact the Wynton HPC support staff to reset your 2FA setup.
In order to register with Duo 2FA, you need to obtain a registration link (URL) to your personal registration page. This is done by attempting to log into Wynton via SSH.
If this is the first time you access Wynton HPC via SSH, then you will have to do two SSH logins - the first login is just a “trigger” and the second login will display the registration URL. If you have previously logged in to Wynton HPC, then you can skip to the second SSH-login instructions below.
If you are asked ‘Are you sure you want to continue connecting (yes/no/[fingerprint])?’, then answer yes.
Here is what the above steps will look like:
```
{local}$ ssh alice@log1.wynton.ucsf.edu
The authenticity of host log1.wynton.ucsf.edu (169.230.79.44) can not be established.
ECDSA key fingerprint is SHA256:DrCbFJouT3pRHoPO6rzGNJxX4OOIBuLy/ZdxjIQrx3M.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added log1.wynton.ucsf.edu,169.230.79.44 (ECDSA) to the list of known hosts.
Connection closed by 169.230.79.44 port 22
{local}$ ssh alice@log1.wynton.ucsf.edu
alice@log1.wynton.ucsf.edu password:
Please enroll at https://api-6747fbb1.duosecurity.com/portal?code=61c954f6d6124546&akey=DBPXF7JZIKINNMVHIHZK
Please enroll at https://api-6747fbb1.duosecurity.com/portal?code=61c954f6d6124546&akey=DBPXF7JZIKINNMVHIHZK
Please enroll at https://api-6747fbb1.duosecurity.com/portal?code=61c954f6d6124546&akey=DBPXF7JZIKINNMVHIHZK
alice@log1.wynton.ucsf.edu: Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
```
After copying & pasting the registration link into your web browser, you should end up on a page titled ‘Protect Your UCSF Account’ on ‘duosecurity.com’:
For security, verify that you are on the ‘duosecurity.com’ webpage
Click the ‘Start setup’ button to begin the Duo 2FA registration
The first registration page will ask ‘What type of device are you adding?’:
- Mobile phone [recommended]
- Tablet (iPad, Nexus 7, etc.)
- Landline
- Security Key (YubiKey, Feitian, etc.)
- Touch ID
If you selected ‘Mobile phone’ for your device type, the next page will ask you to ‘Enter your phone number’:
The next page ‘What type of phone is this number?’ will ask you to select the type of phone:
- iPhone
- Android
- Windows Phone
- Other (and cell phones)
Select the type of phone you have
Click the ‘Continue’ button
The next page ‘Install Duo Mobile’ will instruct you to install the Duo Mobile app on your device:
Follow the instructions on the ‘Activate Duo Mobile’ page:
Comment: If you have problems scanning the barcode, there is also an option to receive a one-time activation link via email.
Note: It does not matter which default ‘When I log in’ method you choose; at SSH login you will still be prompted to choose one, just as with the default ‘Ask me to choose an authentication method’ option.
This concludes the Duo 2FA registration. You can now close the web browser.
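The registration steps above ask you to verify that the enrollment link is on ‘duosecurity.com’ before using it; that check can be run on the SSH output itself. The following is an added example, not part of the Wynton HPC documentation or of Duo's tooling: the function names are hypothetical, and the sample output is constructed from the example session shown on this page.

```python
import re
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "duosecurity.com"  # the domain this page tells you to verify
ENROLL_RE = re.compile(r"^Please enroll at (\S+)[ \t]*$", re.MULTILINE)

# Constructed sample: the failed-login output from the example session above.
PAGE_URL = ("https://api-6747fbb1.duosecurity.com/portal"
            "?code=61c954f6d6124546&akey=DBPXF7JZIKINNMVHIHZK")
SAMPLE_SSH_OUTPUT = (
    "alice@log1.wynton.ucsf.edu password:\n"
    + f"Please enroll at {PAGE_URL}\n" * 3
    + "alice@log1.wynton.ucsf.edu: Permission denied "
      "(publickey,gssapi-with-mic,keyboard-interactive).\n"
)


def is_duo_enrollment_url(url: str) -> bool:
    """True only for an https URL hosted on duosecurity.com or a subdomain."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "https://duosecurity.com@other.host/" style confusion
    host = (parts.hostname or "").rstrip(".")
    # Only plain DNS characters: rejects backslashes and other bytes that
    # browsers and urlsplit may interpret differently.
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        return False
    # Match on a label boundary, never on a substring or bare suffix.
    return host == EXPECTED_DOMAIN or host.endswith("." + EXPECTED_DOMAIN)


def extract_enrollment_url(ssh_output: str) -> str:
    """Return the single enrollment URL in the SSH output, or raise ValueError."""
    urls = set(ENROLL_RE.findall(ssh_output))  # the link is printed several times
    if len(urls) != 1:
        raise ValueError(f"expected one distinct enrollment URL, found {len(urls)}")
    (url,) = urls
    if not is_duo_enrollment_url(url):
        raise ValueError("enrollment URL is not an https link on " + EXPECTED_DOMAIN)
    return url


if __name__ == "__main__":
    print(extract_enrollment_url(SAMPLE_SSH_OUTPUT))
```

A plain substring test for ‘duosecurity.com’ would accept every lookalike host that this function rejects, which is why the comparison is done on the parsed hostname.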
After having completed the above 2FA registration, you should be able to access Wynton HPC via SSH. As illustrated below, verify that this works by SSH:ing to a Wynton HPC login or data-transfer node using your Wynton username and:
```
{local}$ ssh alice@log1.wynton.ucsf.edu
alice@log1.wynton.ucsf.edu password:
Duo two-factor login for alice
Enter a passcode or select one of the following options:
1. Duo Push to XXX-XXX-9999
2. Phone call to XXX-XXX-9999
3. SMS passcodes to XXX-XXX-9999
Passcode or option (1-3): 1
Success. Logging you in...
Remember connection authentication from 24.5.83.75 for 12 hours? [y/N] n
Last failed login: Wed Oct 14 13:34:11 PDT 2020 from 73.70.236.131 on ssh:notty
There was 2 failed login attempts since the last successful login.
Welcome to the Wynton login nodes. [...]
[alice@log1]$
```
If you choose to authenticate via a phone call, below is what you will see. The phone call will be made momentarily to your registered phone number. Please listen to the prompt and follow the instructions. If you did not request a Duo 2FA phone call, hang up.
```
{local}$ ssh alice@log1.wynton.ucsf.edu
alice@log2.wynton.ucsf.edu password:
Duo two-factor login for alice
Enter a passcode or select one of the following options:
1. Duo Push to XXX-XXX-9999
2. Phone call to XXX-XXX-9999
3. SMS passcodes to XXX-XXX-9999
Passcode or option (1-3): 2
Success. Logging you in...
```
If you choose to authenticate via an SMS passcode, below is what you will see. The passcode to be entered is sent momentarily to your registered mobile number as an SMS.
```
{local}$ ssh alice@log1.wynton.ucsf.edu
alice@log2.wynton.ucsf.edu password:
Duo two-factor login for alice
Enter a passcode or select one of the following options:
1. Duo Push to XXX-XXX-9999
2. Phone call to XXX-XXX-9999
3. SMS passcodes to XXX-XXX-9999
Passcode or option (1-3): 3
Enter a passcode or select one of the following options:
1. Duo Push to XXX-XXX-9999
2. Phone call to XXX-XXX-9999
3. SMS passcodes to XXX-XXX-9999 (next code starts with: 1)
Passcode or option (1-3): 1443743
Success. Logging you in...
```