Alliance Doc - User contributions [en] (MediaWiki 1.39.6), feed generated 2024-03-29T05:31:30Z. Page: Multifactor authentication, revision of 2024-03-27T15:35:58Z by Mboisson ("Marked this version for translation"), https://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=151491
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:61--><br />
{{Warning|title=Multifactor authentication is becoming mandatory<br />
|content=We strongly encourage you to enable MFA for your account, as this will be required to access our clusters as of April 15 2024. <br />
<br />
<!--T:74--><br />
Enroll now to avoid being blocked from accessing our services.<br />
}}<br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in situations where using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are not compatible because not all of them support the "Yubico OTP" function, which is required. We recommend the YubiKey 5 Series, but older devices you may already have could work; see this [https://www.yubico.com/products/identifying-your-yubikey/ Yubico identification page] for reference.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $67 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
YubiKeys support multiple protocols; our clusters use Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
File:CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster which supports MFA, you will be prompted to use your second factor after you first use either your password or your [[SSH Keys|SSH key]]. This prompt will look like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey or a backup code, or if you prefer to enter the time-based one-time password shown by the Duo Mobile application, you type that value instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Configuring your SSH client with ControlMaster, to only ask every so often (Linux and macOS) === <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration. With this setting, the first SSH session asks for the first and second factors, and subsequent SSH connections from the same device reuse the connection of that first session without asking for authentication again, for up to 10 minutes after the first session was disconnected. Because the multiplexed connection is already authenticated, the control socket under <code>~/.ssh</code> should be protected like a private key.<br />
<br />
<!--T:41--><br />
Note that the above ControlMaster mechanism (a.k.a. Multiplexing) doesn't work with native Windows, in which case [https://learn.microsoft.com/en-gb/windows/wsl/about Windows Subsystem for Linux] will be required. [https://docs.alliancecan.ca/wiki/Configuring_WSL_as_a_ControlMaster_relay_server See the link below].<br />
<br />
=== [[Configuring WSL as a ControlMaster relay server]] (Windows) === <!--T:67--><br />
Disclaimer: This is still an experimental procedure. Your feedback is welcome.<br />
<br />
<!--T:68--><br />
With this procedure you can leverage ControlMaster under WSL so that you can log in to the clusters from several applications under native Windows for a certain period without having to complete MFA for every session.<br />
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command-line clients will typically support multifactor authentication without additional configuration. This is, however, often not the case for graphical clients. Below are instructions specific to a few of them.<br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask for the password and second factor each time a transfer is initiated because, by default, transfers use independent connections which are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to “1” under “Site Manager” → “Transfer Settings” tab; note that you will then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
=== Niagara special case === <!--T:59--><br />
Connections in FileZilla can only be configured to use either SSH keys or interactive prompts, not both. Since Niagara requires both an SSH key and an MFA prompt, using FileZilla is challenging. We recommend using a different SCP client with better support for interactive prompts, but one possible workaround is to:<br />
<br />
<!--T:60--><br />
# Attempt to connect with an SSH key. This will fail because of the interactive prompt for the second factor. FileZilla will then remember your key. <br />
# Change the login method to interactive and attempt to connect again. You will then receive the 2FA prompt.<br />
<br />
== MobaXTerm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
==== Prompt on file transfer ==== <!--T:69--><br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which causes a mandatory second prompt for your second factor of authentication.<br />
<br />
<!--T:66--><br />
In versions before 23.6, this behaviour can be improved by switching the SSH-browser type to "SCP (enhanced speed)" or "SCP (normal speed)".<br />
<br />
==== Use SSH key instead of password ==== <!--T:70--><br />
<br />
<!--T:71--><br />
With MobaXterm v24.0, to (1) allow downloads and (2) use your SSH key passphrase instead of your Digital Research Alliance of Canada password, make the following changes in the SSH tab of the Settings dialogue:<br />
<br />
<!--T:72--><br />
<ol><br />
<li>Uncheck "GSSAPI Kerberos"</li><br />
<li>Uncheck "Use external Pageant"</li><br />
<li>Check "Use internal SSH agent "MobAgent""</li><br />
<li>Use the "+" button to select SSH key file.</li><br />
</ol><br />
<br />
<!--T:73--><br />
The first image shows the default SSH settings and the second shows the changes described above:<br />
[[File:Ssh Settings Default|thumb|Default SSH Settings]]<br />
[[File:Ssh Settings Changes|thumb|Changes to correct download and login issue]]<br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
In order to connect to our clusters with PyCharm, you must set up your [[SSH Keys]] before connecting.<br />
<br />
<!--T:65--><br />
When you connect to a remote host in PyCharm, enter your username and the host you want to connect to. You will then be asked to enter a "One time password" during the authentication process. At this stage, use either your YubiKey or the passcode generated by Duo Mobile, depending on what you have set up in your account.<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, go to the application's preferences, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item and select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== Can I use Authy/Google Authenticator/Microsoft Authenticator? ==<br />
No. Only Duo Mobile will work.<br />
<br />
== I do not have a smartphone or tablet, and I do not want to buy a Yubikey == <!--T:55--><br />
Unfortunately, that means you will not be able to use our services when multifactor authentication becomes mandatory. A Yubikey hardware<br />
token is the cheapest way to enable multifactor authentication on your account, and is expected to be covered by the principal investigator's<br />
research funding like any other work-related hardware. Mandating multifactor authentication is a requirement from our funding bodies.<br />
<br />
== Why can't you send me one-time passcodes through SMS? == <!--T:56--><br />
Sending SMS messages costs money, which we do not have. SMS-based multifactor authentication is also widely regarded as insecure by security experts.<br />
<br />
== Why can't you send me one-time passcodes through email? == <!--T:57--><br />
No. Duo does not support sending one-time codes by email.<br />
<br />
== I have an older Android phone and I cannot download the Duo Mobile application from the Google Play site. Can I still use Duo? == <!--T:58--><br />
Yes. However, you have to download the application from the Duo website:<br />
<br />
<!--T:52--><br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
<!--T:53--><br />
For validation, official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
<!--T:54--><br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see this page].<br />
<br />
== I want to disable multifactor authentication. How do I do this? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future; therefore, users cannot disable it. Exceptions can only be granted for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client you are using. Our [[Multifactor_authentication#Recorded_webinars|recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list, answer as many of the questions as you can, and email the result to support@tech.alliancecan.ca.<br />
<br />
<!--T:30--><br />
* What is the primary email address registered in your account?<br />
* For how long have you had an active account with us?<br />
* What is your research area?<br />
* What is your IP address? (To see your IP address, point your browser to this [https://whatismyipaddress.com/ link].)<br />
* Who is the principal investigator sponsoring your account?<br />
* Who are your group members?<br />
* Who can we contact to validate your request?<br />
* Which clusters do you use the most?<br />
* Which modules do you load most often?<br />
* When did you run your last job?<br />
* Provide a few of your latest job IDs.<br />
* Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and Mac OS.<br />
* [[#Cyberduck|Cyberduck]]<br />
* [[#FileZilla|FileZilla]]<br />
* JuiceSSH on Android<br />
* [[#MobaXTerm|MobaXTerm]]<br />
* [[#PuTTY|PuTTY]]<br />
* [[#PyCharm|PyCharm]]<br />
* Termius on iOS<br />
* VSCode<br />
* [[#WinSCP|WinSCP]]<br />
<br />
<br />
== I need to have automated SSH connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information about this can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product; see the [https://help.duo.com/s/article/7544?language=en_US Duo help article]. You will need to use a VPN so that your connection appears to come from a country that is not affected.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the command line (<code>ykman</code>) ==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
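As an added example (not part of this page and not Yubico's or the Alliance's own code), the following Go program shows what a validation service does with the string a YubiKey types, as in the SSH example above: the 12-character public ID (vvcccctffclk in the ykman transcript) selects the enrolled secret key, the 32 characters that follow are decrypted with it, and the CRC and the ever-increasing counters are checked, which is why the Secret Key must be saved securely and why a captured OTP cannot be reused. The secret key and token field values are constructed, and BuildOTP stands in for the key's button press so the example runs without hardware.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"strings"
)

// A Yubico OTP is 44 modhex characters: 12 of public ID (sent in clear) followed
// by 32 holding one AES-128 block encrypted under the key's secret key.
const modhex = "cbdefghijklnrtuv" // the alphabet the key "types"

// Token is the decrypted block, reduced to the fields a validator acts on.
type Token struct {
	PublicID       string
	PrivateID      [6]byte // must match the private ID enrolled for PublicID
	SessionCounter uint16  // bumps on every power-up of the key
	SessionUse     uint8   // bumps on every press within one session
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 || len(s)%2 != 0 {
			return nil, fmt.Errorf("modhex: bad input %q", s)
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, x := range b {
		out = append(out, modhex[x>>4], modhex[x&0x0f])
	}
	return string(out)
}

// crc16 is CRC-16/X.25 as Yubico uses it (reflected poly 0x8408, init 0xffff). Over a
// block whose last two bytes hold the complemented CRC of the first fourteen it leaves 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1)
		}
	}
	return crc
}

// ParseOTP does what the validation service does with a pressed-out string.
func ParseOTP(otp string, secretKey []byte) (*Token, error) {
	if len(otp) != 44 || len(secretKey) != 16 {
		return nil, fmt.Errorf("otp: need 44 modhex characters and a 16-byte secret key")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return nil, err
	}
	c, _ := aes.NewCipher(secretKey) // key length checked above, so no error
	pt := make([]byte, 16)
	c.Decrypt(pt, ct) // exactly one block, so raw block decryption is the right mode
	if crc16(pt) != 0xf0b8 {
		return nil, fmt.Errorf("otp: CRC mismatch (wrong secret key or corrupted token)")
	}
	t := &Token{PublicID: otp[:12], SessionUse: pt[11]}
	copy(t.PrivateID[:], pt[0:6])
	t.SessionCounter = binary.LittleEndian.Uint16(pt[6:8])
	return t, nil
}

// IsReplay is true unless cur is strictly newer than the last token accepted for this key.
func IsReplay(last, cur *Token) bool {
	if cur.SessionCounter != last.SessionCounter {
		return cur.SessionCounter < last.SessionCounter
	}
	return cur.SessionUse <= last.SessionUse
}

// BuildOTP emulates a button press (constructed helper; timestamp and random bytes left zero).
func BuildOTP(t Token, secretKey []byte) string {
	pt := make([]byte, 16)
	copy(pt[0:6], t.PrivateID[:])
	binary.LittleEndian.PutUint16(pt[6:8], t.SessionCounter)
	pt[11] = t.SessionUse
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	c, _ := aes.NewCipher(secretKey) // constructed helper: always called with a 16-byte key
	ct := make([]byte, 16)
	c.Encrypt(ct, pt)
	return t.PublicID + modhexEncode(ct)
}

func main() {
	key := []byte("0123456789abcdef") // constructed secret key; ykman generates a real one
	first := Token{PublicID: "vvcccctffclk", PrivateID: [6]byte{1, 2, 3, 4, 5, 6}, SessionCounter: 7, SessionUse: 1}
	got, err := ParseOTP(BuildOTP(first, key), key)
	fmt.Println(err, *got, "replay of same OTP:", IsReplay(got, got))
}
```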
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=151490Multifactor authentication2024-03-27T15:34:30Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:61--><br />
{{Warning|title=Multifactor authentication is becoming mandatory<br />
|content=We strongly encourage you to enable MFA for your account, as this will be required to access our clusters as of April 15 2024. <br />
<br />
Enroll now to avoid being blocked from accessing our services.<br />
}}<br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in a situation when using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are not compatible because they don't all support the "Yubico OTP" function, which is required. We recommend using the YubiKey 5 Series, but older devices you may already have could work, see this [https://www.yubico.com/products/identifying-your-yubikey/ Yubico identification page] for reference.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $67 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
Multiple protocols are supported by YubiKeys. Our clusters use the Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster which supports MFA, you will be prompted to use your second factor after you first use either your password or your [[SSH Keys|SSH key]]. This prompt will look like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey, a backup code, or if you prefer to enter the time-based one-time password that the Duo Mobile application shows, you would write these instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Configuring your SSH client with ControlMaster, to only ask every so often (Linux and MacOS)=== <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration. With this setting, the first SSH session asks for the first and second factors, and subsequent SSH connections to that host from the same device reuse the first session's connection without asking for authentication; <code>ControlPersist 10m</code> keeps that connection alive in the background for up to 10 minutes after the last session using it has closed. Because the control socket created under <code>~/.ssh</code> hands an already-authenticated connection to any process running as your user, keep that directory accessible only to you (mode 700).<br />
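<br />
The following script, an added example that is not part of the Alliance documentation, applies the configuration above without duplicating it on repeated runs, locks down the directory that will hold the control sockets, and shows how to check or end a live master connection. The function names are this example's own; the host name is the <code>cluster.computecanada.ca</code> used in the prompts above.<br />

```sh
#!/bin/sh
# Added example (not from the Alliance documentation): apply the ControlMaster
# stanza above to an OpenSSH client config idempotently, make the socket
# directory private, and check whether a master connection is currently alive.
# Function names are this example's own.

# controlmaster_stanza HOST
# Print the stanza the documentation recommends for one host. 10m is the
# documented value: the master lingers 10 minutes after the last session
# using it closes.
controlmaster_stanza() {
    printf 'Host %s\n' "$1"
    printf 'ControlPath ~/.ssh/cm-%%r@%%h:%%p\n'
    printf 'ControlMaster auto\n'
    printf 'ControlPersist 10m\n'
}

# add_controlmaster_host HOST CONFIG
# Append the stanza to CONFIG unless a "Host HOST" block is already there,
# so the function can be re-run safely. Returns 0 when exactly one such
# block exists afterwards. (HOST is used as a regex, so "." matches any
# character; that is acceptable for an idempotency check on a host name.)
add_controlmaster_host() {
    host="$1"
    config="$2"
    sshdir=$(dirname "$config")
    mkdir -p "$sshdir"
    # The control sockets give any process running as you an authenticated
    # session, so nobody else may read or traverse this directory.
    chmod 700 "$sshdir"
    pattern="^[[:space:]]*Host[[:space:]]+$host([[:space:]]|\$)"
    if ! grep -qE "$pattern" "$config" 2>/dev/null; then
        {
            [ -s "$config" ] && printf '\n'
            controlmaster_stanza "$host"
        } >> "$config"
    fi
    chmod 600 "$config"
    [ "$(grep -cE "$pattern" "$config")" -eq 1 ]
}

# controlmaster_status HOST [CONFIG]
# "ssh -O check" exits 0 when a master for HOST is running; a live master
# means the next ssh/scp/sftp to HOST will not prompt for either factor.
controlmaster_status() {
    host="$1"
    config="${2:-$HOME/.ssh/config}"
    if ssh -F "$config" -O check "$host" 2>/dev/null; then
        echo "master alive for $host: new sessions reuse it, no MFA prompt"
    else
        echo "no master for $host: the next connection will ask for both factors"
    fi
}

# controlmaster_stop HOST [CONFIG]
# Ask a live master to exit, for example before leaving a shared workstation,
# so the cached authentication cannot be reused by anyone at the keyboard.
controlmaster_stop() {
    ssh -F "${2:-$HOME/.ssh/config}" -O exit "$1" 2>/dev/null
}
```

Run <code>add_controlmaster_host cluster.computecanada.ca ~/.ssh/config</code> once; <code>controlmaster_status cluster.computecanada.ca</code> then tells you whether the next connection will prompt.<br />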
<br />
<!--T:41--><br />
Note that the ControlMaster mechanism above (also called multiplexing) does not work with native Windows; on Windows, you will need the [https://learn.microsoft.com/en-gb/windows/wsl/about Windows Subsystem for Linux] instead. [https://docs.alliancecan.ca/wiki/Configuring_WSL_as_a_ControlMaster_relay_server See the section below].<br />
<br />
=== [[Configuring WSL as a ControlMaster relay server]] (Windows) === <!--T:67--><br />
Disclaimer: This is still an experimental procedure. Your feedback is welcome.<br />
<br />
<!--T:68--><br />
With this procedure you can leverage ControlMaster under WSL so that you can log in to the clusters from several native Windows applications for a certain period without completing MFA for every session.<br />
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command-line clients typically support multifactor authentication without additional configuration. This is, however, often not the case for graphical clients. Below are instructions specific to a few of them.<br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask for the password and second factor each time a transfer is initiated because, by default, transfers use independent connections which are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to “1” in “Site Manager” => “Transfer Settings tab”; note that you’ll then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
=== Niagara special case === <!--T:59--><br />
Connections in FileZilla can only be configured to use either SSH keys or interactive prompts, not both. Since Niagara requires both an SSH key and an MFA prompt, using FileZilla is challenging. We recommend using a different SCP client with better support for interactive prompts, but one possible workaround is to:<br />
<br />
<!--T:60--><br />
# Attempt to connect with an SSH key. This will fail because of the interactive prompt for the second factor. FileZilla will then remember your key. <br />
# Change the login method to interactive and attempt to connect again. You will then receive the 2FA prompt.<br />
<br />
== MobaXTerm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
==== Prompt on file transfer ==== <!--T:69--><br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which causes a mandatory second prompt for your second factor of authentication.<br />
<br />
<!--T:66--><br />
In versions before 23.6, this behaviour can be improved by switching the SSH-browser type to "SCP (enhanced speed)" or "SCP (normal speed)".<br />
<br />
==== Use SSH key instead of password ==== <!--T:70--><br />
<br />
<!--T:71--><br />
With MobaXterm v24.0, to (1) allow downloads and (2) use your SSH key passphrase instead of your Digital Research Alliance of Canada password, make the following changes to the SSH settings (SSH tab of the Settings dialogue):<br />
<br />
<!--T:72--><br />
# Uncheck "GSSAPI Kerberos"<br />
# Uncheck "Use external Pageant"<br />
# Check "Use internal SSH agent 'MobAgent'"<br />
# Use the "+" button to select your SSH key file.<br />
<br />
<!--T:73--><br />
The first image shows the default SSH settings and the second image shows the changes described above:<br />
[[File:Ssh Settings Default|thumb|Default SSH Settings]]<br />
[[File:Ssh Settings Changes|thumb|Changes to correct download and login issue]]<br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
To connect to our clusters with PyCharm, you must set up your [[SSH Keys]] before connecting.<br />
<br />
<!--T:65--><br />
When you connect to a remote host in PyCharm, enter your username and the host you want to connect to. You will then be asked to enter a "One time password" during the authentication process. At this stage, use either your YubiKey or the passcode generated by the Duo Mobile application, depending on what you have set up in your account.<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, go to the application's preferences, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item and select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== Can I use Authy/Google Authenticator/Microsoft Authenticator? ==<br />
No. Only Duo Mobile will work.<br />
<br />
== I do not have a smartphone or tablet, and I do not want to buy a YubiKey == <!--T:55--><br />
Unfortunately, that means you will not be able to use our services when multifactor authentication becomes mandatory. A YubiKey hardware token is the cheapest way to enable multifactor authentication on your account, and is expected to be covered by the principal investigator's research funding like any other work-related hardware. Mandating multifactor authentication is a requirement from our funding bodies.<br />
<br />
== Why can't you send me one-time passcodes through SMS? == <!--T:56--><br />
Sending SMS messages costs money which we do not have. Multifactor authentication using SMS is also widely regarded as insecure by most security experts.<br />
<br />
== Why can't you send me one-time passcodes through email? == <!--T:57--><br />
Duo does not support sending one-time codes through email.<br />
<br />
== I have an older Android phone and I cannot download the Duo Mobile application from the Google Play site. Can I still use Duo? == <!--T:58--><br />
Yes. However, you have to download the application from the Duo website:<br />
<br />
<!--T:52--><br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
<!--T:53--><br />
For validation, official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here]; compare the checksum of the downloaded APK against them before installing it.<br />
<br />
<!--T:54--><br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see this page].<br />
<br />
== I want to disable multifactor authentication. How do I do this? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future; therefore, users cannot disable it. Exceptions can only be granted for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client you are using. Our [[Multifactor_authentication#Recorded_webinars|recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list providing answers to as many questions as you can. Email this information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
* What is the primary email address registered in your account?<br />
* For how long have you had an active account with us?<br />
* What is your research area?<br />
* What is your IP address? (To see your IP address, point your browser to this [https://whatismyipaddress.com/ link].)<br />
* Who is the principal investigator sponsoring your account?<br />
* Who are your group members?<br />
* Who can we contact to validate your request?<br />
* Which clusters do you use the most?<br />
* Which modules do you load most often?<br />
* When did you run your last job?<br />
* Provide a few of your latest job IDs.<br />
* Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and macOS.<br />
* [[#Cyberduck|Cyberduck]]<br />
* [[#FileZilla|FileZilla]]<br />
* JuiceSSH on Android<br />
* [[#MobaXTerm|MobaXTerm]]<br />
* [[#PuTTY|PuTTY]]<br />
* [[#PyCharm|PyCharm]]<br />
* Termius on iOS<br />
* VSCode<br />
* [[#WinSCP|WinSCP]]<br />
<br />
<br />
== I need to have automated SSH connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information about this can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You will need to use a VPN to circumvent this, so that your connection appears to come from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>) ==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it. In the example below, <code>-P</code> sets the public ID, <code>-g</code> and <code>-G</code> generate a random private ID and secret key, <code>-u</code> uploads the credential to YubiCloud so that it can be validated, and the trailing <code>2</code> is the slot number.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=151406Multifactor authentication2024-03-26T18:49:24Z<p>Mboisson: Marked this version for translation</p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:61--><br />
{{Warning|title=Multifactor authentication is becoming mandatory<br />
|content=We strongly encourage you to enable MFA for your account, as this will be required to access our clusters as of April 2024. <br />
<br />
<!--T:62--><br />
In order to get users enrolled progressively, we will institute periodic blackouts starting on February 6, 2024, which will gradually increase in scope until April of 2024. During these periods, users who have not enrolled into MFA will be unable to connect to certain clusters. The blackout periods are scheduled to occur on Tuesdays, between 12:00 PM and 4:00 PM ET. The clusters which will be subjected to blackouts are:<br />
<br />
<!--T:63--><br />
* Niagara: February 6 and 13<br />
* Niagara and Cedar: February 20 and 27<br />
* Niagara, Cedar and Graham: March 5 and 12<br />
* All clusters: March 19 and 26<br />
<br />
<!--T:64--><br />
Enroll now to avoid being blocked from accessing our services.<br />
}}<br />
<br />
== I need to have automated SSH connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information about this can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You'll need to use a VPN to circumvent this, to make it appear you're coming from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>)==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Torch&diff=151100Torch2024-03-20T15:18:33Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
{{Outdated}}<br />
<br />
<translate><br />
<!--T:1--><br />
[[Category:Software]][[Category:AI and Machine Learning]]<br />
"[http://torch.ch/ Torch] is a scientific computing framework with wide support for machine learning algorithms that puts GPUs first. It is easy to use and efficient, thanks to an easy and fast scripting language, LuaJIT, and an underlying C/CUDA implementation." <br />
<br />
<!--T:2--><br />
Torch has a distant relationship to PyTorch.<ref>See https://stackoverflow.com/questions/44371560/what-is-the-relationship-between-pytorch-and-torch, https://www.quora.com/What-are-the-differences-between-Torch-and-Pytorch, and https://discuss.pytorch.org/t/torch-autograd-vs-pytorch-autograd/1671/4 for some attempts to explain the connection.</ref> PyTorch provides a [[Python]] interface to software with similar functionality, but PyTorch is not dependent on Torch. See [[PyTorch]] for instructions on using it.<br />
<br />
<!--T:3--><br />
Torch depends on [[CUDA]]. In order to use Torch you must first load a CUDA module, like so:<br />
<br />
<!--T:4--><br />
{{Command|module load cuda torch}}<br />
<br />
== Installing Lua packages == <!--T:5--><br />
Torch comes with the Lua package manager, named [https://luarocks.org/ luarocks]. Run<br />
luarocks list<br />
to see a list of installed packages.<br />
<br />
<!--T:13--><br />
If you need some package which does not appear on the list, use the following to install it in your own folder: <br />
<br />
<!--T:6--><br />
{{Command|luarocks install --local --deps-mode{{=}}all <package name>}}<br />
<br />
<!--T:9--><br />
If after this installation you are having trouble finding the packages at runtime, add the following command<ref> https://github.com/luarocks/luarocks/wiki/Using-LuaRocks#Rocks_trees_and_the_Lua_libraries_path </ref> right before running the <code>lua your_program.lua</code> command:<br />
<br />
<!--T:10--><br />
eval $(luarocks path --bin)<br />
<br />
<!--T:11--><br />
In our experience, some packages do not install well with <tt>luarocks</tt>. If you have a package that is not installed in the default module and need help installing it, please contact our [[Technical support]].<br />
<br />
<!--T:12--><br />
<references /><br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication/fr&diff=151051Multifactor authentication/fr2024-03-13T17:16:49Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<br />
{{Warning|title=Multifactor authentication is becoming mandatory<br />
|content=We strongly encourage you to configure this feature as soon as possible, because a second factor will be required to access all of our compute clusters as of April 2024. <br />
<br />
As a reminder to enable multifactor authentication, the feature will be required on Tuesdays between noon and 4 p.m. (ET) to connect to:<br />
<br />
* Niagara, on February 6 and 13<br />
* Niagara and Cedar, on February 20 and 27<br />
* Niagara, Cedar and Graham, on March 5 and 12<br />
* all clusters, on March 19 and 26<br />
<br />
Configure your account as early as possible so that you can access all of our services.<br />
}}<br />
<br />
Multifactor authentication allows you to protect your account with more than a simple password. Once your account is configured to use this feature, you will need to enter your password as usual, but additionally perform a second action (the <i>second factor</i>) to access most of our services.<br />
<br />
Choose this second authentication step from the following factors:<br />
*approve a notification on your smart device in the Duo Mobile application;<br />
*enter a code generated on demand;<br />
*press a button on a hardware key (YubiKey).<br><br />
<br />
Multifactor authentication will be deployed gradually. This feature will therefore not be immediately available for all of our services.<br />
<br />
= Webinars to watch =<br />
These two webinars were recorded in October 2023: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (in French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (in English)<br />
<br />
= Registering factors =<br />
== Register multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> registering at least two options for your second factor. For example, you can use your phone and one-time codes; your phone and a YubiKey; or two YubiKeys. That way, if one of these options cannot be used, you will have another factor to access your account.<br />
<br />
== Use a phone or tablet ==<br />
<br />
#Install the Duo Mobile application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or from [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure you have the right application (see the icon below). TOTP applications such as Aegis, Google Authenticator and Microsoft Authenticator <b>are not compatible</b> with Duo and cannot scan the QR code.<br />
#Log into your account and click on <i>My account → [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name to identify your device. Click on <i>Continue</i> to display a QR code. <br />
#In the Duo Mobile application, click on the <b>+</b> sign or on <i>Add account</i>.<br />
#Tap <i>Use QR code</i>.<br />
#Scan the QR code displayed in the CCDB. <b>Important: to scan the QR code, your device must have internet access via Wi-Fi or a cellular network.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey ==<br />
YubiKeys are hardware keys produced by [https://www.yubico.com/ Yubico]. If you do not have a smartphone or tablet, if you do not want to use these devices for multifactor authentication, or if it is often impossible for you to use them, a YubiKey 5 would be your best choice.<br />
<br />
<b>Note that YubiKey models that do not support the YubiKey OTP function are not compatible, since this function is required. We recommend the YubiKey 5 series, but some older models may work. For details, see [https://www.yubico.com/products/identifying-your-yubikey/]. </b><br />
<br />
About the size of a small USB key, YubiKey 5 keys cost between 50 and 100 dollars. Different models are compatible with USB-A, USB-C and Lightning ports, and some allow near-field communication (NFC) with a phone or tablet.<br />
<br />
YubiKeys support several protocols. Our clusters use Yubico OTP (<i>one-time password</i>). Once your key is registered to your account as an authentication factor, when you attempt to connect to one of our clusters you will be asked to enter a one-time password (OTP). You then press the button on the key, which generates a 32-character string that forms the password to enter. You do not need the keyboard; the key connects to your computer and enters the 32-character string itself when you touch the button.<br />
<br />
To register your YubiKey, enter its public ID, private ID and secret key in the <i>[https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management]</i> page. If this information is not available, configure your key as follows.<br />
<br />
=== Configure your YubiKey for Yubico OTP ===<br />
<br />
# Download and install YubiKey Manager from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert the YubiKey and launch YubiKey Manager.<br />
# In YubiKey Manager, click on <i>Applications</i> and then on <i>OTP</i> (see the images below).<br />
# Here you can configure one of two options. <i>Short Touch (Slot 1)</i> corresponds to a short touch (1 to 2.5 seconds) and <i>Long Touch (Slot 2)</i> corresponds to a longer touch (3 to 5 seconds). Option 1 is generally pre-registered for Yubico Cloud. If you already use this option for other services, configure option 2 instead, or click on <i>Swap</i> to transfer the configuration of option 1 to option 2, then configure option 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i> to generate a private ID and a secret key. <b>Make a copy of both IDs and of the secret key before clicking on <i>Finish</i>, because you will need them in the next step</b>. Keep this window open.<br />
# <b>IMPORTANT: make sure you have clicked on <i>Finish</i> in the previous step.</b><br />
# Log into the CCDB and click on <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i> to enter the data for your key.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Steps 6 and 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Authentication =<br />
== Connecting to a cluster via SSH == <br />
If multifactor authentication is enabled for your account and you connect via SSH to a cluster that supports this feature, you must first pass the first authentication with your password or your [[SSH Keys/fr|SSH key]]. The following will be displayed for the second authentication: <br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
Enter a passcode or select one of the following options:<br />
<br />
1. Duo Push to My phone (iOS)<br />
<br />
Passcode or option (1-1):}}<br />
<br />
You can now indicate the phone or tablet that will receive a notification from Duo. If you have registered several devices, a list will be displayed from which you can select the device of your choice. You only need to approve the notification to confirm your second authentication.<br />
<br />
If you use a YubiKey or a previously saved code, or if you prefer to enter the time-limited one-time password that Duo Mobile displays, do not select an option; instead, enter the code, for example <br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
Enter a passcode or select one of the following options:<br />
<br />
1. Duo Push to My phone (iOS)<br />
<br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Occasionally skipping the second authentication with ControlMaster ===<br />
If you connect with OpenSSH, you can configure your SSH client to reduce how often you need to use the second authentication. Edit <code>.ssh/config</code> by adding the following lines:<br />
<br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
Replace <code>HOSTNAME</code> with the hostname of the server you want to configure. This will let you open a first SSH session with the first and second factors, while subsequent SSH connections from the same device reuse the connection of that first session (without asking you to authenticate) as long as the first session is recent.<br />
<br />
Note that the ControlMaster multiplexing mechanism does not work under native Windows; in that case you will need the [https://learn.microsoft.com/fr-fr/windows/wsl/about Windows Subsystem for Linux].<br />
<br />
== Connecting to your account ==<br />
If multifactor authentication is enabled for your account, you must first pass the first authentication with your username and password. The following will be displayed for the second authentication: <br />
<br><br />
(Note: <i>this is not the final window</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients =<br />
Command-line clients generally support multifactor authentication without further configuration. However, this is often not the case for graphical clients. Below you will find specific instructions for some of them. <br />
<br />
== FileZilla == <br />
FileZilla asks for the password and the second factor each time a transfer is initiated, because by default transfers use separate connections that are automatically closed after a certain period of inactivity.<br />
<br />
To avoid entering the password and the second factor several times, you can limit the number of connections to each site to "1" in <i>Site Manager => Transfer settings</i>; note that you will then lose the ability to browse the server during transfers.<br />
<br />
# Launch FileZilla and select <i>Site Manager</i>.<br />
# In <i>Site Manager</i>, edit an existing site or create a new site.<br />
# Under the <i>General</i> tab, enter the following choices:<br />
#* <i>Protocol: SFTP – SSH File Transfer Protocol</i><br />
#* <i>Host:</i> [hostname of the login cluster]<br />
#* <i>Logon type: Interactive</i><br />
#* <i>User:</i> [your username]<br />
# Under the <i>Transfer settings</i> tab:<br />
#* check the box <i>Limit number of simultaneous connections</i> <br />
#* <i>Maximum number of connections: 1</i><br />
# Click on <i>OK</i> to save the connection.<br />
# Test the connection.<br />
<br />
=== Niagara, a special case ===<br />
FileZilla can be configured to use either an SSH key or an interactive prompt, but not both at once. Since both an SSH key and a second factor are needed to connect to Niagara, this poses a problem. We recommend using an SCP client with better support for interactive prompts, or alternatively<br />
<br />
# connect anyway with an SSH key; the interactive prompt will cause the connection to fail, but FileZilla will remember the key;<br />
# then change the logon method to interactive and connect again; the prompt for your second factor will then work.<br />
<br />
== MobaXTerm == <br />
Install version 23.1 or a more recent version.<br />
<br />
When connecting to a remote server, MobaXTerm by default establishes two connections: a first one for the terminal and a second one to browse remote files. Since the browser uses the <i>SFTP protocol</i> by default, your second authentication factor is requested a second time.<br />
<br />
With versions prior to 23.6, this behaviour can be improved by changing the SSH browser type from <i>SCP (enhanced speed)</i> to <i>SCP (normal speed)</i>.<br />
<br />
== PuTTY ==<br />
Install version 0.72 or a more recent version. <br />
<br />
== WinSCP == <br />
Make sure you are using [[SSH Keys/fr|SSH keys]]. <br />
<br />
== PyCharm == <br />
You must configure your [[SSH Keys/fr|SSH keys]] before connecting to our clusters with PyCharm.<br />
<br />
When you connect to a remote host, enter your username and the name of the host you want to connect to. You must then enter a one-time password (<i>One-time password</i>) to authenticate. Depending on how your account is configured, use your YubiKey or the password generated in Duo.<br />
<br />
== Cyberduck ==<br />
By default, Cyberduck opens a new connection for each file transfer and asks for your second factor each time. To change this, open the preferences, go to <i>Transfers</i>, <i>General</i> tab, and in the <i>Transfer Files</i> drop-down menu select <i>Use browser connection</i>.<br />
<br />
Make sure not to check the box for <i>Segmented downloads with multiple connections per file</i>.<br />
<br />
[[File:CyberduckFRN.png|400px|Configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions =<br />
== Can I use Authy or Google or Microsoft authentication? ==<br />
No, you must use Duo Mobile.<br />
<br />
== I do not have a tablet or a smartphone and I do not want to buy a YubiKey ==<br />
Unfortunately, you will not be able to use our services once multifactor authentication becomes mandatory, which is a requirement of the organizations that fund the Alliance. A YubiKey is the most economical way to authenticate and is among the hardware generally funded as part of research projects.<br />
<br />
== Can you send me one-time passcodes via SMS? ==<br />
We would then have to cover the sending costs, which we cannot do. Also, this method is not foolproof in the opinion of most security specialists.<br />
<br />
== Can you send me one-time passcodes by email? ==<br />
No, this is not supported by Duo.<br />
<br />
== I have an old Android phone and I cannot find the Duo Mobile application in Google Play. Can I still use Duo? ==<br />
Yes, but you will have to download the application from the Duo website:<br />
<br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
For validation, the official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see the details here].<br />
<br />
== I want to disable multifactor authentication. How do I proceed? ==<br />
This feature will soon be mandatory and it cannot be disabled. We grant exceptions only for automated processes. If multifactor authentication bothers you, we suggest using one of the configurations described above, depending on the SSH client you use. You will find other suggestions in [[Multifactor_authentication/fr#Webinaires_à_voir|these webinars]]. <br />
<br />
== I do not have a tablet or a smartphone that is recent enough. How can I use multifactor authentication? ==<br />
You can [[Multifactor authentication/fr#Pour_utiliser_une_clé_YubiKey|use a YubiKey]].<br />
<br />
== I have lost a device I was using as a second factor. What can I do? ==<br />
* If you have configured several devices or generated backup codes, use that other method to [https://ccdb.alliancecan.ca/multi_factor_authentications access your account]. In the list of registered devices, delete the one you lost and register the new device.<br />
* If you have not saved any backup codes and you no longer have any of the devices you configured, copy the following list and add as many details as you can. Send this information to support@tech.alliancecan.ca. <br />
<br />
What is the primary email address registered in your account?<br />
For how long have you had an active account with us?<br />
What is your research area?<br />
What is your IP address? (to find your IP address, [https://whatismyipaddress.com/ click on this link])<br />
What is the name of the principal investigator sponsoring you?<br />
Who are the members of your group?<br />
Who can we contact regarding your request?<br />
Which clusters do you use the most?<br />
Which modules do you load most often?<br />
When was the last job you submitted?<br />
List the IDs of some of your most recent jobs.<br />
Describe the topics and give the IDs of your most recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? ==<br />
* Most command-line SSH clients, such as those available on Linux or Mac OS<br />
* [[Multifactor authentication/fr#Cyberduck|Cyberduck]]<br />
* [[Multifactor authentication/fr#FileZilla|FileZilla]]<br />
* JuiceSSH on Android<br />
* [[Multifactor authentication/fr#MobaXTerm|MobaXTerm]]<br />
* [[Multifactor authentication/fr#PuTTY|PuTTY]]<br />
* [[Multifactor authentication/fr#PyCharm|PyCharm]]<br />
* Termius on iOS<br />
* VSCode<br />
* [[Multifactor authentication/fr#WinSCP|WinSCP]]<br />
<br />
<br />
== I need SSH connections made automatically to the clusters from my account; can I use multifactor authentication? ==<br />
We are currently preparing login nodes that will be reserved for automated processes. For more information, see [[Automation_in_the_context_of_multifactor_authentication/fr|Automated workflows and multifactor authentication]].<br />
<br />
== Message <i>Access denied. Duo Security does not provide services in your current location</i> ==<br />
This is because Duo is a United States product (see [https://help.duo.com/s/article/7544?language=en_US Duo help]). To work around this, you must use a VPN connection and appear to be in a country from which access is permitted.<br />
<br />
= Advanced features =<br />
== Configure your YubiKey for Yubico OTP via the command line (<code>ykman</code>)==<br />
# Install the YubiKey Manager command-line software (<code>ykman</code>) following the instructions for your operating system in the [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read the key information with the command <code>ykman info</code>.<br />
# Read the OTP information with the command <code>ykman otp info</code>.<br />
# Choose between Slot 1 and Slot 2 and run the command <code>ykman otp yubiotp</code> to program that slot.<br />
# <b>In a secure place, keep a copy of the public ID, the private ID and the secret key; they will be needed in the next step.</b><br />
# Log into the CCDB to register your key in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i> page.<br />
<br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Translations:Multifactor_authentication/58/fr&diff=151050Translations:Multifactor authentication/58/fr2024-03-13T17:16:21Z<p>Mboisson: </p>
<hr />
<div>== I have an old Android phone and I cannot find the Duo Mobile application in Google Play. Can I still use Duo? ==<br />
Yes, but you will have to download the application from the Duo website:</div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Automation_in_the_context_of_multifactor_authentication&diff=150945Automation in the context of multifactor authentication2024-03-07T20:17:02Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<translate><br />
<br />
<!--T:1--><br />
Automated workflows which connect to the clusters without human intervention cannot make use of a second authentication factor. In order to execute such workflows after MFA becomes a requirement, you must request access to one of our special nodes. These nodes will not require the use of a second factor, but will be otherwise much more limited than regular login nodes in terms of the type of authentication they accept and the type of action that they can be used to perform.<br />
<br />
= Increased security restrictions = <!--T:2--><br />
== Available only by request ==<br />
Users who need to make use of automated workflows for their research must first contact our [[technical support]] to be allowed to use these nodes. When contacting us, please explain in detail the type of automation you intend to use as part of your workflow. Tell us what commands will be executed and what tools or libraries you will be using to manage the automation.<br />
<br />
== Available only through restricted SSH keys == <!--T:3--><br />
The only accepted means of authentication for the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <i>.ssh/authorized_keys</i> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints. <br />
<br />
=== <code>restrict</code> === <!--T:4--><br />
This constraint disables port forwarding, agent forwarding, and X11 forwarding. It also disables the pseudo teletype (PTY), blocking most interactive workloads. This is required because these automation nodes are not intended to be used to start long-running or interactive processes. Regular login nodes must be used instead. <br />
<br />
=== <code>from="pattern-list"</code> === <!--T:5--><br />
This constraint specifies that the key can only be used from IP addresses that match the patterns. This is to ensure that this key is not used from computers other than the ones intended. The patterns list must include only IP addresses that fully specify at least the network class, the network, and the subnet, which are the first 3 sections of an IP address. For example, <code>192.168.*.*</code> would not be accepted, but <code>192.168.1.*</code> would be accepted. <br />
<br />
=== <code>command="COMMAND"</code> === <!--T:6--><br />
This constraint forces the command <code>COMMAND</code> to be executed when the connection is established. This is so that you may restrict which commands can be used with this key. <br />
<br />
== Convenience wrapper scripts to use for <code>command=</code> == <!--T:7--><br />
<code>command</code> constraints can specify any command, but they are most useful when using a wrapper script which will accept or reject commands based on which command is being called. You can write your own script, but for convenience, we provide a number of such scripts which will allow common actions. These scripts are defined in [https://github.com/ComputeCanada/software-stack-custom/tree/main/bin/computecanada/allowed_commands this git repository].<br />
<br />
<!--T:8--><br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh</code> will allow only file transfers, such as <code>scp</code>, <code>sftp</code> or <code>rsync</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/archiving_commands.sh</code> will allow commands to archive files, such as <code>gzip</code>, <code>tar</code> or <code>dar</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/file_commands.sh</code> will allow commands to manipulate files, such as <code>mv</code>, <code>cp</code> or <code>rm</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/git_commands.sh</code> will allow the <code>git</code> command.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh</code> will allow some Slurm commands, such as <code>squeue</code> or <code>sbatch</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/allowed_commands.sh</code> will allow all of the above.<br />
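As an added illustration of how a <code>command=</code> wrapper enforces the restriction (this is example code, not one of the Alliance-provided scripts listed above, whose logic may differ): sshd runs the forced command with the client's original request in <code>SSH_ORIGINAL_COMMAND</code>, and the script decides whether to execute it. The <code>sftp-server</code> path is an assumption; it varies by distribution.<br />

```shell
#!/bin/sh
# Added example of a command= wrapper for an automation-node key. It is not one
# of the Alliance-provided allowed_commands scripts; it shows the pattern such a
# script implements. When a key carries command="...", sshd runs this script
# instead of whatever the client requested and exports the original request in
# SSH_ORIGINAL_COMMAND (unset when the client asked for an interactive shell).
# This wrapper admits only the transfer clients named on the page: scp, sftp
# (arrives as a subsystem request) and rsync (remote side is "rsync --server").

# Server-side sftp binary; this path is an assumption and varies by distribution.
SFTP_SERVER=${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}

# transfer_command_for REQUEST
# Prints the command line to execute and returns 0 when REQUEST is acceptable;
# prints nothing and returns 1 otherwise.
transfer_command_for() {
    req=$1
    nl='
'
    # No request at all means the client wanted a shell: refuse.
    [ -n "$req" ] || return 1
    # The forced command is interpreted by the user's shell, so refuse any
    # character that could chain a second command or redirect output.
    case $req in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'>'*|*'<'*|*'('*|*')'*|*"$nl"*)
            return 1 ;;
    esac
    prog=${req%% *}      # first word of the request
    prog=${prog##*/}     # ignore any directory prefix
    case $prog in
        scp)
            # Legacy scp protocol: "scp -t DIR" (upload) or "scp -f FILE" (download).
            printf '%s\n' "$req" ;;
        rsync)
            # The remote side of an rsync transfer is always "rsync --server ...".
            case $req in
                'rsync --server '*) printf '%s\n' "$req" ;;
                *) return 1 ;;
            esac ;;
        sftp)
            # Subsystem request: sshd sets SSH_ORIGINAL_COMMAND to exactly "sftp".
            [ "$req" = sftp ] || return 1
            printf '%s\n' "$SFTP_SERVER" ;;
        *)
            return 1 ;;
    esac
}

# Entry point when sshd runs this file as the forced command. It is guarded on
# SSH_CONNECTION so the function can be sourced and tested without executing
# anything; sshd sets that variable for every session.
if [ -n "${SSH_CONNECTION:-}" ]; then
    client=${SSH_CONNECTION%% *}
    if cmd=$(transfer_command_for "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -p auth.info -t transfer_wrapper "accepted from $client: $cmd"
        eval "exec $cmd"
    else
        logger -p auth.warning -t transfer_wrapper \
            "rejected from $client: ${SSH_ORIGINAL_COMMAND:-<no command>}"
        printf 'This key permits only scp, sftp and rsync transfers.\n' >&2
        exit 1
    fi
fi
```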
<br />
== Examples of accepted SSH keys == <!--T:9--><br />
SSH keys must include all three of the above constraints to be accepted. <br />
For example, the following key would be accepted, and could only be used for transferring files (through <code>scp</code>, <code>sftp</code> or <code>rsync</code>, for example): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
while this one would only allow Slurm commands (squeue, scancel, sbatch, scontrol, sq): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
<br />
{{Warning|title=Warning|content=<br />
The restrictions must be added directly as text in front of your key, before uploading the complete string in [https://ccdb.alliancecan.ca/ssh_authorized_keys your account]. <br />
}}<br />
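An added example (not an Alliance tool) of a shell check that a key line satisfies the three constraints before it is uploaded; the sample key data in it is a constructed placeholder, not a real key.<br />

```shell
#!/bin/sh
# Added example: a pre-upload check for an automation-node authorized_keys line.
# This is not an Alliance tool; it encodes the three constraints described on
# the page (restrict, from= with at least the first three octets fixed, and
# command=) so that a key line can be checked before it is pasted into CCDB.

# One from= pattern: three numeric octets, then a number or the "*" wildcard
# (192.168.1.* passes, 192.168.*.* does not).
FROM_PATTERN='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.([0-9]{1,3}|\*)$'

# check_key_line LINE
# Returns 0 when LINE satisfies every constraint; otherwise reports each
# problem on stderr and returns 1.
check_key_line() {
    line=$1
    ok=0
    # The option field ends where the key-type token begins.
    case " $line" in
        *' ssh-'*)   opts=${line%%ssh-*} ;;
        *' ecdsa-'*) opts=${line%%ecdsa-*} ;;
        *) echo 'no SSH key type found' >&2; return 1 ;;
    esac
    opts=${opts% }   # drop the space that separated options from the key
    # restrict must appear as a bare option (delimited by commas or line ends).
    case ",$opts," in
        *,restrict,*) ;;
        *) echo 'missing restrict' >&2; ok=1 ;;
    esac
    # command="..." must be present and non-empty.
    printf '%s\n' "$opts" | grep -Eq '(^|,)command="[^"]+"' \
        || { echo 'missing command="COMMAND"' >&2; ok=1; }
    # from="..." must be present and every pattern in it must fix three octets.
    from=$(printf '%s\n' "$opts" | sed -n 's/.*from="\([^"]*\)".*/\1/p')
    if [ -z "$from" ]; then
        echo 'missing from="pattern-list"' >&2; ok=1
    else
        oldifs=$IFS; IFS=,
        set -f           # patterns contain "*": do not let the shell glob them
        for pat in $from; do
            printf '%s\n' "$pat" | grep -Eq "$FROM_PATTERN" \
                || { echo "from= pattern '$pat' does not fix the first three octets" >&2; ok=1; }
        done
        set +f; IFS=$oldifs
    fi
    # The key itself must be a supported type followed by base64 key data.
    printf '%s\n' "$line" | grep -Eq '(^| )(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*' \
        || { echo 'key type or key data not recognised' >&2; ok=1; }
    return $ok
}

# Constructed sample for a stand-alone run (placeholder key data, not a real key).
SAMPLE='restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATAONLYNOTAREALKEY'
check_key_line "$SAMPLE" && echo 'sample key line satisfies all three constraints'
```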
<br />
= Automation nodes for each cluster = <!--T:13--><br />
Here is the hostname of the node to be used for unattended connections on each cluster: <br />
* Cedar: robot.cedar.alliancecan.ca<br />
* Graham: robot.graham.alliancecan.ca<br />
* Béluga: robot.beluga.alliancecan.ca<br />
* Narval: robot.narval.alliancecan.ca<br />
* Niagara: robot.niagara.alliancecan.ca<br />
<br />
= Using the right key = <!--T:10--><br />
If you have multiple keys on your computer, you need to be careful to use the correct key. This is typically done by passing parameters to the command you are using. Below are a few examples. <br />
<br />
<!--T:11--><br />
With <code>ssh</code> or <code>scp</code>:<br />
{{Command|ssh -i .ssh/private_key_to_use ...}}<br />
{{Command|scp -i .ssh/private_key_to_use ...}}<br />
<br />
<!--T:12--><br />
With <code>rsync</code>: <br />
{{Command|rsync -e "ssh -i .ssh/private_key_to_use" ...}}<br />
<br />
<!--T:14--><br />
It's often much more convenient to put these parameters into your ~/.ssh/config file, so that they are picked up by every ssh client invocation. For instance:<br />
<pre><br />
host robot<br />
hostname robot.cluster.alliancecan.ca<br />
user myrobot<br />
identityfile ~/.ssh/my-robot-key<br />
identitiesonly yes<br />
requesttty no<br />
</pre><br />
<br />
<!--T:15--><br />
This means that the following kinds of commands will do what you want:<br />
{{Command|ssh robot /usr/bin/ls}}<br />
{{Command|rsync -a datadir/a robot:scratch/testdata}}<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Automation_in_the_context_of_multifactor_authentication/fr&diff=150944Automation in the context of multifactor authentication/fr2024-03-06T18:26:01Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
Workflows that connect to our clusters without human intervention cannot use a second factor. With multifactor authentication mandatory, you must request access to one of the special nodes reserved for automated workflows. A second factor will not be required, but be aware that the functionality of these nodes is limited compared with that of regular login nodes, both in the type of authentication required and in the types of actions that can be executed.<br />
<br />
= Increased security measures =<br />
== Access by request only ==<br />
To get access to the special automation nodes, write to [[Technical support/fr|technical support]]. Describe the type of automation, and list the commands that will be executed as well as the tools or libraries used to manage the automation.<br />
<br />
== Access only via specific SSH keys ==<br />
Access to the automation nodes is only possible via [[SSH_Keys#Using_CCDB|SSH keys uploaded to CCDB]]. Keys listed in a <i>.ssh/authorized_keys</i> file are not accepted. In addition, the SSH keys <b>must comply with</b> the following constraints. <br />
<br />
=== <code>restrict</code> ===<br />
This constraint disables port forwarding, agent forwarding and X11 forwarding. The pseudo-terminal (PTY) is also disabled, which blocks most interactive workloads. We impose these conditions because the special nodes must not be used for interactive or long-running processes; for those, use the regular login nodes. <br />
<br />
=== <code>from="pattern-list"</code> ===<br />
This constraint ensures that the key can only be used from IP addresses that match the pattern, and not from other computers. The pattern list must consist only of IP addresses that specify the network class, the network and the subnet, that is, the first three parts of an IP address. For example, <code>192.168.*.*</code> would not be accepted, but <code>192.168.1.*</code> would be valid. <br />
<br />
=== <code>command="COMMAND"</code> ===<br />
This constraint runs the command <code>COMMAND</code> when the connection is established. This lets you define the only commands that can be used with the key. <br />
<br />
== Wrapper scripts for the <code>command=</code> option ==<br />
This option can specify any command, but it is most useful when you have a wrapper script that accepts or rejects the commands being called. You can write your own scripts, but we have prepared some for frequently occurring cases. These scripts are in [https://github.com/ComputeCanada/software-stack-custom/tree/main/bin/computecanada/allowed_commands this git repository].<br />
<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh</code> allows only file transfer commands, such as <code>scp</code>, <code>sftp</code> or <code>rsync</code><br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/archiving_commands.sh</code> allows file archiving commands, such as <code>gzip</code>, <code>tar</code> or <code>dar</code><br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/file_commands.sh</code> allows file manipulation commands, such as <code>mv</code>, <code>cp</code> or <code>rm</code><br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/git_commands.sh</code> allows the <code>git</code> command<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh</code> allows some Slurm commands, such as <code>squeue</code> or <code>sbatch</code><br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/allowed_commands.sh</code> allows all of the above<br />
<br />
== Examples of accepted SSH keys ==<br />
Keys must satisfy the three conditions described above. Here are some examples that would be valid for transferring files with <code>scp</code>, <code>sftp</code> or <code>rsync</code>: <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
The next example would only allow Slurm commands (squeue, scancel, sbatch, scontrol, sq). <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
<br />
= Automation nodes, by cluster =<br />
To connect to an automation node, use the following addresses:<br />
* Cedar: robot.cedar.alliancecan.ca<br />
* Graham: robot.graham.alliancecan.ca<br />
* Béluga: robot.beluga.alliancecan.ca<br />
* Narval: robot.narval.alliancecan.ca<br />
* Niagara: robot.niagara.alliancecan.ca<br />
<br />
= Using the right key =<br />
If you have several keys, make sure you use the right one. This can be done with parameters passed to the command, as in the examples below. <br />
<br />
With <code>ssh</code> or <code>scp</code>:<br />
{{Command|ssh -i .ssh/private_key_to_use ...}}<br />
{{Command|scp -i .ssh/private_key_to_use ...}}<br />
<br />
With <code>rsync</code>: <br />
{{Command|rsync -e "ssh -i .ssh/private_key_to_use" ...}}<br />
<br />
It is often much more convenient to include these parameters in your ~/.ssh/config file so that they are taken into account whenever the SSH client is invoked. For example:<br />
<pre><br />
host robot<br />
hostname robot.cluster.alliancecan.ca<br />
user myrobot<br />
identityfile ~/.ssh/my-robot-key<br />
identitiesonly yes<br />
requesttty no<br />
</pre><br />
<br />
This means that the two kinds of commands below will do what you want.<br />
{{Command|ssh robot /usr/bin/ls}}<br />
{{Command|rsync -a datadir/a robot:scratch/testdata}}</div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Translations:Automation_in_the_context_of_multifactor_authentication/13/fr&diff=150943Translations:Automation in the context of multifactor authentication/13/fr2024-03-06T18:26:01Z<p>Mboisson: </p>
<hr />
<div>= Automation nodes, by cluster =<br />
To connect to an automation node, use the following addresses:<br />
* Cedar : robot.cedar.alliancecan.ca<br />
* Graham : robot.graham.alliancecan.ca<br />
* Béluga : robot.beluga.alliancecan.ca<br />
* Narval : robot.narval.alliancecan.ca<br />
* Niagara : robot.niagara.alliancecan.ca</div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Automation_in_the_context_of_multifactor_authentication&diff=150939Automation in the context of multifactor authentication2024-03-06T18:25:16Z<p>Mboisson: </p>
Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Automation_in_the_context_of_multifactor_authentication&diff=150741Automation in the context of multifactor authentication2024-03-01T17:58:27Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<translate><br />
<br />
<!--T:1--><br />
Automated workflows which connect to the clusters without human intervention cannot make use of a second authentication factor. In order to execute such workflows after MFA becomes a requirement, you must request access to one of our special nodes. These nodes will not require the use of a second factor, but will be otherwise much more limited than regular login nodes in terms of the type of authentication they accept and the type of action that they can be used to perform.<br />
<br />
= Increased security restrictions = <!--T:2--><br />
== Available only by request ==<br />
Users who need to make use of automated workflows for their research must first contact our [[technical support]] to be allowed to use these nodes. When contacting us, please explain in detail the type of automation you intend to use as part of your workflow. Tell us what commands will be executed and what tools or libraries you will be using to manage the automation.<br />
<br />
== Available only through restricted SSH keys == <!--T:3--><br />
The only accepted means of authentication for the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <i>.ssh/authorized_keys</i> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints. <br />
<br />
=== <code>restrict</code> === <!--T:4--><br />
This constraint disables port forwarding, agent forwarding, and X11 forwarding. It also disables the pseudo teletype (PTY), blocking most interactive workloads. This is required because these automation nodes are not intended to be used to start long-running or interactive processes. Regular login nodes must be used instead. <br />
<br />
=== <code>from="pattern-list"</code> === <!--T:5--><br />
This constraint specifies that the key can only be used from IP addresses that match the patterns. This is to ensure that this key is not used from computers other than the ones intended. The patterns list must include only IP addresses that fully specify at least the network class, the network, and the subnet, which are the first 3 sections of an IP address. For example, <code>192.168.*.*</code> would not be accepted, but <code>192.168.1.*</code> would be accepted. <br />
<br />
=== <code>command="COMMAND"</code> === <!--T:6--><br />
This constraint forces the command <code>COMMAND</code> to be executed when the connection is established. This is so that you may restrict which commands can be used with this key. <br />
<br />
== Convenience wrapper scripts to use for <code>command=</code> == <!--T:7--><br />
<code>command</code> constraints can specify any command, but they are most useful when using a wrapper script which will accept or reject commands based on which command is being called. You can write your own script, but for convenience, we provide a number of such scripts which will allow common actions. These scripts are defined in [https://github.com/ComputeCanada/software-stack-custom/tree/main/bin/computecanada/allowed_commands this git repository].<br />
<br />
<!--T:8--><br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh</code> will allow only file transfers, such as <code>scp</code>, <code>sftp</code> or <code>rsync</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/archiving_commands.sh</code> will allow commands to archive files, such as <code>gzip</code>, <code>tar</code> or <code>dar</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/file_commands.sh</code> will allow commands to manipulate files, such as <code>mv</code>, <code>cp</code> or <code>rm</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/git_commands.sh</code> will allow the <code>git</code> command.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh</code> will allow some Slurm commands, such as <code>squeue</code> or <code>sbatch</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/allowed_commands.sh</code> will allow all of the above.<br />
<br />
== Examples of accepted SSH keys == <!--T:9--><br />
SSH keys must include all three of the above constraints to be accepted. <br />
For example, the following key would be accepted, and could only be used for transferring files (through <code>scp</code>, <code>sftp</code> or <code>rsync</code>, for example): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
while this one would only allow Slurm commands (squeue, scancel, sbatch, scontrol, sq): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
<br />
= Automation nodes for each cluster = <!--T:13--><br />
Here is the hostname of the node to be used for unattended connections on each cluster: <br />
* Cedar: robot.cedar.alliancecan.ca<br />
* Graham: robot.graham.alliancecan.ca<br />
* Béluga: not available yet<br />
* Narval: not available yet<br />
* Niagara: robot.niagara.alliancecan.ca<br />
<br />
= Using the right key = <!--T:10--><br />
If you have multiple keys on your computer, you need to be careful to use the correct key. This is typically done by passing parameters to the command you are using. Below are a few examples. <br />
<br />
<!--T:11--><br />
With <code>ssh</code> or <code>scp</code>:<br />
{{Command|ssh -i .ssh/private_key_to_use ...}}<br />
{{Command|scp -i .ssh/private_key_to_use ...}}<br />
<br />
<!--T:12--><br />
With <code>rsync</code>: <br />
{{Command|rsync -e "ssh -i .ssh/private_key_to_use" ...}}<br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Infrastructure_for_Research_Data_Management&diff=150449Infrastructure for Research Data Management2024-02-23T18:30:17Z<p>Mboisson: </p>
<hr />
<div>{{Draft}}<br />
<br />
Welcome to the complete guide to managing research data on our cloud platform! <br />
<br />
This page has been specially written to provide users with a detailed and accessible reference on how to optimize the management of their research data in our cloud environment.<br />
<br />
Whether you're a researcher, scientist, student or professional working with research data, this guide aims to make your experience easier by providing clear information and practical advice.<br />
<br />
Browse the different sections dedicated to data security, real-time collaboration, analytics integration and much more. Whether you're using our platform for the first time, or are an experienced user looking to deepen your knowledge, this guide is designed to meet your needs, step by step.<br />
<br />
= Navigation and Configuration =<br />
<br />
Before we dive into the details, let's take a moment to explore the fundamentals that will help you navigate and configure your cloud platform experience.<br />
<br />
== Environment discovery ==<br />
<br />
We supply one aggregate per research team's primary investigator.<br />
<br />
This aggregate includes 4 virtual machines (1 for application containers and 3 for the database aggregate) using standard Ubuntu 22.04 LTS images.<br />
<br />
Research Teams can use:<br />
<br />
* '''OpenID Hub''': for authentication and authorization<br />
* '''Mattermost''': for group messaging<br />
* '''Nextcloud''': for file sharing and synchronization<br />
<br />
Each application is accessible from a sub-domain dedicated to the research team:<br />
<br />
* '''OpenID Hub''' on ''research_team_name''.idp.cirst.ca<br />
* '''Mattermost''' on ''research_team_name''.chat.cirst.ca<br />
* '''Nextcloud''' on ''research_team_name''.cloud.cirst.ca<br />
<br />
Note that ''research_team_name'' must be replaced by the name of the research team selected during enrolment.<br />
<br />
= Identity and Authentication =<br />
<br />
This crucial part of our guide highlights the identity provider software, called [https://pypi.org/project/oidc-hub OpenID Hub], an essential piece for inviting members to join your team while ensuring that only authorized members can access the Nextcloud and Mattermost applications.<br />
<br />
== Identity Provider ==<br />
<br />
The tool provides you with [https://en.wikipedia.org/wiki/KISS%20principle KISS] user management and [https://en.wikipedia.org/wiki/Role-based%20access%20control role-based access control] that includes invitations for new members to join the team, secure password management and recovery.<br />
<br />
== Authentication and Account Management ==<br />
<br />
= Instant Messaging =<br />
== Introduction and Usage ==<br />
<br />
= File Management =<br />
== Introduction and Usage ==<br />
== Data Storage and Organization ==<br />
== Sharing and Collaborative Features ==<br />
<br />
= Troubleshooting =<br />
== Technical problems ==<br />
== Support and Resources ==<br />
<br />
= Updates and New Features =<br />
== Update Tracking ==<br />
== Discover New Features ==</div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication/fr&diff=150162Multifactor authentication/fr2024-02-15T15:17:09Z<p>Mboisson: Created page with "Configure your account as soon as possible so that you can access all of our services. }}"</p>
<hr />
<div><languages /><br />
<br />
<br />
{{Warning|title=L'authentification multifacteur devient obligatoire<br />
|content=Nous vous encourageons fortement à configurer cette fonctionnalité dès que possible, car un deuxième facteur sera requis pour accéder à toutes nos grappes de calcul à compter d’avril 2024. <br />
<br />
Pour vous rappeler d’activer l’authentification multifacteur, la fonctionnalité sera requise les mardis entre midi et 16 h (HE) pour vous connecter à :<br />
<br />
* Niagara, les 6 et 13 février<br />
* Niagara et Cedar, les 20 et 27 février<br />
* Niagara, Cedar et Graham, les 5 et 12 mars<br />
* toutes les grappes, les 19 et 26 mars<br />
<br />
Configurez votre compte au plus tôt afin de pouvoir accéder à tous nos services.<br />
}}<br />
<br />
L’authentification multifacteur permet de protéger votre compte avec plus qu’un simple mot de passe. Une fois que votre compte est configuré pour utiliser cette fonctionnalité, vous devrez entrer votre mot de passe comme d’habitude, mais en plus effectuer une deuxième action (le <i>deuxième facteur</i>), pour avoir accès à la plupart de nos services.<br />
<br />
Sélectionnez cette deuxième étape d’authentification parmi ces facteurs&nbsp;:<br />
*accepter une notification sur votre appareil intelligent dans l’application Duo Mobile;<br />
*entrer un code généré sur demande;<br />
*presser un bouton sur une clé matérielle (YubiKey).<br><br />
<br />
L’authentification multifacteur sera déployée graduellement. Cette fonctionnalité ne sera donc pas disponible immédiatement pour tous nos services.<br />
<br />
= Webinaires à voir =<br />
Ces deux webinaires ont été enregistrés en octobre 2023 : <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (en français)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (en anglais)<br />
<br />
= Enregistrement des facteurs =<br />
== Enregistrer plusieurs facteurs ==<br />
Lorsque vous activez l'authentification multifacteur pour votre compte, nous vous <b>recommandons fortement</b> d’enregistrer au moins deux options pour votre deuxième facteur. Vous pouvez par exemple vous servir de votre téléphone et de codes à usage unique; de votre téléphone et d’une clé YubiKey; ou encore de deux clés YubiKey. De cette façon, si une de ces options ne peut pas être employée, vous aurez un autre facteur pour accéder à votre compte.<br />
<br />
== Using a phone or tablet ==<br />
<br />
#Install the Duo Mobile application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or from [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure you have the right application (see the icon below). TOTP applications such as Aegis, Google Authenticator and Microsoft Authenticator <b>are not compatible</b> with Duo and cannot scan the QR code.<br />
#Log in to your account and click on <i>My account → [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name to identify your device. Click on <i>Continue</i> to display a QR code.<br />
#In the Duo Mobile application, tap the <b>+</b> sign or <i>Add account</i>.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code displayed in CCDB. <b>Important: to scan the QR code, your device must have internet access over Wi-Fi or a cellular network.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Using a YubiKey ==<br />
YubiKeys are hardware keys produced by [https://www.yubico.com/ Yubico]. If you do not have a smartphone or tablet, if you do not want to use those devices for multifactor authentication, or if you are frequently unable to use them, a YubiKey 5 is your best option.<br />
<br />
<b>Note that YubiKey models which do not support the Yubico OTP function are not compatible, since this function is required. We recommend the YubiKey 5 series, but some older models may work. For details, see [https://www.yubico.com/products/identifying-your-yubikey/].</b><br />
<br />
About the size of a small USB stick, YubiKey 5 keys cost between 50 and 100 dollars. Different models fit USB-A, USB-C and Lightning ports, and some support near-field communication (NFC) with a phone or tablet.<br />
<br />
YubiKeys support several protocols. Our clusters use Yubico OTP (<i>one-time password</i>). Once your key is registered to your account as an authentication factor, you will be asked for a one-time password (OTP) when you try to log in to one of our clusters. You then press the button on the key, which generates a 32-character string that serves as the password to enter. You do not need the keyboard: the key connects to your computer and types the 32-character string itself when you touch the button.<br />
<br />
To register your YubiKey, enter its public ID, its private ID and its secret key on the <i>[https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management]</i> page. If you do not have this information, configure your key as follows.<br />
<br />
=== Configuring your YubiKey for Yubico OTP ===<br />
<br />
# Download and install YubiKey Manager from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert the YubiKey and launch YubiKey Manager.<br />
# In YubiKey Manager, click on <i>Applications</i> and then on <i>OTP</i> (see the images below).<br />
# Here you can configure one of two slots. <i>Short Touch (Slot 1)</i> is triggered by a short touch (1 to 2.5 seconds) and <i>Long Touch (Slot 2)</i> by a longer touch (3 to 5 seconds). Slot 1 is usually pre-programmed for Yubico Cloud. If you already use this slot for other services, configure slot 2 instead, or click on <i>Swap</i> to move the slot 1 configuration to slot 2 and then configure slot 1.<br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i> to generate a private ID and a secret key. <b>Copy both IDs and the secret key before clicking on <i>Finish</i>, because you will need them in the next step</b>. Keep this window open.<br />
# <b>IMPORTANT: make sure you have clicked on <i>Finish</i> in the previous step.</b><br />
# Log in to CCDB and click on <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i> to enter your key's data.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Steps 6 and 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Authentication =<br />
== Logging in to a cluster via SSH ==<br />
If multifactor authentication is enabled for your account and you connect via SSH to a cluster that supports this feature, you must first pass the first authentication step with your password or your [[SSH Keys/fr|SSH key]]. The following is then displayed for the second authentication step:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
Enter a passcode or select one of the following options:<br />
<br />
1. Duo Push to My phone (iOS)<br />
<br />
Passcode or option (1-1):}}<br />
<br />
You can now indicate the phone or tablet that should receive a notification from Duo. If you have registered several devices, a list is displayed from which you can select the device you want. Simply approve the notification to complete your second authentication step.<br />
<br />
If you use a YubiKey or a previously saved code, or if you prefer to enter the time-limited one-time password displayed by Duo Mobile, do not select an option; instead, enter the code, for example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
Enter a passcode or select one of the following options:<br />
<br />
1. Duo Push to My phone (iOS)<br />
<br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
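The passcode typed above is 44 characters long, whereas the YubiKey section speaks of a 32-character password: the key first types its 12-character public ID, and both parts use Yubico's modhex alphabet. The Python below is an added example, not code from this page, from Duo or from Yubico; the registry of public IDs and its device labels are constructed, and the derivation of a serial number from a public ID created with <i>Use serial</i> (ff 00 followed by the 4-byte serial) is stated as an assumption to verify against Yubico's documentation. It performs the first checks a validation service makes on what is typed at the <i>Passcode or option</i> prompt: telling an option number from a passcode, checking the modhex alphabet and length, and splitting off and decoding the public ID so the matching key can be looked up.<br />

```python
"""Added example: first-pass checks on a Duo "Passcode or option" response,
including the structure of a typed Yubico OTP.  Not code from the Alliance
documentation, Duo or Yubico."""
import re

# Yubico's modhex alphabet; the position in the string is the nibble value.
# It is chosen so the key types the same characters on any keyboard layout.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
_MODHEX_VALUE = {ch: i for i, ch in enumerate(MODHEX_ALPHABET)}

PUBLIC_ID_LEN = 12   # 12 modhex chars = 6-byte public ID, typed first
OTP_LEN = 32         # 32 modhex chars = 16-byte encrypted one-time password

# Constructed registry of public IDs (as typed) -> device label.
# A real validation service keeps the matching AES key beside each entry.
REGISTERED_KEYS = {
    "vvcccbhbllnu": "key used in the SSH login example (constructed label)",
    "vvcccctffclk": "key programmed in the ykman example (constructed label)",
}


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string to bytes; ValueError on a bad character or odd length."""
    if not text or len(text) % 2:
        raise ValueError("modhex text must be non-empty and of even length")
    try:
        nibbles = [_MODHEX_VALUE[ch] for ch in text]
    except KeyError as exc:
        raise ValueError(f"not a modhex character: {exc.args[0]!r}") from None
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_yubico_otp(typed: str) -> tuple[str, str]:
    """Split a typed Yubico OTP into (public_id, otp), both still in modhex.

    The key types the public ID, then the 32-char OTP, then Enter, so trailing
    whitespace is stripped before the length and alphabet checks.
    """
    token = typed.strip()
    if len(token) != PUBLIC_ID_LEN + OTP_LEN:
        raise ValueError(f"expected {PUBLIC_ID_LEN + OTP_LEN} modhex characters, got {len(token)}")
    if any(ch not in _MODHEX_VALUE for ch in token):
        raise ValueError("non-modhex character in OTP")
    return token[:PUBLIC_ID_LEN], token[PUBLIC_ID_LEN:]


def lookup_public_id(public_id: str, registry: dict = REGISTERED_KEYS) -> dict:
    """Describe a public ID: hex form, whether it is registered, and its label."""
    raw = modhex_decode(public_id)
    info = {"public_id": public_id, "hex": raw.hex(), "registered": public_id in registry}
    # Assumption (verify against Yubico's documentation): a public ID created
    # with "Use serial" is ff 00 followed by the 4-byte big-endian serial number.
    if raw[:2] == b"\xff\x00":
        info["serial"] = int.from_bytes(raw[2:], "big")
    if info["registered"]:
        info["device"] = registry[public_id]
    return info


def classify_prompt_response(typed: str, option_count: int) -> dict:
    """Classify a response to 'Passcode or option (1-N):' as
    option / numeric_passcode / yubico_otp / invalid."""
    text = typed.strip()
    if re.fullmatch(r"\d+", text):
        n = int(text)
        # An option is a bare small number; "000001" is a passcode, not option 1.
        if text == str(n) and 1 <= n <= option_count:
            return {"kind": "option", "option": n}
        # Duo Mobile passcodes and saved bypass codes are all-digit strings.
        return {"kind": "numeric_passcode", "passcode": text}
    try:
        public_id, otp = split_yubico_otp(text)
    except ValueError as exc:
        return {"kind": "invalid", "reason": str(exc)}
    result = {"kind": "yubico_otp", "otp": otp}
    result.update(lookup_public_id(public_id))
    return result


if __name__ == "__main__":
    # The passcode typed in the SSH example above, with the Enter the key sends.
    print(classify_prompt_response("vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki\n", 1))
    print(classify_prompt_response("1", 1))
```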
<br />
=== Occasionally skipping the second authentication step with ControlMaster ===<br />
If you connect with OpenSSH, you can configure your SSH client to reduce how often you must complete the second authentication step. Edit <code>.ssh/config</code> and add the following lines:<br />
<br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
Replace <code>HOSTNAME</code> with the hostname of the server you want to configure. This lets you open a first SSH session with the first and second factors; subsequent SSH connections from the same device will reuse the connection of that first session (without asking you to authenticate) as long as the first session is recent.<br />
<br />
Note that the ControlMaster multiplexing mechanism does not work on native Windows; in that case you will need the [https://learn.microsoft.com/fr-fr/windows/wsl/about Windows Subsystem for Linux].<br />
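Because the control socket carries an already-authenticated session, the three directives above are worth checking rather than copying blindly. The Python below is an added example, not code from this page or from OpenSSH; the sample configuration and its hostnames are constructed. It parses an ssh_config text, reports each <code>Host</code> block that differs from the documented setup, and flags what a reviewer would look for: a ControlPath outside ~/.ssh (anyone who can open the socket reuses your authenticated session), a path that lacks the %r/%h/%p tokens, and an unbounded ControlPersist.<br />

```python
"""Added example (not from the Alliance documentation or OpenSSH): check the
ControlMaster/ControlPath/ControlPersist settings of each Host block in an
ssh_config text against the setup described above."""
import re
from typing import Optional

# Constructed sample: the first block follows the documentation, the second
# puts the socket outside ~/.ssh and keeps the master open indefinitely.
SAMPLE_CONFIG = """
# comment lines and blank lines are ignored
Host cluster.example.org
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlMaster auto
    ControlPersist 10m

Host other.example.org
    ControlMaster auto
    ControlPath /tmp/cm-%h
    ControlPersist yes
"""

_TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_persist(value: str) -> Optional[int]:
    """ControlPersist value -> seconds; None for 'no', -1 for 'yes' (no limit)."""
    v = value.strip().lower()
    if v == "no":
        return None
    if v == "yes":
        return -1
    if v.isdigit():
        return int(v)
    # OpenSSH TIME FORMAT: one or more <number><unit> groups, e.g. 1h30m
    if not re.fullmatch(r"(\d+[smhdw])+", v):
        raise ValueError(f"bad ControlPersist value: {value!r}")
    return sum(int(n) * _TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", v))


def parse_ssh_config(text: str) -> dict[str, dict[str, str]]:
    """Return {host pattern: {keyword (lowercased): value}} for each Host block."""
    blocks: dict[str, dict[str, str]] = {}
    current: Optional[dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current[keyword] = value
    return blocks


def audit_control_master(block: dict[str, str]) -> list[str]:
    """Findings for one Host block; an empty list means it matches the documented setup."""
    findings = []
    if block.get("controlmaster", "no").lower() not in ("auto", "autoask", "yes", "ask"):
        findings.append("ControlMaster not enabled: every connection asks for both factors")
    path = block.get("controlpath")
    if path is None:
        findings.append("ControlPath missing: no control socket, so no multiplexing")
    else:
        if not (path.startswith("~/.ssh/") or path.startswith("%d/.ssh/")):
            findings.append("ControlPath outside ~/.ssh: anyone who can open the socket "
                            "reuses the already-authenticated session")
        if "%C" not in path and not all(t in path for t in ("%r", "%h", "%p")):
            findings.append("ControlPath lacks %r, %h and %p (or %C): sockets for different "
                            "users, hosts or ports can collide")
    persist = block.get("controlpersist")
    if persist is None:
        findings.append("ControlPersist missing: the master is not kept alive after the "
                        "last session ends, so the next login asks for both factors again")
    else:
        seconds = parse_persist(persist)
        if seconds == -1:
            findings.append("ControlPersist yes: the authenticated master stays open "
                            "indefinitely; prefer a bounded value such as 10m")
        elif seconds is not None and seconds > 8 * 3600:
            findings.append(f"ControlPersist {persist}: longer than a working day")
    return findings


if __name__ == "__main__":
    for host, block in parse_ssh_config(SAMPLE_CONFIG).items():
        print(host, audit_control_master(block) or ["ok"])
```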
<br />
== Logging in to your account ==<br />
If multifactor authentication is enabled for your account, you must first pass the first authentication step with your username and password. The following is then displayed for the second authentication step:<br />
<br><br />
(Note: <i>this is not the final window</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients =<br />
Command-line clients generally support multifactor authentication without further configuration. This is often not the case for graphical clients, however. Specific instructions for some of them are given below.<br />
<br />
== FileZilla ==<br />
FileZilla asks for the password and the second factor every time a transfer is started because, by default, transfers use separate connections that are automatically closed after a period of inactivity.<br />
<br />
To avoid entering the password and the second factor several times, you can limit the number of connections to each site to "1" under <i>Site Manager => Transfer Settings</i>; note that you then lose the ability to browse the server during transfers.<br />
<br />
# Launch FileZilla and select <i>Site Manager</i>.<br />
# In <i>Site Manager</i>, edit an existing site or create a new one.<br />
# Under the <i>General</i> tab, enter the following:<br />
#* <i>Protocol: SFTP – SSH File Transfer Protocol</i><br />
#* <i>Host:</i> [hostname of the login cluster]<br />
#* <i>Logon Type: Interactive</i><br />
#* <i>User:</i> [your username]<br />
# Under the <i>Transfer Settings</i> tab:<br />
#* check <i>Limit number of simultaneous connections</i><br />
#* <i>Maximum number of connections: 1</i><br />
# Click on <i>OK</i> to save the connection.<br />
# Test the connection.<br />
<br />
<div lang="en" dir="ltr" class="mw-content-ltr"><br />
=== Niagara special case ===<br />
Note that on Niagara, because an SSH key and the interactive 2FA prompt are both required at login, users may run into difficulties: FileZilla can enable only one of the two at a time. We recommend using a different SCP client with better support for interactive prompts, but one possible workaround is to:<br />
</div><br />
<br />
<div lang="en" dir="ltr" class="mw-content-ltr"><br />
# Attempt to connect with an SSH key. This will fail because of the interactive prompt for the second factor, but FileZilla will then remember your key.<br />
# Change the login method to interactive and attempt to connect again. You will then receive the 2FA prompt.<br />
</div><br />
<br />
== MobaXTerm ==<br />
Install version 23.1 or later.<br />
<br />
To reach a remote server, MobaXTerm opens two connections by default: a first one for the terminal and a second one to browse remote files. Since the browser uses the <i>SFTP protocol</i> by default, you are asked for your second authentication factor a second time. To avoid this, in the SSH session editor, under the <i>SSH-browser type</i> tab, select <i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i>.<br />
<br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<br />
== PuTTY ==<br />
Install version 0.72 or later.<br />
<br />
== WinSCP ==<br />
Make sure you use [[SSH Keys/fr|SSH keys]].<br />
<br />
== PyCharm ==<br />
Make sure you use [[SSH Keys/fr|SSH keys]].<br />
<br />
== Cyberduck ==<br />
By default, Cyberduck opens a new connection for every file transfer and asks for your second factor each time. To change this, open the preferences, go to <i>Transfers</i>, <i>General</i> tab, and in the <i>Transfer Files</i> drop-down menu select <i>Use browser connection</i>.<br />
<br />
Make sure the <i>Segmented downloads with multiple connections per file</i> box is not checked.<br />
<br />
[[File:CyberduckFRN.png|400px|Configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions =<br />
== Can I use Authy, Google Authenticator or Microsoft Authenticator? ==<br />
No, you must use Duo Mobile.<br />
<br />
== I have no tablet or smartphone and I do not want to buy a YubiKey ==<br />
Unfortunately, you will not be able to use our services once multifactor authentication becomes mandatory, which is a requirement of the organizations that fund the Alliance. A YubiKey is the cheapest way to authenticate and is the kind of equipment that is usually funded as part of research projects.<br />
<br />
== Can you send me one-time passcodes by SMS? ==<br />
We would have to bear the cost of sending them, which we cannot do. In addition, most security specialists do not consider this method foolproof.<br />
<br />
== Can you send me one-time passcodes by email? ==<br />
No, Duo does not support this.<br />
<br />
== I have an Android phone and cannot find the Duo Mobile application in Google Play. Can I still use Duo? ==<br />
Yes, but you will have to download the application from the Duo website:<br />
<br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
To verify the download, the [https://duo.com/docs/checksums#duo-mobile official SHA-256 checksums are listed here].<br />
<br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see the details here].<br />
<br />
== I want to disable multifactor authentication. How do I proceed? ==<br />
This feature will soon be mandatory and cannot be disabled. We grant exceptions only for automated processes. If multifactor authentication bothers you, we suggest using one of the configurations described above for the SSH client you use. You will find other suggestions in [[Multifactor_authentication/fr#Webinaires_à_voir|these webinars]].<br />
<br />
== I do not have a recent enough tablet or smartphone. How can I use multifactor authentication? ==<br />
You can [[Multifactor authentication/fr#Pour_utiliser_une_clé_YubiKey|use a YubiKey]].<br />
<br />
== I lost a device I was using as a second factor. What can I do? ==<br />
* If you configured several devices or generated bypass codes, use that other method to [https://ccdb.alliancecan.ca/multi_factor_authentications access your account]. In the list of registered devices, delete the one you lost and register the new device.<br />
* If you saved no bypass codes and no longer have any of the devices you configured, copy the following list, add as many details as possible and send this information to support@tech.alliancecan.ca.<br />
<br />
What is the primary email address registered in your account?<br />
How long have you had an active account with us?<br />
What is your field of research?<br />
What is your IP address? (To find your IP address, [https://whatismyipaddress.com/ click this link].)<br />
What is the name of the principal investigator who sponsors you?<br />
Who are the members of your group?<br />
Whom can we contact about your request?<br />
Which clusters do you use most?<br />
Which modules do you load most often?<br />
When did you last submit a job?<br />
Give the IDs of some of your most recent jobs.<br />
Describe the topics and give the ticket IDs of your most recent technical support requests.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? ==<br />
* Most command-line SSH clients, such as those available on Linux or Mac OS<br />
* MobaXTerm (see the instructions above)<br />
* PuTTY (see the instructions above)<br />
* Termius on iOS<br />
* FileZilla (see the instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see the instructions above)<br />
* PyCharm (see the instructions above)<br />
* VSCode<br />
* CyberDuck (see the instructions above)<br />
<br />
== I need automated SSH connections to the clusters from my account; can I use multifactor authentication? ==<br />
We are currently preparing login nodes that will be reserved for automated processes. For more information, see [[Automation_in_the_context_of_multifactor_authentication/fr|Automated workflows and multifactor authentication]].<br />
<br />
== Message <i>Access denied. Duo Security does not provide services in your current location</i> ==<br />
This happens because Duo is a United States product (see [https://help.duo.com/s/article/7544?language=en_US Duo help]). To work around it, you must use a VPN connection so that you appear to be in a country from which access is permitted.<br />
<br />
= Advanced features =<br />
== Configuring your YubiKey for Yubico OTP from the command line (<code>ykman</code>) ==<br />
# Install the YubiKey Manager command-line tool (<code>ykman</code>) by following the instructions for your operating system in the [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and review the key information with the command <code>ykman info</code>.<br />
# Review the OTP information with the command <code>ykman otp info</code>.<br />
# Choose between Slot 1 and Slot 2 and run the command <code>ykman otp yubiotp</code> to program the slot.<br />
# <b>Keep a copy of the public ID, the private ID and the secret key in a safe place; they will be needed in the next step.</b><br />
# Log in to CCDB to register your key on the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i> page.<br />
<br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source></div>
Mboisson https://docs.alliancecan.ca/mediawiki/index.php?title=Translations:Multifactor_authentication/64/fr&diff=150161 Translations:Multifactor authentication/64/fr 2024-02-15T15:17:05Z
<p>Mboisson: Created page with "Configure your account as soon as possible so that you can access all of our services. }}"</p>
<hr />
<div>Configure your account as soon as possible so that you can access all of our services.<br />
}}</div>
Mboisson https://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication/fr&diff=150160 Multifactor authentication/fr 2024-02-15T15:17:02Z
<p>Mboisson: Created page with "To remind you to enable multifactor authentication, the feature will be required on Tuesdays between noon and 4 p.m. (ET) to log in to:"</p>
<hr />
<div><languages /><br />
<br />
<br />
{{Warning|title=Multifactor authentication is becoming mandatory<br />
|content=We strongly encourage you to set up this feature as soon as possible, because a second factor will be required to access all of our compute clusters as of April 2024.<br />
<br />
To remind you to enable multifactor authentication, the feature will be required on Tuesdays between noon and 4 p.m. (ET) to log in to:<br />
<br />
* Niagara, on February 6 and 13<br />
* Niagara and Cedar, on February 20 and 27<br />
* Niagara, Cedar and Graham, on March 5 and 12<br />
* all clusters, on March 19 and 26<br />
<br />
<div lang="en" dir="ltr" class="mw-content-ltr"><br />
Enroll now to avoid being blocked from accessing our services.<br />
}}<br />
</div><br />
<br />
Multifactor authentication lets you protect your account with more than just a password. Once your account is configured to use this feature, you will need to enter your password as usual, but also perform a second action (the <i>second factor</i>) to access most of our services.<br />
<br />
Choose this second authentication step from among these factors:<br />
*approve a notification on your smart device in the Duo Mobile application;<br />
*enter a code generated on demand;<br />
*press a button on a hardware key (YubiKey).<br><br />
<br />
L’authentification multifacteur sera déployée graduellement. Cette fonctionnalité ne sera donc pas disponible immédiatement pour tous nos services.<br />
<br />
= Webinaires à voir =<br />
Ces deux webinaires ont été enregistrés en octobre 2023 : <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (en français)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (en anglais)<br />
<br />
= Enregistrement des facteurs =<br />
== Enregistrer plusieurs facteurs ==<br />
Lorsque vous activez l'authentification multifacteur pour votre compte, nous vous <b>recommandons fortement</b> d’enregistrer au moins deux options pour votre deuxième facteur. Vous pouvez par exemple vous servir de votre téléphone et de codes à usage unique; de votre téléphone et d’une clé YubiKey; ou encore de deux clés YubiKey. De cette façon, si une de ces options ne peut pas être employée, vous aurez un autre facteur pour accéder à votre compte.<br />
<br />
== Utiliser un téléphone ou une tablette ==<br />
<br />
#Installez l'application Duo Mobile à partir du [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] ou de [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Assurez-vous d'avoir la bonne application (voir l'icône ci-dessous). Les applications TOTP comme Aegis, Google Authenticator et Microsoft Authenticator <b>ne sont pas compatibles</b> avec Duo et ne peuvent pas balayer le code QR.<br />
#Connectez-vous à votre compte et cliquez sur <i>Mon compte → [https://ccdb.computecanada.ca/multi_factor_authentications Gestion de l'authentification multifacteur]</i>.<br />
#Sous <i>Enregistrer un appareil</i>, cliquez sur <i>Duo Mobile</i>.<br />
#Entrez un nom pour identifier votre appareil. Cliquez sur <i>Continuer</i> pour faire afficher un code QR. <br />
#Dans l'application Duo Mobile, cliquez sur le signe <b>+</b> ou sur <i>Ajouter un compte</i>.<br />
#Touchez <i>Utiliser un code QR</i>.<br />
#Balayez le code QR qui est affiché dans CCDB. <b>Important : Pour balayer le code QR, votre appareil doit avoir accès à l'internet par wi-fi ou par réseau cellulaire.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Étape 1<br />
File:Duo-mobile-option.png|Étape 3<br />
File:Naming-duo-mobile-device.png|Étape 4<br />
File:Duo-mobile-add-account.png|Étape 5<br />
File:Duo-mobile-scan-qr-code.png|Étape 6<br />
File:Scanning-CCDB-QR-code.jpg|Étape 7<br />
</gallery><br />
<br />
== Utiliser une clé YubiKey ==<br />
Les YubiKey sont des clés matérielles produites par [https://www.yubico.com/ Yubico]. Si vous n'avez pas de téléphone intelligent ou de tablette, si vous ne voulez pas employer ces appareils pour l'authentification multifacteur, ou s'il vous est souvent impossible de les utiliser, une clé YubiKey 5 serait votre meilleur choix.<br />
<br />
<b>Notez que les modèles YubiKey qui ne supportent pas la fonction YubiKey OTP ne sont pas compatibles puisque cette fonction est nécessaire. Nous recommandons YubiKey, série 5, mais certains modèles moins récents pourraient fonctionner. Pour les détails, consultez [https://www.yubico.com/products/identifying-your-yubikey/]. </b><br />
<br />
De la taille d’une petite clé USB, les clés YubiKey 5 coûtent entre 50 et 100 dollars. Différents modèles sont compatibles avec les ports USB-A, USB-C et Lightning et certaines permettent la communication en champ proche (NFC) avec un téléphone ou une tablette.<br />
<br />
YubiKeys supporte plusieurs protocoles. Nos grappes utilisent Yubico OTP (<i>one-time password</i>). Une fois que votre clé est enregistrée à votre compte comme facteur d'authentification, quand vous tenterez de vous connecter à une de nos grappes, on vous demandera d'entrer un mot de passe à utilisation unique (OTP). Vous appuyez alors sur le bouton de la clé, ce qui génère une chaîne de 32 caractères qui forme un mot de passe à entrer. Vous n'avez pas besoin du clavier; la clé se connecte à votre ordinateur et entre elle-même la chaîne de 32 caractères quand vous touchez le bouton.<br />
<br />
Pour enregistrer votre YubiKey, entrez son identifiant public, son identifiant privé et sa clé secrète dans la page <i>[https://ccdb.computecanada.ca/multi_factor_authentications Gestion de l'authentification multifacteur]</i>. Si ces renseignements ne sont pas disponibles, configurez votre clé comme suit.<br />
<br />
=== Configurer votre YubiKey pour Yubico OTP ===<br />
<br />
# Téléchargez et installez YubiKey Manager à partir du [https://www.yubico.com/support/download/yubikey-manager/ site Web de Yubico].<br />
# Insérez la clé YubiKey et lancez YubiKey Manager.<br />
# Dans YubiKey Manager, cliquez sur <i>Applications</i> puis sur <i>OTP</i> (voir les images ci-dessous).<br />
# Vous pouvez ici configurer l'une de deux options. <i>Short Touch (Slot 1)</i> identifie une touche brève (de 1 à 2,5 secondes) et <i>Long Touch (Slot 2)</i> correspond à une touche plus longue (de 3 à 5 secondes). L'option numéro 1 est généralement préenregistrée pour Yubico Cloud. Si vous utilisez déjà cette option pour d'autres services, configurez plutôt l'option 2, ou cliquez sur <i>Swap</i> pour transférer la configuration de l'option 1 vers l'option 2, puis configurer l'option 1. <br />
# Sélectionnez <i>Yubico OTP</i>.<br />
# Sélectionnez <i>Use serial</i> pour générer un identifiant privé et une clé secrète. <b>Faites une copie des deux identifiants et de la clé secrète avant de cliquer sur <i>Finish</i> parce que vous en aurez besoin à la prochaine étape</b>. Gardez cette fenêtre ouverte.<br />
# <b>IMPORTANT: Assurez-vous d'avoir cliqué sur <i>Finish</i> à l'étape précédente.</b><br />
# Connectez-vous à la CCDB et cliquez sur <i>Mon compte → [https://ccdb.alliancecan.ca/multi_factor_authentications Gestion de l'authentification multifacteur]</i> pour entrer les données pour votre clé.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Étape 3<br />
File:Yubico Manager OTP configuration.png|Étape 4<br />
File:Select Yubico OTP.png|Étape 5<br />
File:Generate Yubikey IDs.png|Étapes 6 et 7<br />
CCDB Yubikeys.png|Étape 8<br />
</gallery><br />
<br />
= Authentification =<br />
== Pour vous connecter à une grappe via SSH == <br />
Si l'authentification multifacteur est activée pour votre compte et que vous vous connectez via SSH à une grappe qui supporte cette fonctionnalité, vous devez d’abord passer la première authentification avec votre mot de passe ou avec votre [[SSH Keys/fr|clé SSH]]. Ce qui suit sera affiché pour la deuxième authentification&nbsp;: <br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
Enter a passcode or select one of the following options:<br />
<br />
1. Duo Push to My phone (iOS)<br />
<br />
Passcode or option (1-1):}}<br />
<br />
Vous pouvez maintenant indiquer le téléphone ou la tablette qui recevra une notification de la part de Duo. Si vous avez enregistré plusieurs appareils, une liste sera affichée, dans laquelle vous pouvez sélectionner l'appareil de votre choix. Vous n'avez qu'à accepter la notification pour confirmer votre deuxième authentification.<br />
<br />
Si vous utilisez une YubiKey ou un code préalablement sauvegardé, ou encore si vous préférez entrer le mot de passe unique valide pour une durée limitée que Duo Mobile affiche, ne sélectionnez pas une option, mais entrez le code, par exemple <br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
Enter a passcode or select one of the following options:<br />
<br />
1. Duo Push to My phone (iOS)<br />
<br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Passer outre occasionnellement à la deuxième authentification avec ControlMaster===<br />
Si vous vous connectez avec OpenSSH, vous pouvez configurer votre client SSH pour diminuer la fréquence à laquelle vous devez utiliser la deuxième authentification. Modifiez <code>.ssh/config</code> en ajoutant les lignes suivantes&nbsp;:<br />
<br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
Remplacez <code>HOSTNAME</code> par le hostname du serveur que vous voulez configurer. Ceci vous permettra d'ouvrir une première session SSH avec le premier et le deuxième facteur, mais les connexions SSH suivantes à partir du même appareil utiliseront la connexion de la première session (sans vous demander de vous authentifier), même si votre première session est récente.<br />
<br />
Sachez que le mécanisme multiplexeur de ControlMaster ne fonctionne pas sous Windows natif; dans ce cas vous aurez besoin du [https://learn.microsoft.com/fr-fr/windows/wsl/about sous-système Windows pour Linux].<br />
<br />
== Pour vous connecter à votre compte ==<br />
Si l'authentification multifacteur est activée pour votre compte, vous devez d’abord passer la première authentification avec votre nom d'utilisateur et votre mot de passe. Ce qui suit sera affiché pour la deuxième authentification&nbsp;: <br />
<br><br />
(Remarque : <i>Ceci n'est pas la fenêtre finale</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuration de clients SSH courants =<br />
Les clients ligne de commande prennent généralement en charge l'authentification multifacteur sans plus de configuration. Par contre, ce n'est souvent pas le cas pour les clients graphiques. Vous trouverez ci-dessous des directives spécifiques à quelques-uns d’entre eux. <br />
<br />
== FileZilla == <br />
FileZilla asks for the password and second factor each time a transfer is initiated, because by default transfers use separate connections which are automatically closed after some idle time.<br />
<br />
To avoid entering the password and second factor several times, you can limit the number of connections to each site to “1” in <i>Site Manager => Transfer Settings</i>; note that you will then lose the ability to browse the server during transfers.<br />
<br />
# Launch FileZilla and select <i>Site Manager</i>.<br />
# In <i>Site Manager</i>, edit an existing site or create a new one.<br />
# On the <i>General</i> tab, enter the following choices:<br />
#* <i>Protocol: SFTP – SSH File Transfer Protocol</i><br />
#* <i>Host:</i> [the login hostname of the cluster]<br />
#* <i>Logon Type: Interactive</i><br />
#* <i>User:</i> [your username]<br />
# On the <i>Transfer Settings</i> tab:<br />
#* check the box <i>Limit number of simultaneous connections</i> <br />
#* <i>Maximum number of connections: 1</i><br />
# Click <i>OK</i> to save the connection.<br />
# Test the connection.<br />
<br />
<div lang="en" dir="ltr" class="mw-content-ltr"><br />
=== Niagara special case ===<br />
Note that on Niagara, due to the simultaneous requirements of providing an SSH key and answering the interactive 2FA prompt upon login, users may face some challenges. Only one of each kind can be enabled at a time. We recommend using a different SCP client that has better support for interactive prompts, but one possible way to work around this is to:<br />
</div><br />
<br />
<div lang="en" dir="ltr" class="mw-content-ltr"><br />
# Attempt to connect with an SSH key. This will fail because of the interactive prompt for the second factor. FileZilla will then remember your key. <br />
# Change the login method to interactive and attempt to connect again. You will then receive the 2FA prompt.<br />
</div><br />
<br />
== MobaXTerm == <br />
Install version 23.1 or later.<br />
<br />
To reach a remote server, MobaXTerm establishes two connections by default: a first one for the terminal and a second one for browsing remote files. Since the file browser uses the <i>SFTP protocol</i> by default, your second authentication factor is requested a second time. To avoid this, in the SSH session editor, under the <i>SSH-browser type</i> tab, select <i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i>.<br />
<br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<br />
== PuTTY ==<br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <br />
Make sure you are using [[SSH Keys/fr|SSH keys]]. <br />
<br />
== PyCharm == <br />
Make sure you are using [[SSH Keys/fr|SSH keys]].<br />
<br />
== Cyberduck ==<br />
By default, Cyberduck opens a new connection for each file transfer and asks you for your second factor each time. To change this, open the preferences, go to <i>Transfers</i>, <i>General</i> tab, and in the <i>Transfer Files</i> drop-down menu select <i>Use browser connection</i>.<br />
<br />
Make sure the box for <i>Segmented downloads with multiple connections per file</i> is not checked.<br />
<br />
[[File:CyberduckFRN.png|400px|Configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions =<br />
== Can I use Authy or Google or Microsoft authentication? ==<br />
No, you must use Duo Mobile.<br />
<br />
== I do not have a tablet or smartphone and I do not want to buy a YubiKey ==<br />
Unfortunately, you will not be able to use our services once multifactor authentication becomes mandatory, which is a requirement of the bodies that fund the Alliance. A YubiKey is the cheapest way to authenticate and is among the hardware that is generally funded as part of research projects.<br />
<br />
== Can you send me one-time passcodes via SMS? ==<br />
We would then have to cover the sending costs, which we cannot do. Also, this method is not foolproof in the opinion of most security specialists.<br />
<br />
== Can you send me one-time passcodes by email? ==<br />
No, this is not supported by Duo.<br />
<br />
== I have an Android phone and I cannot find the Duo Mobile application in Google Play. Can I still use Duo? ==<br />
Yes, but you will have to download the application from the Duo website:<br />
<br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
For validation, the official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see the details here].<br />
<br />
== I want to disable multifactor authentication. How do I do this? ==<br />
This feature will soon be mandatory and cannot be disabled. We grant exceptions only for automated processes. If multifactor authentication bothers you, we suggest using one of the configurations described above, depending on the SSH client you use. You will find other suggestions in [[Multifactor_authentication/fr#Webinaires_à_voir|these webinars]]. <br />
<br />
== I do not have a tablet or a recent enough smartphone. How can I use multifactor authentication? ==<br />
You can [[Multifactor authentication/fr#Pour_utiliser_une_clé_YubiKey|use a YubiKey]].<br />
<br />
== I have lost a device I was using as a second factor. What can I do? ==<br />
* If you have configured several devices or generated backup codes, use that other method to [https://ccdb.alliancecan.ca/multi_factor_authentications access your account]. In the list of registered devices, delete the one you have lost and register the new device.<br />
* If you have not saved any backup codes and no longer have any of the devices you configured, copy the following list and add as many details as possible. Send this information to support@tech.alliancecan.ca. <br />
<br />
What is the primary email address registered in your account?<br />
For how long have you had an active account with us?<br />
What is your research field?<br />
What is your IP address? (to find your IP address, [https://whatismyipaddress.com/ click this link])<br />
What is the name of the principal investigator sponsoring you?<br />
Who are the members of your group?<br />
Who can we contact regarding your request?<br />
Which clusters do you use the most?<br />
Which modules do you load most often?<br />
When did you submit your last job?<br />
Mention the IDs of some of your most recent jobs.<br />
Describe the topics and give the IDs of your most recent technical support requests.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? ==<br />
* Most command-line SSH clients, such as those available on Linux or Mac OS<br />
* MobaXTerm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need SSH connections to the clusters to be made automatically from my account; can I use multifactor authentication? ==<br />
We are currently preparing login nodes that will be reserved for automated processes. For more information, see [[Automation_in_the_context_of_multifactor_authentication/fr|Automated workflows and multifactor authentication]].<br />
<br />
== Message <i>Access denied. Duo Security does not provide services in your current location</i> ==<br />
This is because Duo is a United States product (see [https://help.duo.com/s/article/7544?language=en_US Duo help]). To get around this, you must use a VPN connection and appear to be connecting from a country from which access is permitted.<br />
<br />
= Advanced features =<br />
== Configuring your YubiKey for Yubico OTP via the command line (<code>ykman</code>)==<br />
# Install the YubiKey Manager command line software (<code>ykman</code>) by following the instructions for your operating system in the [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read the key information with the command <code>ykman info</code>.<br />
# Read the OTP information with the command <code>ykman otp info</code>.<br />
# Choose between Slot 1 and Slot 2 and run the command <code>ykman otp yubiotp</code> to program the slot.<br />
# <b>In a secure place, keep a copy of the public ID, private ID and secret key; they will be needed for the next step.</b><br />
# Log in to the CCDB to register your key on the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i> page.<br />
<br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Translations:Multifactor_authentication/63/fr&diff=150159Translations:Multifactor authentication/63/fr2024-02-15T15:16:57Z<p>Mboisson: Created page with "* Niagara, February 6 and 13 * Niagara and Cedar, February 20 and 27 * Niagara, Cedar and Graham, March 5 and 12 * all clusters, March 19 and 26"</p>
<hr />
<div>* Niagara, February 6 and 13<br />
* Niagara and Cedar, February 20 and 27<br />
* Niagara, Cedar and Graham, March 5 and 12<br />
* all clusters, March 19 and 26</div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Translations:Multifactor_authentication/62/fr&diff=150158Translations:Multifactor authentication/62/fr2024-02-15T15:16:43Z<p>Mboisson: Created page with "To remind you to enable multifactor authentication, the feature will be required on Tuesdays between noon and 4 p.m. (ET) to connect to:"</p>
<hr />
<div>To remind you to enable multifactor authentication, the feature will be required on Tuesdays between noon and 4 p.m. (ET) to connect to:</div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Translations:Multifactor_authentication/61/fr&diff=150157Translations:Multifactor authentication/61/fr2024-02-15T15:16:32Z<p>Mboisson: Created page with "{{Warning|title=Multifactor authentication is becoming mandatory |content=We strongly encourage you to configure this feature as soon as possible, as a second factor will be required to access all our compute clusters from April 2024."</p>
<hr />
<div>{{Warning|title=Multifactor authentication is becoming mandatory<br />
|content=We strongly encourage you to configure this feature as soon as possible, as a second factor will be required to access all our compute clusters from April 2024.</div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=150150Multifactor authentication2024-02-15T15:15:32Z<p>Mboisson: Marked this version for translation</p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:61--><br />
{{Warning|title=Multifactor authentication is becoming mandatory<br />
|content=We strongly encourage you to enable MFA for your account now, as this will become a requirement to access our clusters as of April of 2024. <br />
<br />
<!--T:62--><br />
In order to get users enrolled progressively, we will institute periodic blackouts starting on February 6, 2024, which will progressively increase in scope until April of 2024. During these periods, users who have not enrolled into MFA will be unable to connect to certain clusters. The blackout periods are scheduled to occur on Tuesdays, between 12:00 PM and 4:00 PM ET. The clusters which will be subjected to blackouts are as follows:<br />
<br />
<!--T:63--><br />
* Niagara: February 6 and 13<br />
* Niagara and Cedar: February 20 and 27<br />
* Niagara, Cedar and Graham: March 5 and 12<br />
* All clusters: March 19 and 26<br />
<br />
<!--T:64--><br />
Enroll now to avoid being blocked from accessing our services.<br />
}}<br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in a situation when using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are not compatible because they don't all support the "Yubico OTP" function, which is required. We recommend using the YubiKey 5 Series, but older devices you may already have could work, see this [https://www.yubico.com/products/identifying-your-yubikey/ Yubico identification page] for reference.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $50 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
Multiple protocols are supported by YubiKeys. Our clusters use the Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
File:CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster which supports MFA, you will be prompted to use your second factor after you first use either your password or your [[SSH Keys|SSH key]]. This prompt will look like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey, a backup code, or if you prefer to enter the time-based one-time password that the Duo Mobile application shows, you type that code at the prompt instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
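What a verifying service sees in the passcode typed at this prompt, as an added example that is not part of the Alliance documentation: Yubico's published OTP format is assumed (44 modhex characters, alphabet <code>cbdefghijklnrtuv</code>; with the 12-character public IDs used on this page, the first 12 characters are the key's Public ID in clear text and the remaining 32 are the AES-encrypted one-time part that only the Secret Key can decrypt). Function names are hypothetical; the classification of menu options and 6-digit Duo Mobile codes is an assumption for illustration.<br />

```shell
#!/bin/sh
# Added example (not from the Alliance documentation). Yubico OTP layout used
# here: 44 modhex chars = 12-char public ID (clear text) + 32-char AES block.
# This is why the Public ID may appear in configuration, while the Secret Key
# (never typed, only stored at registration) must stay private.

MODHEX='cbdefghijklnrtuv'

# is_yubico_otp STRING -> exit 0 if STRING is exactly 44 modhex characters
is_yubico_otp() {
    printf '%s' "$1" | grep -Eq "^[$MODHEX]{44}\$"
}

# otp_public_id OTP -> prints the 12-character public ID (clear-text prefix)
otp_public_id() {
    printf '%s' "$1" | cut -c1-12
}

# modhex_to_hex STRING -> prints the hex encoding of the decoded bytes.
# Modhex is a 1:1 substitution over hex digits, so tr performs the decoding.
modhex_to_hex() {
    printf '%s' "$1" | tr "$MODHEX" '0123456789abcdef'
}

# classify_passcode INPUT -> prints one of: option, totp, yubikey, unknown
#   option  : a menu number such as "1" (Duo Push to a phone)
#   totp    : a 6-digit code shown by Duo Mobile (assumed format)
#   yubikey : a Yubico OTP produced by touching the key
classify_passcode() {
    in="$1"
    if printf '%s' "$in" | grep -Eq '^[1-9][0-9]?$'; then
        echo option
    elif printf '%s' "$in" | grep -Eq '^[0-9]{6}$'; then
        echo totp
    elif is_yubico_otp "$in"; then
        echo yubikey
    else
        echo unknown
    fi
}

# otp_matches_registered OTP REGISTERED_PUBLIC_ID -> exit 0 if the OTP comes
# from the key registered under that public ID. This is the first check a
# verifier makes before it even attempts to decrypt the one-time part.
otp_matches_registered() {
    is_yubico_otp "$1" && [ "$(otp_public_id "$1")" = "$2" ]
}
```

The 44-character passcode shown in the prompt above therefore starts with the public ID <code>vvcccbhbllnu</code>; a different registered public ID (such as <code>vvcccctffclk</code> from the <code>ykman</code> example below) would be rejected before any decryption.<br />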
<br />
=== Configuring your SSH client with ControlMaster, to only ask every so often === <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration. This setting allows a first SSH session to ask for the first and second factors, but subsequent SSH connections on the same device will reuse the connection of the first session (without asking for authentication), even up to 10 minutes after that first session was disconnected.<br />
<br />
<!--T:41--><br />
Note that the above ControlMaster mechanism (a.k.a. Multiplexing) doesn't work with native Windows, in which case [https://learn.microsoft.com/en-gb/windows/wsl/about Windows Subsystem for Linux] will be required.<br />
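Helpers for the ControlMaster configuration described above, as an added example that is not part of the Alliance documentation: the first function writes the documented stanza only once, the others use OpenSSH's own <code>-O check</code> / <code>-O exit</code> control commands to see whether a cached master session is still open and to close it before the 10-minute ControlPersist window would otherwise let it be reused. Function names are hypothetical; an OpenSSH client is assumed, and the <code>.ssh</code> directory defaults to <code>~/.ssh</code>.<br />

```shell
#!/bin/sh
# Added example (not from the Alliance documentation): manage the ControlMaster
# stanza shown above and inspect the cached master session it creates.

# mfa_cm_add_host HOST [SSHDIR]
# Append the documented stanza for HOST to SSHDIR/config unless a "Host HOST"
# stanza already exists, so the function can safely be run more than once.
mfa_cm_add_host() {
    host="$1"
    sshdir="${2:-$HOME/.ssh}"
    config="$sshdir/config"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"       # the cm-* control sockets are created here;
                              # nobody else should be able to reach them
    touch "$config"
    chmod 600 "$config"
    if grep -q "^Host $host\$" "$config"; then
        return 0              # already configured: nothing to do
    fi
    {
        printf 'Host %s\n' "$host"
        printf '    ControlPath ~/.ssh/cm-%%r@%%h:%%p\n'
        printf '    ControlMaster auto\n'
        printf '    ControlPersist 10m\n'
    } >> "$config"
}

# mfa_cm_count_host HOST [SSHDIR] -> prints the number of "Host HOST" stanzas
# in SSHDIR/config (0 when there is none)
mfa_cm_count_host() {
    grep -c "^Host $1\$" "${2:-$HOME/.ssh}/config" || true
}

# mfa_cm_list [SSHDIR] -> list the control sockets present, i.e. the hosts for
# which a master session may still be open (and reusable without MFA)
mfa_cm_list() {
    ls -l "${1:-$HOME/.ssh}"/cm-* 2>/dev/null || echo "no control sockets"
}

# mfa_cm_status HOST -> exit 0 if a master session for HOST is still alive.
# "ssh -O check" only talks to the local control socket; no login happens.
mfa_cm_status() {
    ssh -O check "$1" 2>/dev/null
}

# mfa_cm_exit HOST -> close the cached master session now, for instance before
# stepping away from the workstation, so the ControlPersist window ends early.
mfa_cm_exit() {
    ssh -O exit "$1" 2>/dev/null
}
```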
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command line clients will typically support multifactor authentication without additional configuration. This is however often not the case for graphical clients. Below are instructions specific to a few of them. <br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask for the password and second factor each time a transfer is initiated because by default, transfers use independent connections which are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to “1” in “Site Manager” => “Transfer Settings tab”; note that you’ll then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
=== Niagara special case === <!--T:59--><br />
Note that on Niagara, due to the simultaneous requirements of providing an SSH key and answering the interactive 2FA prompt upon login, users may face some challenges. Only one of each kind can be enabled at a time. We recommend using a different SCP client that has better support for interactive prompts, but one possible way to work around this is to:<br />
<br />
<!--T:60--><br />
# Attempt to connect with an SSH key. This will fail because of the interactive prompt for the second factor. FileZilla will then remember your key. <br />
# Change the login method to interactive and attempt to connect again. You will then receive the 2FA prompt.<br />
<br />
== MobaXTerm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which causes a mandatory second prompt for your second factor of authentication.<br />
To avoid that extra step, you can set the <i>SSH-browser type</i> to either<br />
<i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i> in the<br />
<i>Advanced SSH settings</i> tab of the <i>SSH</i> session editor:<br />
<br />
</translate><br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<translate><br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
Ensure that you are using [[SSH Keys]].<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, go in the application's preferences, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item and select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== Can I use Authy/Google Authenticator/Microsoft Authenticator? ==<br />
No. Only Duo Mobile will work.<br />
<br />
== I do not have a smartphone or tablet, and I do not want to buy a Yubikey == <!--T:55--><br />
Unfortunately, that means you will not be able to use our services when multifactor authentication becomes mandatory. A Yubikey hardware<br />
token is the cheapest way to enable multifactor authentication on your account, and is expected to be covered by the principal investigator's<br />
research funding like any other work-related hardware. Mandating multifactor authentication is a requirement from our funding bodies.<br />
<br />
== Why can't you send me one-time passcodes through SMS? == <!--T:56--><br />
Sending SMS costs money which we do not have. Multifactor using SMS is also widely regarded as insecure by most security experts.<br />
<br />
== Why can't you send me one-time passcodes through email? == <!--T:57--><br />
Duo does not support sending one-time codes through email.<br />
<br />
== I have an older Android phone and I cannot download the Duo Mobile application from the Google Play site. Can I still use Duo? == <!--T:58--><br />
Yes. However, you have to download the application from the Duo website:<br />
<br />
<!--T:52--><br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
<!--T:53--><br />
For validation, official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
<!--T:54--><br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see this page].<br />
<br />
== I want to disable multifactor authentication. How do I do this? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future; therefore, users cannot disable it. Exceptions can only be granted for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client you are using. Our [[Multifactor_authentication#Recorded_webinars|recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list providing answers to as many questions as you can. Email this information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
What is the primary email address registered in your account?<br />
For how long have you had an active account with us?<br />
What is your research area?<br />
What is your IP address? (to see your IP address, point your browser to this [https://whatismyipaddress.com/ link]).<br />
Who is the principal investigator sponsoring your account?<br />
Who are your group members?<br />
Who can we contact to validate your request?<br />
Which clusters do you use the most?<br />
Which modules do you load most often?<br />
When did you run your last job?<br />
Provide a few of your latest job IDs.<br />
Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and Mac OS.<br />
* MobaXTerm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need to have automated SSH connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information about this can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You'll need to use a VPN to circumvent this, to make it appear you're coming from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>)==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=150149Multifactor authentication2024-02-15T15:15:25Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
{{Warning|title=Multifactor authentication is becoming mandatory<br />
|content=We strongly encourage you to enable MFA for your account now, as this will become a requirement to access our clusters as of April of 2024. <br />
<br />
In order to get users enrolled progressively, we will institute periodic blackouts starting on February 6, 2024, which will progressively increase in scope until April of 2024. During these periods, users who have not enrolled into MFA will be unable to connect to certain clusters. The blackout periods are scheduled to occur on Tuesdays, between 12:00 PM and 4:00 PM ET. The clusters which will be subjected to blackouts are as follows:<br />
<br />
* Niagara: February 6 and 13<br />
* Niagara and Cedar: February 20 and 27<br />
* Niagara, Cedar and Graham: March 5 and 12<br />
* All clusters: March 19 and 26<br />
<br />
Enroll now to avoid being blocked from accessing our services.<br />
}}<br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in a situation where using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are not compatible because they don't all support the "Yubico OTP" function, which is required. We recommend using the YubiKey 5 Series, but older devices you may already have could work, see this [https://www.yubico.com/products/identifying-your-yubikey/ Yubico identification page] for reference.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $50 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
YubiKeys support multiple protocols; our clusters use Yubico One-Time Password (Yubico OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching the button on your YubiKey, which emits a 44-character string: the 12-character public ID of the key followed by 32 characters encoding a single-use token. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the string when you touch its button (the key behaves as a USB keyboard, so the prompt must have the keyboard focus when you touch it).<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster which supports MFA, you will be prompted to use your second factor after you first use either your password or your [[SSH Keys|SSH key]]. This prompt will look like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey or a backup code, or if you prefer to enter the time-based one-time password shown by the Duo Mobile application, type it at the prompt instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Configuring your SSH client with ControlMaster, to only ask every so often === <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration. With this setting, the first SSH session asks for the first and second factors; subsequent SSH connections to the same host from the same device are multiplexed over that first session's connection without asking for authentication, and the master connection is kept alive in the background for up to 10 minutes after the last session using it has closed. Note that the control socket in <code>~/.ssh</code> lets any process running under your local user account reuse the authenticated connection during that period, so keep <code>~/.ssh</code> readable by you alone and keep the socket on a local file system.<br />
<br />
<!--T:41--><br />
Note that the above ControlMaster mechanism (a.k.a. Multiplexing) doesn't work with native Windows, in which case [https://learn.microsoft.com/en-gb/windows/wsl/about Windows Subsystem for Linux] will be required.<br />
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command line clients will typically support multifactor authentication without additional configuration. This is however often not the case for graphical clients. Below are instructions specific to a few of them. <br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask the password and second factor each time a transfer is initiated because by default, transfers use independent connections which are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to “1” in “Site Manager” => “Transfer Settings tab”; note that you’ll then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
=== Niagara special case === <!--T:59--><br />
Note that on Niagara, because logging in requires both an SSH key and the interactive prompt for the second factor, users may face some challenges: FileZilla can enable only one of these two authentication methods at a time. We recommend using a different SCP client that has better support for interactive prompts, but one possible way to work around this is to:<br />
<br />
<!--T:60--><br />
# Attempt to connect with an SSH key. This will fail because of the interactive prompt for the second factor. FileZilla will then remember your key. <br />
# Change the login method to interactive and attempt to connect again. You will then receive the 2FA prompt.<br />
<br />
== MobaXTerm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which causes a mandatory second prompt for your second factor of authentication.<br />
To avoid that extra step, you can set the <i>SSH-browser type</i> to either<br />
<i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i> in the<br />
<i>Advanced SSH settings</i> tab of the <i>SSH</i> session editor:<br />
<br />
</translate><br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<translate><br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
Ensure that you are using [[SSH Keys]].<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, go in the application's preferences, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item and select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== Can I use Authy/Google Authenticator/Microsoft Authenticator? ==<br />
No. Only Duo Mobile will work.<br />
<br />
== I do not have a smartphone or tablet, and I do not want to buy a Yubikey == <!--T:55--><br />
Unfortunately, that means you will not be able to use our services when multifactor authentication becomes mandatory. A Yubikey hardware<br />
token is the cheapest way to enable multifactor authentication on your account, and is expected to be covered by the principal investigator's<br />
research funding like any other work-related hardware. Mandating multifactor authentication is a requirement from our funding bodies.<br />
<br />
== Why can't you send me one-time passcodes through SMS? == <!--T:56--><br />
Sending SMS costs money which we do not have. Multifactor authentication using SMS is also widely regarded as insecure by most security experts, since SIM-swap attacks and interception of the mobile network can redirect the codes to an attacker.<br />
<br />
== Why can't you send me one-time passcodes through email? == <!--T:57--><br />
Duo does not support sending one-time codes through email.<br />
<br />
== I have an older Android phone and I cannot download the Duo Mobile application from the Google Play site. Can I still use Duo? == <!--T:58--><br />
Yes. However, you have to download the application from the Duo website:<br />
<br />
<!--T:52--><br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
<!--T:53--><br />
Before installing, verify the downloaded file against the official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums listed here]; a file whose checksum does not match has been corrupted or substituted and must not be installed.<br />
<br />
<!--T:54--><br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see this page].<br />
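The following is an added example, not code from the Alliance or Duo documentation, showing the checksum verification step above as a small script. The expected digest is passed as an argument and is never hard-coded: copy it from Duo's checksum page for the exact version you downloaded. The file names in the usage line are placeholders.<br />

```shell
#!/bin/sh
# Added example (not from the Alliance or Duo docs): verify a sideloaded APK
# against the SHA-256 digest published by Duo before installing it.
# File names and the digest argument are placeholders supplied by the user.

# Print the SHA-256 hex digest of FILE using whichever tool the system has.
sha256_of() {
    file="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$file" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$file" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        # openssl prints "SHA256(file)= <hex>"; the digest is the last field.
        openssl dgst -sha256 "$file" | awk '{print $NF}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Return 0 only when FILE's digest equals EXPECTED (hex, case-insensitive).
# A mismatch means a corrupted or substituted download: delete the file.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file has $actual, expected $expected" >&2
    return 1
}

# Usage: sh verify_apk.sh DuoMobile-4.56.0.apk <digest from Duo's checksum page>
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
fi
```

Run it with the APK and the digest copied from Duo's page; only install the APK when the script prints <code>OK</code>.<br />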
<br />
== I want to disable multifactor authentication. How do I do this? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future; therefore, users cannot disable it. Exceptions can only be granted for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client you are using. Our [[Multifactor_authentication#Recorded_webinars|recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list providing answers to as many questions as you can. Email this information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
What is the primary email address registered in your account?<br />
For how long have you had an active account with us?<br />
What is your research area?<br />
What is your IP address? (to see your IP address, point your browser to this [https://whatismyipaddress.com/ link]).<br />
Who is the principal investigator sponsoring your account?<br />
Who are your group members?<br />
Who can we contact to validate your request?<br />
Which clusters do you use the most?<br />
Which modules do you load most often?<br />
When did you run your last job?<br />
Provide a few of your latest job IDs.<br />
Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and Mac OS.<br />
* MobaXTerm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need to have automated SSH connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information about this can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You'll need to use a VPN to circumvent this, to make it appear you're coming from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>)==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
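The following is an added example, not code from the Alliance documentation or from Yubico, that complements the <code>ykman</code> procedure above (and the identical procedure in the other copy of this page): it programs slot 2 without uploading to YubiCloud and then checks, before you register the key in CCDB, that what the key types is a well-formed Yubico OTP whose 12-character prefix is the public ID you saved. The <code>-S</code> flag is assumed to be the CLI equivalent of the GUI's <i>Use serial</i> option (confirm with <code>ykman otp yubiotp --help</code> on your version). The OTP used for testing is the sample value shown in the SSH prompt above; the values printed by <code>ykman</code> are secrets and should be treated like a password.<br />

```shell
#!/bin/sh
# Added example (not from the Alliance docs or Yubico): program slot 2 with
# ykman and validate the OTP the key types before registering it in CCDB.

# A Yubico OTP is 44 "modhex" characters: a 12-character public ID followed by
# 32 characters encoding the 16-byte encrypted token. Modhex uses only these
# letters, chosen so the string is the same under any keyboard layout.
MODHEX='cbdefghijklnrtuv'

# Return 0 if $1 looks like a Yubico OTP, 1 otherwise.
is_yubico_otp() {
    otp="$1"
    [ "${#otp}" -eq 44 ] || return 1
    # Anything surviving the deletion of modhex letters is not allowed.
    rest=$(printf '%s' "$otp" | tr -d "$MODHEX")
    [ -z "$rest" ]
}

# Print the 12-character public ID (the part the server uses to find the key's
# secret); print nothing and return 1 if the OTP is malformed.
otp_public_id() {
    is_yubico_otp "$1" || return 1
    printf '%s\n' "$1" | cut -c1-12
}

# Program slot 2: public ID from the serial (-S, assumed equivalent of the GUI's
# "Use serial"), generated private ID (-g) and generated AES key (-G), no
# YubiCloud upload. ykman prints the generated values: copy them into CCDB, then
# clear them from your terminal scrollback and shell history.
program_slot2() {
    ykman otp yubiotp -S -g -G 2
    ykman otp info
}

# Interactive check: touch the key once (long press for slot 2) and compare the
# typed prefix with the public ID you saved ($1). Run this before registering.
verify_touch_against() {
    expected="$1"
    printf 'Touch the YubiKey (long press for slot 2): '
    read -r typed
    got=$(otp_public_id "$typed") || { echo "not a Yubico OTP: $typed" >&2; return 1; }
    if [ "$got" = "$expected" ]; then
        echo "public ID matches ($got)"
        return 0
    fi
    echo "public ID $got does not match $expected" >&2
    return 1
}
```

Run <code>program_slot2</code> once, then <code>verify_touch_against &lt;public ID&gt;</code>; if the prefix differs, you most likely programmed the other slot or touched for the wrong duration. Because the key acts as a keyboard, do not touch it while a chat window or document has the focus, or the OTP will be typed there instead of the prompt.<br />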
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=150144Multifactor authentication2024-02-15T14:55:31Z<p>Mboisson: Marked this version for translation</p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in a situation where using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are not compatible because they don't all support the "Yubico OTP" function, which is required. We recommend using the YubiKey 5 Series, but older devices you may already have could work, see this [https://www.yubico.com/products/identifying-your-yubikey/ Yubico identification page] for reference.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $50 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
YubiKeys support multiple protocols; our clusters use Yubico One-Time Password (Yubico OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching the button on your YubiKey, which emits a 44-character string: the 12-character public ID of the key followed by 32 characters encoding a single-use token. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the string when you touch its button (the key behaves as a USB keyboard, so the prompt must have the keyboard focus when you touch it).<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster which supports MFA, you will be prompted to use your second factor after you first use either your password or your [[SSH Keys|SSH key]]. This prompt will look like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey or a backup code, or if you prefer to enter the time-based one-time password shown by the Duo Mobile application, type it at the prompt instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Configuring your SSH client with ControlMaster, to only ask every so often === <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration. With this setting, the first SSH session asks for the first and second factors; subsequent SSH connections to the same host from the same device are multiplexed over that first session's connection without asking for authentication, and the master connection is kept alive in the background for up to 10 minutes after the last session using it has closed. Note that the control socket in <code>~/.ssh</code> lets any process running under your local user account reuse the authenticated connection during that period, so keep <code>~/.ssh</code> readable by you alone and keep the socket on a local file system.<br />
<br />
<!--T:41--><br />
Note that the above ControlMaster mechanism (a.k.a. multiplexing) does not work with the native Windows OpenSSH client, in which case [https://learn.microsoft.com/en-gb/windows/wsl/about Windows Subsystem for Linux] will be required.<br />
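As an added example (not part of this wiki page), the following POSIX shell helpers read the ControlMaster settings a config file gives for a host, check that the directory holding the control socket is private to your user (while the master persists, anyone who can use that socket gets a session without a password or second factor), and close a persisted master with <code>ssh -O exit</code>. The host names and paths are constructed.<br />

```shell
#!/bin/sh
# Added example, not from the Alliance wiki. Helpers around the OpenSSH
# ControlMaster setup described above. Host names and paths are constructed.

# Print "ControlMaster ControlPersist ControlPath" for HOST as found in the
# ssh_config file FILE. Simplified matcher: only exact "Host NAME" blocks are
# honoured (no wildcards or Match blocks); the first value seen wins, as in
# OpenSSH. Missing values are printed as "no", "no" and "none".
cm_settings() {
    awk -v host="$2" '
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == host) inblock = 1
            next
        }
        inblock && tolower($1) == "controlmaster"  && cm   == "" { cm   = $2 }
        inblock && tolower($1) == "controlpersist" && cp   == "" { cp   = $2 }
        inblock && tolower($1) == "controlpath"    && path == "" { path = $2 }
        END {
            printf "%s %s %s\n", (cm == "" ? "no" : cm),
                                 (cp == "" ? "no" : cp),
                                 (path == "" ? "none" : path)
        }
    ' "$1"
}

# Succeed only if DIR grants no permission bits to group or others. A
# persisted master socket is a live, already authenticated session, so the
# directory that holds it (normally ~/.ssh) must not be readable by others.
socket_dir_private() {
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# Report whether a master connection for HOST is currently alive, and tear it
# down (for example before leaving the machine), using OpenSSH's -O control
# commands. These need the ssh client and a matching Host block to exist.
cm_check() { ssh -O check "$1" 2>&1; }
cm_close() { ssh -O exit  "$1" 2>&1; }
```

Run <code>cm_settings ~/.ssh/config HOSTNAME</code> to confirm the block was picked up, and <code>cm_close HOSTNAME</code> to end the shared session before the 10-minute window expires on its own.<br />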
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command line clients will typically support multifactor authentication without additional configuration. This is however often not the case for graphical clients. Below are instructions specific to a few of them. <br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask for the password and second factor each time a transfer is initiated because, by default, transfers use independent connections which are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to 1 in <i>Site Manager → Transfer Settings</i>; note that you will then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
=== Niagara special case === <!--T:59--><br />
Note that on Niagara, due to the simultaneous requirements of providing an SSH key and answering the interactive 2FA prompt upon login, users may face some difficulty: only one of each kind can be enabled at a time. We recommend using a different SCP client with better support for interactive prompts, but one possible way to work around this is to:<br />
<br />
<!--T:60--><br />
# Attempt to connect with an SSH key. This will fail because of the interactive prompt for the second factor. FileZilla will then remember your key. <br />
# Change the login method to interactive and attempt to connect again. You will then receive the 2FA prompt.<br />
<br />
== MobaXterm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which causes a mandatory second prompt for your second factor of authentication.<br />
To avoid that extra step, you can set the <i>SSH-browser type</i> to either<br />
<i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i> in the<br />
<i>Advanced SSH settings</i> tab of the <i>SSH</i> session editor:<br />
<br />
</translate><br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<translate><br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
Ensure that you are using [[SSH Keys]].<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, go to the application's preferences, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item and select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== Can I use Authy/Google Authenticator/Microsoft Authenticator? ==<br />
No. Only Duo Mobile will work.<br />
<br />
== I do not have a smartphone or tablet, and I do not want to buy a YubiKey == <!--T:55--><br />
Unfortunately, that means you will not be able to use our services when multifactor authentication becomes mandatory. A YubiKey hardware token is the cheapest way to enable multifactor authentication on your account, and is expected to be covered by the principal investigator's research funding like any other work-related hardware. Mandating multifactor authentication is a requirement from our funding bodies.<br />
<br />
== Why can't you send me one-time passcodes through SMS? == <!--T:56--><br />
Sending SMS messages costs money, which we do not have. SMS-based multifactor authentication is also widely regarded as insecure by most security experts.<br />
<br />
== Why can't you send me one-time passcodes through email? == <!--T:57--><br />
Duo does not support sending one-time codes through email.<br />
<br />
== I have an older Android phone and I cannot download the Duo Mobile application from the Google Play site. Can I still use Duo? == <!--T:58--><br />
Yes. However, you have to download the application from the Duo website:<br />
<br />
<!--T:52--><br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
<!--T:53--><br />
To verify the downloaded file, the official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
<!--T:54--><br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see this page].<br />
<br />
== I want to disable multifactor authentication. How do I do this? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future; therefore, users cannot disable it. Exceptions can only be granted for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client you are using. Our [[Multifactor_authentication#Recorded_webinars|recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list and provide answers to as many of the questions as you can. Email this information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
* What is the primary email address registered in your account?<br />
* For how long have you had an active account with us?<br />
* What is your research area?<br />
* What is your IP address? (To see your IP address, point your browser to this [https://whatismyipaddress.com/ link].)<br />
* Who is the principal investigator sponsoring your account?<br />
* Who are your group members?<br />
* Who can we contact to validate your request?<br />
* Which clusters do you use the most?<br />
* Which modules do you load most often?<br />
* When did you run your last job?<br />
* Provide a few of your latest job IDs.<br />
* Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most command-line clients, such as those on Linux and macOS.<br />
* MobaXterm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need to have automated SSH connections to the clusters through my account. Can I use multifactor authentication ? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information about this can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location" ? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You will need to use a VPN to circumvent this, so that your connection appears to come from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the command line (<code>ykman</code>) ==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=150143Multifactor authentication2024-02-15T13:24:26Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in a situation where using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are not compatible because not all of them support the "Yubico OTP" function, which is required. We recommend the YubiKey 5 Series, but older devices you may already have could work; see this [https://www.yubico.com/products/identifying-your-yubikey/ Yubico identification page] for reference.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $50 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
Multiple protocols are supported by YubiKeys. Our clusters use the Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Standard_software_environments&diff=150056Standard software environments2024-02-12T15:50:22Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<!--T:21--><br />
For questions about migration to different standard environments, please see [[Migration to the new standard environment]].<br />
<br />
= What are standard software environments? = <!--T:1--><br />
Our software environments are provided through a set of [[Utiliser_des_modules/en|modules]] which allow you to switch between different versions of software packages. These modules are organized in a tree structure with the trunk made up of typical utilities provided by any Linux environment. Branches are compiler versions and sub-branches are versions of MPI or CUDA. <br />
<br />
<!--T:15--><br />
Standard environments identify combinations of specific compiler and MPI modules that are used most commonly by our team to build other software. These combinations are grouped in modules named <code>StdEnv</code>.<br />
<br />
<!--T:16--><br />
As of February 2023, there are four such standard environments, versioned 2023, 2020, 2018.3 and 2016.4, with each new version incorporating major improvements. Only versions 2020 and 2023 are actively supported. <br />
<br />
<!--T:17--><br />
This page describes these changes and explains why you should upgrade to a more recent version. <br />
<br />
In general, new versions of software packages will get installed with the newest software environment.<br />
<br />
== <code>StdEnv/2023</code> == <!--T:22--><br />
This is the most recent iteration of our software environment. It uses GCC 12.3.0, Intel 2023.1, and Open MPI 4.1.5 as defaults. <br />
<br />
<!--T:23--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2023}}<br />
<br />
=== Performance improvements === <!--T:24--><br />
The minimum CPU instruction set supported by this environment is AVX2, or more generally, <tt>x86-64-v3</tt>. Even the compatibility layer which provides basic Linux commands is compiled with optimisations for this instruction set. <br />
<br />
=== Changes of default modules === <!--T:25--><br />
GCC becomes the default compiler, instead of Intel. We compile with Intel only the software that is known to perform better when built with Intel. CUDA becomes an add-on to OpenMPI, rather than the other way around, i.e. CUDA-aware MPI is loaded at run time if CUDA is loaded. This allows many MPI libraries to be shared between the CUDA and non-CUDA branches.<br />
<br />
<!--T:26--><br />
The following core modules have seen their default version upgraded:<br />
* GCC 9.3 => GCC 12.3<br />
* OpenMPI 4.0.3 => OpenMPI 4.1.5<br />
* Intel compilers 2020 => 2023<br />
* Intel MKL 2020 => Flexiblas 3.3.1 (with MKL 2023 or BLIS 0.9.0)<br />
* CUDA 11 => CUDA 12<br />
<br />
== <code>StdEnv/2020</code> == <!--T:6--><br />
This iteration of our software environment brought the most changes so far. It uses GCC 9.3.0, Intel 2020.1, and Open MPI 4.0.3 as defaults. <br />
<br />
<!--T:7--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2020}}<br />
<br />
=== Performance improvements === <!--T:8--><br />
Binaries compiled with the Intel compiler now automatically support both the AVX2 and AVX512 instruction sets. In technical terms, we call them ''multi-architecture binaries'', also known as [https://en.wikipedia.org/wiki/Fat_binary fat binaries]. This means that when running on clusters such as Cedar and Graham, which have multiple generations of processors, you don't have to manually load one of the <tt>arch</tt> modules if you use software packages generated by the Intel compiler. <br />
<br />
<!--T:9--><br />
Many software packages which were previously installed either with GCC or with Intel are now installed at a lower level of the software hierarchy, which makes the same module visible irrespective of which compiler is loaded. For example, this is the case for many bioinformatics software packages as well as the [[R]] modules, which previously required loading the <code>gcc</code> module. This was possible because we introduced optimizations specific to CPU architectures at a level of the software hierarchy lower than the compiler level. <br />
<br />
<!--T:10--><br />
We also installed a more recent version of the [https://en.wikipedia.org/wiki/GNU_C_Library GNU C Library], which introduces optimizations in some mathematical functions. This has increased the requirement on the version of the Linux Kernel (see below). <br />
<br />
=== Change in the compatibility layer === <!--T:11--><br />
Another enhancement for the 2020 release was a change in tools for our compatibility layer. The compatibility layer is between the operating system and all other software packages. This layer is designed to ensure that compilers and scientific applications will work whether they run on CentOS, Ubuntu, or Fedora. For the 2016.4 and 2018.3 versions, we used the [https://en.wikipedia.org/wiki/Nix_package_manager Nix package manager], while for the 2020 version, we used [https://wiki.gentoo.org/wiki/Project:Prefix Gentoo Prefix]. <br />
<br />
=== Change in kernel requirement === <!--T:12--><br />
Versions 2016.4 and 2018.3 required a Linux kernel version 2.6.32 or more recent. This supported CentOS versions starting at CentOS 6. With the 2020 version, we require a Linux kernel 3.10 or more recent. This means it no longer supports CentOS 6, but requires CentOS 7 instead. Other distributions usually have kernels which are much more recent, so you probably don't need to change your distribution if you are using this standard environment on something other than CentOS.<br />
<br />
=== Module extensions === <!--T:18--><br />
With the 2020 environment, we started installing more Python extensions inside of their corresponding core modules. For example, we installed <tt>PyQt5</tt> inside of the <tt>qt/5.12.8</tt> module so that it supports multiple versions of Python. The module system has also been adjusted so you can find such extensions. For example, if you run <br />
{{Command|module spider pyqt5}}<br />
it will tell you that you can get this by loading the <tt>qt/5.12.8</tt> module.<br />
<br />
== <code>StdEnv/2018.3</code> == <!--T:4--><br />
{{Template:Warning<br />
|title=Deprecated<br />
|content=This environment is no longer supported.}}<br />
This is the second version of our software environment. It was released in 2018 with the deployment of [[Béluga/en|Béluga]], and shortly after the deployment of [[Niagara]]. Defaults were upgraded to GCC 7.3.0, Intel 2018.3, and Open MPI 3.1.2. This is the first version to support AVX512 instructions.<br />
<br />
<!--T:5--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2018.3}}<br />
<br />
== <code>StdEnv/2016.4</code> == <!--T:2--><br />
{{Template:Warning<br />
|title=Deprecated<br />
|content=This environment is no longer supported.}}<br />
This is the initial version of our software environment released in 2016 with the deployment of [[Cedar]] and [[Graham]]. It features GCC 5.4.0 and Intel 2016.4 as default compilers, and Open MPI 2.1.1 as its default implementation of MPI. Most of the software compiled with this environment does not support AVX512 instructions provided by the Skylake processors on [[Béluga/en|Béluga]], [[Niagara]], as well as on the most recent additions to Cedar and Graham.<br />
<br />
<!--T:3--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2016.4}}<br />
<br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Migration_to_the_new_standard_environment&diff=150047Migration to the new standard environment2024-02-12T15:47:52Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
= What are the differences between <tt>StdEnv/2023</tt> and the earlier environments? = <!--T:1--><br />
The differences are discussed in [[Standard software environments]].<br />
<br />
= Can I change my default standard environment? = <!--T:2--><br />
Prior to April 1st, 2024, '''<code>StdEnv/2023</code> will be the default environment for all clusters.''' However, you can specify your own default environment at any time by modifying the <code>$HOME/.modulerc</code> file. For example, running the following command will set your default environment to <code>StdEnv/2020</code>:<br />
{{Command|echo "module-version StdEnv/2020 default" >> $HOME/.modulerc}}<br />
You must log out and log in again for this change to take effect.<br />
<br />
= Do I need to reinstall/recompile my code when the <code>StdEnv</code> changes? = <!--T:3--><br />
Yes. If you compile your own code, or have installed R or Python packages, you should recompile your code or reinstall the packages you need with the newest version of the standard environment.<br />
<br />
= How can I use an earlier environment? = <!--T:4--><br />
If you have an existing workflow and want to continue to use the same software versions you are using now, simply add <code>module load StdEnv/2020</code> to your job scripts before loading any other modules. <br />
<br />
= Will the earlier environments be removed? = <!--T:5--><br />
The earlier environments and any software dependent on them will remain available, but versions 2016.4 and 2018.3 are no longer supported and we recommend against using them. Our staff will also no longer install anything in the old environments.<br />
<br />
= Can I mix modules from different environments? = <!--T:6--><br />
No. You should use a single environment for a given job. Different jobs can use different standard environments by explicitly loading one or the other at the beginning of the job, but within a single job you should use only one environment. The results of mixing environments are unpredictable and will generally lead to errors of one kind or another. <br />
<br />
= Which environment should I use? = <!--T:7--><br />
If you are starting a new project, or if you want to use a newer version of an application, you should use <tt>StdEnv/2023</tt> by adding <code>module load StdEnv/2023</code> to your job scripts. You do not need to remove this command after April 1 to keep using <tt>StdEnv/2023</tt>.<br />
<br />
= Can I keep using an older environment by loading modules in my <code>.bashrc</code>? = <!--T:8--><br />
Loading modules in your <code>.bashrc</code> is '''not recommended'''. Instead, explicitly load modules in your job scripts.<br />
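A check for the single-environment rule and for the <code>.modulerc</code> default described above, as an added Go example that is not part of the Alliance's tooling: it inspects the colon-separated <code>LOADEDMODULES</code> variable exported by the module system to confirm that exactly one, intended <code>StdEnv</code> is loaded, and it reads the <code>module-version StdEnv/&lt;version&gt; default</code> line that the <code>echo</code> command above appends. The module lists and <code>.modulerc</code> contents in the comments are constructed sample values.<br />

```go
package main

import (
	"fmt"
	"strings"
)

// LoadedStdEnvs returns the StdEnv/<version> entries found in a LOADEDMODULES
// value (the colon-separated list the module system exports), in load order.
// Constructed sample: "StdEnv/2023:gcc/12.3:openmpi/4.1.5" -> ["StdEnv/2023"].
func LoadedStdEnvs(loadedModules string) []string {
	var envs []string
	for _, m := range strings.Split(loadedModules, ":") {
		if strings.HasPrefix(m, "StdEnv/") {
			envs = append(envs, m)
		}
	}
	return envs
}

// CheckStdEnv enforces the one-environment-per-job rule: exactly one StdEnv
// must be loaded, and it must be the one the job script intended.
func CheckStdEnv(loadedModules, want string) error {
	envs := LoadedStdEnvs(loadedModules)
	switch {
	case len(envs) == 0:
		return fmt.Errorf("no standard environment loaded; add 'module load %s' before other modules", want)
	case len(envs) > 1:
		return fmt.Errorf("mixed standard environments loaded: %s", strings.Join(envs, ", "))
	case envs[0] != want:
		return fmt.Errorf("loaded %s but this job expects %s", envs[0], want)
	}
	return nil
}

// DefaultStdEnv reads the text of a $HOME/.modulerc and returns the StdEnv
// version selected by a "module-version StdEnv/<version> default" line, or ""
// if there is none. If several such lines were appended over time, the last
// one is reported; the module system's own precedence rules are not modelled
// here (assumption).
func DefaultStdEnv(modulerc string) string {
	def := ""
	for _, line := range strings.Split(modulerc, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == "module-version" && f[2] == "default" && strings.HasPrefix(f[1], "StdEnv/") {
			def = f[1]
		}
	}
	return def
}
```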
<br />
= I don't use the HPC clusters but cloud resources only. Do I need to worry about this? = <!--T:9--><br />
No, this change will only affect the [[Available software]] accessed by [[Using modules|using environment modules]].<br />
<br />
= I can no longer load a module that I previously used = <!--T:10--><br />
More recent versions of most applications are installed in the new environment. To see the available versions, run the <code>module avail</code> command. For example, <br />
{{Command|module avail gcc}}<br />
shows several versions of the GCC compilers, which may be different from those in earlier environments.<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Migration_to_the_new_standard_environment&diff=150020Migration to the new standard environment2024-02-12T15:45:29Z<p>Mboisson: Mboisson a déplacé la page Migration to the 2020 standard environment vers Migration to the new standard environment sans laisser de redirection: Part of translatable page "Migration to the 2020 standard environment"</p>
<hr />
<div><languages /><br />
<br />
<translate><br />
= What are the differences between <tt>StdEnv/2020</tt> and the earlier environments? = <!--T:1--><br />
The differences are discussed in [[Standard software environments]].<br />
<br />
= Can I change my default standard environment? = <!--T:2--><br />
Prior to April 1st, 2021, our clusters used different <code>StdEnv</code> versions as their default: [[Cedar]] and [[Graham]] used <code>StdEnv/2016.4</code>, while [[Béluga/en|Béluga]] used <code>StdEnv/2018.3</code>. [[Niagara]] defaulted to <code>StdEnv/2018.3</code> when you ran <code>module load CCEnv StdEnv</code>. '''<code>StdEnv/2020</code> is now the default environment for all clusters.''' However, you can specify your own default environment at any time by modifying the <code>$HOME/.modulerc</code> file. For example, running the following command will set your default environment to <code>StdEnv/2018.3</code>:<br />
{{Command|echo "module-version StdEnv/2018.3 default" >> $HOME/.modulerc}}<br />
You must log out and log in again for this change to take effect.<br />
<br />
= Do I need to reinstall/recompile my code when the <code>StdEnv</code> changes? = <!--T:3--><br />
Yes. If you compile your own code, or have installed R or Python packages, you should recompile your code or reinstall the packages you need with the newest version of the standard environment.<br />
<br />
= How can I use an earlier environment? = <!--T:4--><br />
If you have an existing workflow and want to continue to use the same software versions you are using now, simply add <code>module load StdEnv/2018.3</code> or <code>module load StdEnv/2016.4</code> to your job scripts before loading any other modules. <br />
<br />
= Will the earlier environments be removed? = <!--T:5--><br />
The earlier environments and any software dependent on them will remain available. However, our staff will no longer install anything in the old environments.<br />
<br />
= Can I mix modules from different environments? = <!--T:6--><br />
No. You should use a single environment for a given job. Different jobs can use different standard environments by explicitly loading one or the other at the beginning of the job, but within a single job you should use only one environment. The results of mixing environments are unpredictable and will generally lead to errors of one kind or another. <br />
<br />
= Which environment should I use? = <!--T:7--><br />
If you are starting a new project, or if you want to use a newer version of an application, you should use <tt>StdEnv/2020</tt> by adding <code>module load StdEnv/2020</code> to your job scripts. You do not need to remove this command after April 1 to keep using <tt>StdEnv/2020</tt>.<br />
<br />
= Can I keep using an older environment by loading modules in my <code>.bashrc</code>? = <!--T:8--><br />
Loading modules in your <code>.bashrc</code> is '''not recommended'''. Instead, explicitly load modules in your job scripts.<br />
<br />
= I don't use the HPC clusters but cloud resources only. Do I need to worry about this? = <!--T:9--><br />
No, this change will only affect the [[Available software]] accessed by [[Using modules|using environment modules]].<br />
<br />
= I can no longer load a module that I previously used = <!--T:10--><br />
More recent versions of most applications are installed in the new environment. To see the available versions, run the <code>module avail</code> command. For example, <br />
{{Command|module avail gcc}}<br />
shows several versions of the GCC compilers, which may be different from those in earlier environments.<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Standard_software_environments&diff=150013Standard software environments2024-02-12T15:40:36Z<p>Mboisson: Marked this version for translation</p>
<hr />
<div><languages /><br />
<br />
<translate><br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Standard_software_environments&diff=150012Standard software environments2024-02-12T15:40:30Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Standard_software_environments&diff=150011Standard software environments2024-02-12T15:40:08Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<!--T:21--><br />
For questions about migration to different standard environments, please see [[Migration to the 2020 standard environment]].<br />
<br />
= What are standard software environments? = <!--T:1--><br />
Our software environments are provided through a set of [[Utiliser_des_modules/en|modules]] which allow you to switch between different versions of software packages. These modules are organized in a tree structure with the trunk made up of typical utilities provided by any Linux environment. Branches are compiler versions and sub-branches are versions of MPI or CUDA. <br />
<br />
<!--T:15--><br />
Standard environments identify combinations of specific compiler and MPI modules that are used most commonly by our team to build other software. These combinations are grouped in modules named <code>StdEnv</code>.<br />
<br />
<!--T:16--><br />
As of February 2023, there are four such standard environments, versioned 2023, 2020, 2018.3 and 2016.4, with each new version incorporating major improvements. Only versions 2020 and 2023 are actively supported. <br />
<br />
<!--T:17--><br />
This page describes these changes and explains why you should upgrade to a more recent version. <br />
<br />
In general, new versions of software packages will get installed with the newest software environment.<br />
<br />
== <code>StdEnv/2023</code> == <!--T:22--><br />
This is the most recent iteration of our software environment with the most changes so far. It uses GCC 12.3.0, Intel 2023.1, and Open MPI 4.1.5 as defaults. <br />
<br />
<!--T:23--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2023}}<br />
<br />
=== Performance improvements === <!--T:24--><br />
The minimum CPU instruction set supported by this environment is AVX2, or more generally, <tt>x86-64-v3</tt>. Even the compatibility layer which provides basic Linux commands is compiled with optimisations for this instruction set. <br />
<br />
=== Changes of default modules === <!--T:25--><br />
GCC becomes the default compiler, instead of Intel. We compile with Intel only the software that is known to perform better with Intel. CUDA becomes an add-on to OpenMPI, rather than the other way around, i.e. CUDA-aware MPI is loaded at run time if CUDA is loaded. This allows many MPI libraries to be shared across CUDA and non-CUDA branches.<br />
<br />
<!--T:26--><br />
The following core modules have seen their default version upgraded:<br />
* GCC 9.3 => GCC 12.3<br />
* OpenMPI 4.0.3 => OpenMPI 4.1.5<br />
* Intel compilers 2020 => 2023<br />
* Intel MKL 2020 => Flexiblas 3.3.1 (with MKL 2023 or BLIS 0.9.0)<br />
* CUDA 11 => CUDA 12<br />
<br />
== <code>StdEnv/2020</code> == <!--T:6--><br />
This is the most recent iteration of our software environment with the most changes so far. It uses GCC 9.3.0, Intel 2020.1, and Open MPI 4.0.3 as defaults. <br />
<br />
<!--T:7--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2020}}<br />
<br />
=== Performance improvements === <!--T:8--><br />
Binaries compiled with the Intel compiler now automatically support both AVX2 and AVX512 instruction sets. In technical terms, we call them ''multi-architecture binaries'', also known as [https://en.wikipedia.org/wiki/Fat_binary fat binaries]. This means that when running on a cluster such as Cedar and Graham which has multiple generations of processors, you don't have to manually load one of the <tt>arch</tt> modules if you use software packages generated by the Intel compiler. <br />
<br />
<!--T:9--><br />
Many software packages which were previously installed either with GCC or with Intel are now installed at a lower level of the software hierarchy, which makes the same module visible, irrespective of which compiler is loaded. For example, this is the case for many bioinformatics software packages as well as the [[R]] modules, which previously required loading the <code>gcc</code> module. This could be done because we introduced optimizations specific to CPU architectures at a level of the software hierarchy lower than the compiler level. <br />
<br />
<!--T:10--><br />
We also installed a more recent version of the [https://en.wikipedia.org/wiki/GNU_C_Library GNU C Library], which introduces optimizations in some mathematical functions. This has increased the requirement on the version of the Linux Kernel (see below). <br />
<br />
=== Change in the compatibility layer === <!--T:11--><br />
Another enhancement for the 2020 release was a change in tools for our compatibility layer. The compatibility layer is between the operating system and all other software packages. This layer is designed to ensure that compilers and scientific applications will work whether they run on CentOS, Ubuntu, or Fedora. For the 2016.4 and 2018.3 versions, we used the [https://en.wikipedia.org/wiki/Nix_package_manager Nix package manager], while for the 2020 version, we used [https://wiki.gentoo.org/wiki/Project:Prefix Gentoo Prefix]. <br />
<br />
=== Change in kernel requirement === <!--T:12--><br />
Versions 2016.4 and 2018.3 required a Linux kernel version 2.6.32 or more recent. This supported CentOS versions starting at CentOS 6. With the 2020 version, we require a Linux kernel 3.10 or better. This means it no longer supports CentOS 6, but requires CentOS 7 instead. Other distributions usually have kernels which are much more recent, so you probably don't need to change your distribution if you are using this standard environment on something other than CentOS.<br />
<br />
=== Module extensions === <!--T:18--><br />
With the 2020 environment, we started installing more Python extensions inside of their corresponding core modules. For example, we installed <tt>PyQt5</tt> inside of the <tt>qt/5.12.8</tt> module so that it supports multiple versions of Python. The module system has also been adjusted so you can find such extensions. For example, if you run <br />
{{Command|module spider pyqt5}}<br />
it will tell you that you can get this by loading the <tt>qt/5.12.8</tt> module.<br />
<br />
== <code>StdEnv/2018.3</code> == <!--T:4--><br />
{{Template:Warning<br />
|title=Deprecated<br />
|content=This environment is no longer supported.}}<br />
This is the second version of our software environment. It was released in 2018 with the deployment of [[Béluga/en|Béluga]], and shortly after the deployment of [[Niagara]]. Defaults were upgraded to GCC 7.3.0, Intel 2018.3, and Open MPI 3.1.2. This is the first version to support AVX512 instructions.<br />
<br />
<!--T:5--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2018.3}}<br />
<br />
== <code>StdEnv/2016.4</code> == <!--T:2--><br />
{{Template:Warning<br />
|title=Deprecated<br />
|content=This environment is no longer supported.}}<br />
This is the initial version of our software environment released in 2016 with the deployment of [[Cedar]] and [[Graham]]. It features GCC 5.4.0 and Intel 2016.4 as default compilers, and Open MPI 2.1.1 as its default implementation of MPI. Most of the software compiled with this environment does not support AVX512 instructions provided by the Skylake processors on [[Béluga/en|Béluga]], [[Niagara]], as well as on the most recent additions to Cedar and Graham.<br />
<br />
<!--T:3--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2016.4}}<br />
<br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Standard_software_environments&diff=150001Standard software environments2024-02-12T15:38:28Z<p>Mboisson: Marked this version for translation</p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<!--T:21--><br />
For questions about migration to different standard environments, please see [[Migration to the 2020 standard environment]].<br />
<br />
= What are standard software environments? = <!--T:1--><br />
Our software environments are provided through a set of [[Utiliser_des_modules/en|modules]] which allow you to switch between different versions of software packages. These modules are organized in a tree structure with the trunk made up of typical utilities provided by any Linux environment. Branches are compiler versions and sub-branches are versions of MPI or CUDA. <br />
<br />
<!--T:15--><br />
Standard environments identify combinations of specific compiler and MPI modules that are used most commonly by our team to build other software. These combinations are grouped in modules named <code>StdEnv</code>.<br />
<br />
<!--T:16--><br />
As of October 2020, there are three such standard environments, versioned 2016.4, 2018.3, and 2020, with each new version incorporating major improvements. <br />
<br />
<!--T:17--><br />
This page describes these changes and explains why you should upgrade to a more recent version. <br />
<br />
In general, new versions of software packages will get installed with the newest software environment.<br />
<br />
== <code>StdEnv/2023</code> == <!--T:22--><br />
This is the most recent iteration of our software environment with the most changes so far. It uses GCC 12.3.0, Intel 2023.1, and Open MPI 4.1.5 as defaults. <br />
<br />
<!--T:23--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2023}}<br />
<br />
=== Performance improvements === <!--T:24--><br />
The minimum CPU instruction set supported by this environment is AVX2, or more generally, <tt>x86-64-v3</tt>. Even the compatibility layer which provides basic Linux commands is compiled with optimisations for this instruction set. <br />
<br />
=== Changes of default modules === <!--T:25--><br />
GCC becomes the default compiler, instead of Intel. We compile with Intel only the software that is known to perform better with Intel. CUDA becomes an add-on to OpenMPI, rather than the other way around, i.e. CUDA-aware MPI is loaded at run time if CUDA is loaded. This allows many MPI libraries to be shared across CUDA and non-CUDA branches.<br />
<br />
<!--T:26--><br />
The following core modules have seen their default version upgraded:<br />
* GCC 9.3 => GCC 12.3<br />
* OpenMPI 4.0.3 => OpenMPI 4.1.5<br />
* Intel compilers 2020 => 2023<br />
* Intel MKL 2020 => Flexiblas 3.3.1 (with MKL 2023 or BLIS 0.9.0)<br />
* CUDA 11 => CUDA 12<br />
<br />
== <code>StdEnv/2020</code> == <!--T:6--><br />
This is the most recent iteration of our software environment with the most changes so far. It uses GCC 9.3.0, Intel 2020.1, and Open MPI 4.0.3 as defaults. <br />
<br />
<!--T:7--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2020}}<br />
<br />
=== Performance improvements === <!--T:8--><br />
Binaries compiled with the Intel compiler now automatically support both AVX2 and AVX512 instruction sets. In technical terms, we call them ''multi-architecture binaries'', also known as [https://en.wikipedia.org/wiki/Fat_binary fat binaries]. This means that when running on a cluster such as Cedar and Graham which has multiple generations of processors, you don't have to manually load one of the <tt>arch</tt> modules if you use software packages generated by the Intel compiler. <br />
<br />
<!--T:9--><br />
Many software packages which were previously installed either with GCC or with Intel are now installed at a lower level of the software hierarchy, which makes the same module visible, irrespective of which compiler is loaded. For example, this is the case for many bioinformatics software packages as well as the [[R]] modules, which previously required loading the <code>gcc</code> module. This could be done because we introduced optimizations specific to CPU architectures at a level of the software hierarchy lower than the compiler level. <br />
<br />
<!--T:10--><br />
We also installed a more recent version of the [https://en.wikipedia.org/wiki/GNU_C_Library GNU C Library], which introduces optimizations in some mathematical functions. This has increased the requirement on the version of the Linux Kernel (see below). <br />
<br />
=== Change in the compatibility layer === <!--T:11--><br />
Another enhancement for the 2020 release was a change in tools for our compatibility layer. The compatibility layer is between the operating system and all other software packages. This layer is designed to ensure that compilers and scientific applications will work whether they run on CentOS, Ubuntu, or Fedora. For the 2016.4 and 2018.3 versions, we used the [https://en.wikipedia.org/wiki/Nix_package_manager Nix package manager], while for the 2020 version, we used [https://wiki.gentoo.org/wiki/Project:Prefix Gentoo Prefix]. <br />
<br />
=== Change in kernel requirement === <!--T:12--><br />
Versions 2016.4 and 2018.3 required a Linux kernel version 2.6.32 or more recent. This supported CentOS versions starting at CentOS 6. With the 2020 version, we require a Linux kernel 3.10 or better. This means it no longer supports CentOS 6, but requires CentOS 7 instead. Other distributions usually have kernels which are much more recent, so you probably don't need to change your distribution if you are using this standard environment on something other than CentOS.<br />
<br />
=== Module extensions === <!--T:18--><br />
With the 2020 environment, we started installing more Python extensions inside of their corresponding core modules. For example, we installed <tt>PyQt5</tt> inside of the <tt>qt/5.12.8</tt> module so that it supports multiple versions of Python. The module system has also been adjusted so you can find such extensions. For example, if you run <br />
{{Command|module spider pyqt5}}<br />
it will tell you that you can get this by loading the <tt>qt/5.12.8</tt> module.<br />
<br />
== <code>StdEnv/2018.3</code> == <!--T:4--><br />
{{Template:Warning<br />
|title=Deprecated<br />
|content=This environment is no longer supported.}}<br />
This is the second version of our software environment. It was released in 2018 with the deployment of [[Béluga/en|Béluga]], and shortly after the deployment of [[Niagara]]. Defaults were upgraded to GCC 7.3.0, Intel 2018.3, and Open MPI 3.1.2. This is the first version to support AVX512 instructions.<br />
<br />
<!--T:5--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2018.3}}<br />
<br />
== <code>StdEnv/2016.4</code> == <!--T:2--><br />
{{Template:Warning<br />
|title=Deprecated<br />
|content=This environment is no longer supported.}}<br />
This is the initial version of our software environment released in 2016 with the deployment of [[Cedar]] and [[Graham]]. It features GCC 5.4.0 and Intel 2016.4 as default compilers, and Open MPI 2.1.1 as its default implementation of MPI. Most of the software compiled with this environment does not support AVX512 instructions provided by the Skylake processors on [[Béluga/en|Béluga]], [[Niagara]], as well as on the most recent additions to Cedar and Graham.<br />
<br />
<!--T:3--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2016.4}}<br />
<br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Standard_software_environments&diff=150000Standard software environments2024-02-12T15:37:52Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<!--T:21--><br />
For questions about migration to different standard environments, please see [[Migration to the 2020 standard environment]].<br />
<br />
= What are standard software environments? = <!--T:1--><br />
Our software environments are provided through a set of [[Utiliser_des_modules/en|modules]] which allow you to switch between different versions of software packages. These modules are organized in a tree structure with the trunk made up of typical utilities provided by any Linux environment. Branches are compiler versions and sub-branches are versions of MPI or CUDA. <br />
<br />
<!--T:15--><br />
Standard environments identify combinations of specific compiler and MPI modules that are used most commonly by our team to build other software. These combinations are grouped in modules named <code>StdEnv</code>.<br />
<br />
<!--T:16--><br />
As of October 2020, there are three such standard environments, versioned 2016.4, 2018.3, and 2020, with each new version incorporating major improvements. <br />
<br />
<!--T:17--><br />
This page describes these changes and explains why you should upgrade to a more recent version. <br />
<br />
In general, new versions of software packages will get installed with the newest software environment.<br />
<br />
== <code>StdEnv/2023</code> == <br />
This is the most recent iteration of our software environment with the most changes so far. It uses GCC 12.3.0, Intel 2023.1, and Open MPI 4.1.5 as defaults. <br />
<br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2023}}<br />
<br />
=== Performance improvements === <br />
The minimum CPU instruction set supported by this environment is AVX2, or more generally, <tt>x86-64-v3</tt>. Even the compatibility layer which provides basic Linux commands is compiled with optimisations for this instruction set. <br />
<br />
=== Changes of default modules === <br />
GCC becomes the default compiler, instead of Intel. We compile with Intel only the software that is known to perform better with Intel. CUDA becomes an add-on to OpenMPI, rather than the other way around, i.e. CUDA-aware MPI is loaded at run time if CUDA is loaded. This allows many MPI libraries to be shared across CUDA and non-CUDA branches.<br />
<br />
The following core modules have seen their default version upgraded:<br />
* GCC 9.3 => GCC 12.3<br />
* OpenMPI 4.0.3 => OpenMPI 4.1.5<br />
* Intel compilers 2020 => 2023<br />
* Intel MKL 2020 => Flexiblas 3.3.1 (with MKL 2023 or BLIS 0.9.0)<br />
* CUDA 11 => CUDA 12<br />
<br />
== <code>StdEnv/2020</code> == <!--T:6--><br />
This is the most recent iteration of our software environment with the most changes so far. It uses GCC 9.3.0, Intel 2020.1, and Open MPI 4.0.3 as defaults. <br />
<br />
<!--T:7--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2020}}<br />
<br />
=== Performance improvements === <!--T:8--><br />
Binaries compiled with the Intel compiler now automatically support both AVX2 and AVX512 instruction sets. In technical terms, we call them ''multi-architecture binaries'', also known as [https://en.wikipedia.org/wiki/Fat_binary fat binaries]. This means that when running on a cluster such as Cedar and Graham which has multiple generations of processors, you don't have to manually load one of the <tt>arch</tt> modules if you use software packages generated by the Intel compiler. <br />
<br />
<!--T:9--><br />
Many software packages which were previously installed either with GCC or with Intel are now installed at a lower level of the software hierarchy, which makes the same module visible, irrespective of which compiler is loaded. For example, this is the case for many bioinformatics software packages as well as the [[R]] modules, which previously required loading the <code>gcc</code> module. This could be done because we introduced optimizations specific to CPU architectures at a level of the software hierarchy lower than the compiler level. <br />
<br />
<!--T:10--><br />
We also installed a more recent version of the [https://en.wikipedia.org/wiki/GNU_C_Library GNU C Library], which introduces optimizations in some mathematical functions. This has increased the requirement on the version of the Linux Kernel (see below). <br />
<br />
=== Change in the compatibility layer === <!--T:11--><br />
Another enhancement for the 2020 release was a change in tools for our compatibility layer. The compatibility layer is between the operating system and all other software packages. This layer is designed to ensure that compilers and scientific applications will work whether they run on CentOS, Ubuntu, or Fedora. For the 2016.4 and 2018.3 versions, we used the [https://en.wikipedia.org/wiki/Nix_package_manager Nix package manager], while for the 2020 version, we used [https://wiki.gentoo.org/wiki/Project:Prefix Gentoo Prefix]. <br />
<br />
=== Change in kernel requirement === <!--T:12--><br />
Versions 2016.4 and 2018.3 required a Linux kernel version 2.6.32 or more recent. This supported CentOS versions starting at CentOS 6. With the 2020 version, we require a Linux kernel 3.10 or better. This means it no longer supports CentOS 6, but requires CentOS 7 instead. Other distributions usually have kernels which are much more recent, so you probably don't need to change your distribution if you are using this standard environment on something other than CentOS.<br />
<br />
=== Module extensions === <!--T:18--><br />
With the 2020 environment, we started installing more Python extensions inside of their corresponding core modules. For example, we installed <tt>PyQt5</tt> inside of the <tt>qt/5.12.8</tt> module so that it supports multiple versions of Python. The module system has also been adjusted so you can find such extensions. For example, if you run <br />
{{Command|module spider pyqt5}}<br />
it will tell you that you can get this by loading the <tt>qt/5.12.8</tt> module.<br />
<br />
== <code>StdEnv/2018.3</code> == <!--T:4--><br />
{{Template:Warning<br />
|title=Deprecated<br />
|content=This environment is no longer supported.}}<br />
This is the second version of our software environment. It was released in 2018 with the deployment of [[Béluga/en|Béluga]], and shortly after the deployment of [[Niagara]]. Defaults were upgraded to GCC 7.3.0, Intel 2018.3, and Open MPI 3.1.2. This is the first version to support AVX512 instructions.<br />
<br />
<!--T:5--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2018.3}}<br />
<br />
== <code>StdEnv/2016.4</code> == <!--T:2--><br />
{{Template:Warning<br />
|title=Deprecated<br />
|content=This environment is no longer supported.}}<br />
This is the initial version of our software environment released in 2016 with the deployment of [[Cedar]] and [[Graham]]. It features GCC 5.4.0 and Intel 2016.4 as default compilers, and Open MPI 2.1.1 as its default implementation of MPI. Most of the software compiled with this environment does not support AVX512 instructions provided by the Skylake processors on [[Béluga/en|Béluga]], [[Niagara]], as well as on the most recent additions to Cedar and Graham.<br />
<br />
<!--T:3--><br />
To activate this environment, use the command <br />
{{Command|module load StdEnv/2016.4}}<br />
<br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Automation_in_the_context_of_multifactor_authentication&diff=149880Automation in the context of multifactor authentication2024-02-06T14:18:29Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<translate><br />
<br />
<!--T:1--><br />
Automated workflows which connect to the clusters without human intervention cannot make use of a second authentication factor. In order to execute such workflows after MFA becomes a requirement, you must request access to one of our special nodes. These nodes will not require the use of a second factor, but will be otherwise much more limited than regular login nodes in terms of the type of authentication they accept and the type of action that they can be used to perform.<br />
<br />
= Increased security restrictions = <!--T:2--><br />
== Available only by request ==<br />
Users who need to make use of automated workflows for their research must first contact our [[technical support]] to be allowed to use these nodes. When contacting us, please explain in detail the type of automation you intend to use as part of your workflow. Tell us what commands will be executed and what tools or libraries you will be using to manage the automation.<br />
<br />
== Available only through restricted SSH keys == <!--T:3--><br />
The only accepted means of authentication for the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <i>.ssh/authorized_keys</i> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints. <br />
<br />
=== <code>restrict</code> === <!--T:4--><br />
This constraint disables port forwarding, agent forwarding, and X11 forwarding. It also disables the pseudo teletype (PTY), blocking most interactive workloads. This is required because these automation nodes are not intended to be used to start long-running or interactive processes. Regular login nodes must be used instead. <br />
<br />
=== <code>from="pattern-list"</code> === <!--T:5--><br />
This constraint specifies that the key can only be used from IP addresses that match the patterns. This is to ensure that this key is not used from computers other than the ones intended. The patterns list must include only IP addresses that fully specify at least the network class, the network, and the subnet, which are the first 3 sections of an IP address. For example, <code>192.168.*.*</code> would not be accepted, but <code>192.168.1.*</code> would be accepted. <br />
<br />
=== <code>command="COMMAND"</code> === <!--T:6--><br />
This constraint forces the command <code>COMMAND</code> to be executed when the connection is established. This is so that you may restrict which commands can be used with this key. <br />
<br />
== Convenience wrapper scripts to use for <code>command=</code> == <!--T:7--><br />
<code>command</code> constraints can specify any command, but they are most useful when using a wrapper script which will accept or reject commands based on which command is being called. You can write your own script, but for convenience, we provide a number of such scripts which will allow common actions. These scripts are defined in [https://github.com/ComputeCanada/software-stack-custom/tree/main/bin/computecanada/allowed_commands this git repository].<br />
<br />
<!--T:8--><br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh</code> will allow only file transfers, such as <code>scp</code>, <code>sftp</code> or <code>rsync</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/archiving_commands.sh</code> will allow commands to archive files, such as <code>gzip</code>, <code>tar</code> or <code>dar</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/file_commands.sh</code> will allow commands to manipulate files, such as <code>mv</code>, <code>cp</code> or <code>rm</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/git_commands.sh</code> will allow the <code>git</code> command.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh</code> will allow some Slurm commands, such as <code>squeue</code>, <code>sbatch</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/allowed_commands.sh</code> will allow all of the above.<br />
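As an added illustration of what such a wrapper does (this is example code written for this page, not one of the scripts in the repository linked above), the following Python script reads the client's request from <code>SSH_ORIGINAL_COMMAND</code>, which sshd sets when a <code>command=</code> option is in force, and executes it only if the program name is on an allowlist. The allowlist, the error message and the choice to allow file-transfer programs only are assumptions made for the example:<br />

```python
"""Minimal command= wrapper for an automation-node key.

Added example: it is not one of the allowed_commands scripts linked above.
When sshd enforces command="/path/to/this/script", the command the client
actually asked for is placed in the SSH_ORIGINAL_COMMAND environment variable;
this script runs it only if the program name is on the allowlist.
"""
import os
import shlex
import sys

# Constructed allowlist for the example (program basenames only).
ALLOWED_PROGRAMS = frozenset({"scp", "rsync", "sftp-server"})


def decide(original_command, allowed=ALLOWED_PROGRAMS):
    """Return the argv to execute, or None to reject the request.

    Rejects an empty request (without a forced command an empty request
    would mean an interactive shell), unbalanced quoting, and any program
    not on the list. The client-supplied path is discarded: the program is
    looked up on the server's PATH by basename, so /tmp/rsync cannot be
    substituted for rsync.
    """
    if original_command is None or not original_command.strip():
        return None
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return None  # e.g. unbalanced quotes
    if not argv:
        return None
    prog = os.path.basename(argv[0])
    if prog not in allowed:
        return None
    return [prog] + argv[1:]


def main():
    argv = decide(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        sys.stderr.write("This key only permits file-transfer commands.\n")
        sys.exit(1)
    # execvp replaces this process; no shell is involved, so the arguments
    # are passed literally and shell metacharacters are never interpreted.
    os.execvp(argv[0], argv)


if __name__ == "__main__":
    main()
```

The check is deliberately on the program name only; anything the allowed program itself can be told to do (for example through its own options) is outside what this gate inspects, which is why the page's scripts, not this sketch, are the reference for production use.<br />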
<br />
== Examples of accepted SSH keys == <!--T:9--><br />
SSH keys must include all 3 of the above constraints to be accepted. For example, the following key would be accepted, and could only be used for transferring files (through <code>scp</code>, <code>sftp</code> or <code>rsync</code> for example): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
while this one would only allow Slurm commands (squeue, scancel, sbatch, scontrol, sq): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
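To check a key line against the three constraints before uploading it, here is an added Python example (not Alliance tooling) that parses the option list the way sshd delimits it and reports what is missing or too broad. The sample lines and the placeholder key material at the bottom are constructed for the demonstration:<br />

```python
"""Check an SSH public-key line for the three automation-node constraints.

Added example, not Alliance tooling. The samples at the bottom are
constructed; the key material is a placeholder, not a real key.
"""
ALLOWED_COMMAND_DIR = (
    "/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/"
)
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def split_option_prefix(line):
    """Return (option_string, remainder). sshd ends the option list at the
    first whitespace that is outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i:].strip()
    return line, ""


def split_options(option_string):
    """Split on commas that are outside double quotes, so that
    from="1.2.3.*,5.6.7.*" stays a single option."""
    opts, buf, in_quotes = [], [], False
    for ch in option_string:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            opts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        opts.append("".join(buf))
    return opts


def from_pattern_is_specific(pattern):
    """Accept only patterns whose first three dotted sections are fixed:
    192.168.1.* passes, 192.168.*.* does not."""
    parts = pattern.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdigit() and int(p) <= 255 for p in parts[:3])


def check_key_line(line):
    """Return the list of problems found; an empty list means accepted."""
    option_string, remainder = split_option_prefix(line.strip())
    if option_string.startswith(KEY_TYPE_PREFIXES):
        option_string, remainder = "", line.strip()  # no options at all
    if not remainder or not remainder.startswith(KEY_TYPE_PREFIXES):
        return ["line does not look like 'options key-type key-material'"]
    options = {o.split("=", 1)[0]: o for o in split_options(option_string)}
    problems = []
    if "restrict" not in options:
        problems.append("missing restrict")
    if "from" not in options:
        problems.append("missing from=")
    else:
        for pattern in options["from"].split("=", 1)[1].strip('"').split(","):
            if not from_pattern_is_specific(pattern):
                problems.append(f"from= pattern too broad: {pattern}")
    if "command" not in options:
        problems.append("missing command=")
    elif not options["command"].split("=", 1)[1].strip('"').startswith(ALLOWED_COMMAND_DIR):
        problems.append("command= does not point at one of the provided wrapper scripts")
    return problems


# Constructed samples (placeholder key material, not a real key).
PLACEHOLDER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000"
TRANSFER_WRAPPER = ALLOWED_COMMAND_DIR + "transfer_commands.sh"
SAMPLE_ACCEPTED = f'restrict,from="216.18.209.*",command="{TRANSFER_WRAPPER}" {PLACEHOLDER_KEY}'
SAMPLE_TOO_BROAD = f'restrict,from="192.168.*.*",command="{TRANSFER_WRAPPER}" {PLACEHOLDER_KEY}'
SAMPLE_BARE = f'from="192.168.1.*" {PLACEHOLDER_KEY}'

if __name__ == "__main__":
    for name, sample in (("accepted", SAMPLE_ACCEPTED),
                         ("too broad", SAMPLE_TOO_BROAD),
                         ("bare", SAMPLE_BARE)):
        problems = check_key_line(sample)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it directly to see the verdict for the three samples, or import <code>check_key_line</code> and pass it the exact line you intend to paste into CCDB; an empty list means all three constraints are present and the <code>from=</code> patterns fix at least the first three sections of the address, as required above.<br />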
<br />
= Automation nodes for each cluster = <!--T:13--><br />
Here is the hostname of the node to be used for unattended connections on each cluster: <br />
* Cedar: robot.cedar.alliancecan.ca<br />
* Graham: not available yet<br />
* Béluga: not available yet<br />
* Narval: not available yet<br />
* Niagara: robot.niagara.alliancecan.ca (currently, Feb 6, 2024)<br />
<br />
= Using the right key = <!--T:10--><br />
If you have multiple keys on your computer, you need to be careful to use the correct key. This is typically done by passing parameters to the command you are using. Below are a few examples. <br />
<br />
<!--T:11--><br />
With <code>ssh</code> or <code>scp</code>:<br />
{{Command|ssh -i .ssh/private_key_to_use ...}}<br />
{{Command|scp -i .ssh/private_key_to_use ...}}<br />
<br />
<!--T:12--><br />
With <code>rsync</code>: <br />
{{Command|rsync -e "ssh -i .ssh/private_key_to_use" ...}}<br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=149678Multifactor authentication2024-02-01T19:50:47Z<p>Mboisson: /* Why can't you send me one time passcodes through email ? */</p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in a situation when using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are not compatible because they don't all support the "Yubico OTP" function, which is required. We recommend using the YubiKey 5 Series, but older devices you may already have could work, see this [https://www.yubico.com/products/identifying-your-yubikey/ Yubico identification page] for reference.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $50 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
Multiple protocols are supported by YubiKeys. Our clusters use the Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster that supports MFA, you will be prompted for your second factor after you have first authenticated with either your password or your [[SSH Keys|SSH key]]. The prompt will look like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey or a backup code, or if you prefer to type the time-based one-time password shown by the Duo Mobile application, enter it at the prompt instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Configuring your SSH client to only ask every so often === <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration.<br />
<br />
<!--T:41--><br />
If you are using Windows, you can [https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui install OpenSSH]. Note that you only need the client portion of these instructions.<br />
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command line clients will typically support multifactor authentication without additional configuration. This is however often not the case for graphical clients. Below are instructions specific to a few of them. <br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask for the password and second factor each time a transfer is initiated, because by default transfers use independent connections that are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to “1” in the “Transfer Settings” tab of the “Site Manager”; note that you will then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
== MobaXTerm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which triggers a second prompt for your second factor of authentication.<br />
To avoid that extra step, set the <i>SSH-browser type</i> to either<br />
<i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i> in the<br />
<i>Advanced SSH settings</i> tab of the <i>SSH</i> session editor:<br />
<br />
</translate><br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<translate><br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
Ensure that you are using [[SSH Keys]].<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, go to the application's preferences, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item and select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== Can I use Authy/Google Authenticator/Microsoft Authenticator? ==<br />
No. Only Duo Mobile will work.<br />
<br />
== I do not have a smartphone or tablet, and I do not want to buy a YubiKey ==<br />
Unfortunately, that means you will not be able to use our services when multifactor authentication becomes mandatory. A YubiKey hardware<br />
token is the cheapest way to enable multifactor authentication on your account, and is expected to be covered by the principal investigator's<br />
research funding like any other work-related hardware. Mandating multifactor authentication is a requirement from our funding bodies.<br />
<br />
== Why can't you send me one-time passcodes through SMS? ==<br />
Sending SMS costs money which we do not have. Multifactor authentication using SMS is also widely regarded as insecure by most security experts.<br />
<br />
== Why can't you send me one-time passcodes through email? ==<br />
Duo does not support sending one-time codes through email.<br />
<br />
== I have an older Android phone and I cannot download the Duo Mobile application from the Google Play site. Can I still use Duo? ==<br />
Yes. However, you have to download the application from the Duo website:<br />
<br />
<!--T:52--><br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
<!--T:53--><br />
For validation, official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
<!--T:54--><br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see this page].<br />
<br />
== I want to disable multifactor authentication. How do I do this? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future; therefore, users cannot disable it. Exceptions can only be granted for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client you are using. Our [[Multifactor_authentication#Recorded_webinars|recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list, provide answers to as many questions as you can, and email this information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
What is the primary email address registered in your account?<br />
For how long have you had an active account with us?<br />
What is your research area?<br />
What is your IP address? (to see your IP address, point your browser to this [https://whatismyipaddress.com/ link]).<br />
Who is the principal investigator sponsoring your account?<br />
Who are your group members?<br />
Who can we contact to validate your request?<br />
Which clusters do you use the most?<br />
Which modules do you load most often?<br />
When did you run your last job?<br />
Provide a few of your latest job IDs.<br />
Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and Mac OS.<br />
* MobaXTerm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need to have automated SSH connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information about this can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You'll need to use a VPN to circumvent this, to make it appear you're coming from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>)==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=149677Multifactor authentication2024-02-01T19:50:04Z<p>Mboisson: /* Why can't you send me one time passcodes through email ? */</p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
== Why can't you send me one time passcodes through email ? ==<br />
Emails are no more secure than SMS, and since password resets go through email, it would essentially reduce the second factor to a single one. In addition, Duo does not support sending one time code through email.<br />
<br />
== I have an older Android phone and I cannot download the Duo Mobile application from the Google Play site. Can I still use Duo ? ==<br />
Yes. However, you have to download the application from the Duo website:<br />
<br />
<!--T:52--><br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
<!--T:53--><br />
For validation, official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
<!--T:54--><br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see this page].<br />
<br />
== I want to disable multifactor authentication. How do I do this? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future; therefore, users cannot disable it. Exceptions can only be granted for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client you are using. Our [[Multifactor_authentication#Recorded_webinars|recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list providing answers to as many questions as you can. Email this information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
What is the primary email address registered in your account?<br />
For how long have you had an active account with us?<br />
What is your research area?<br />
What is your IP address? (to see your IP address, point your browser to this [https://whatismyipaddress.com/ link]).<br />
Who is the principal investigator sponsoring your account?<br />
Who are your group members?<br />
Who can we contact to validate your request?<br />
Which clusters do you use the most?<br />
Which modules do you load most often?<br />
When did you run your last job?<br />
Provide a few of your latest job IDs.<br />
Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and Mac OS.<br />
* MobaXTerm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need to have automated SSH connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information about this can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You'll need to use a VPN to circumvent this, to make it appear you're coming from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>)==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
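The three values that <code>ykman</code> prints (or that the YubiKey Manager GUI shows under <i>Registering factors</i>) are the whole credential, and it helps to know what each one does. The Public ID is the 12-character modhex prefix of every OTP the key types and travels in the clear; the Private ID and Secret Key stay inside the key and on the validation server, which is why the page tells you to save them securely. The example below is an added illustration, not code from the Alliance documentation or from Yubico: <code>make_otp</code> mirrors what the key does on touch (AES-128-encrypting a 16-byte block holding the Private ID, counters and a CRC under the Secret Key), and <code>validate</code> performs the server-side checks (CRC, Private ID, strictly increasing counters so a captured OTP cannot be replayed). It reuses the sample credential from the console output above; the counter values, the <code>rnd</code> field and the function names are this example's own, and the minimal FIPS-197 AES is included only so the block runs without third-party modules.

```python
# Yubico OTP end to end: the AES-128 block a key emits on touch, and the validation-server
# checks (CRC, private ID, replay counters). Pure Python, no third-party modules.
MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-independent hex alphabet

def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex")
    return bytes(MODHEX.index(s[i]) << 4 | MODHEX.index(s[i + 1]) for i in range(0, len(s), 2))

def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 15] for b in data)

# Minimal single-block AES-128 (FIPS-197); a real server would call a crypto library instead.
def _gmul(a: int, b: int) -> int:  # multiplication in GF(2^8)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1, b >> 1
    return r
def _make_sbox() -> list:
    sbox, p, q = [0] * 256, 1, 1
    for _ in range(255):  # p walks the nonzero field elements via generator 3 while q tracks 1/p
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)  # affine part: XOR of rotations
        sbox[p] = ((x ^ (x >> 8)) ^ 0x63) & 0xFF
    sbox[0] = 0x63
    return sbox

SBOX = _make_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def _expand_key(key: bytes) -> list:  # 11 round keys of 16 bytes, column-major like the state
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _gmul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
def _shift(s, d):  # d=1 ShiftRows, d=-1 InvShiftRows; state index is row + 4*column
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]
def _mix(s, m):  # MixColumns (m=MIX) or its inverse (m=INV_MIX)
    return [_gmul(s[4 * c], m[r][0]) ^ _gmul(s[4 * c + 1], m[r][1]) ^ _gmul(s[4 * c + 2], m[r][2])
            ^ _gmul(s[4 * c + 3], m[r][3]) for c in range(4) for r in range(4)]
def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = _shift([SBOX[b] for b in s], 1)
        s = [b ^ k for b, k in zip(_mix(s, MIX) if rnd < 10 else s, rk[rnd])]
    return bytes(s)
def aes128_decrypt_block(key: bytes, block: bytes) -> bytes:
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, -1, -1):
        s = [INV_SBOX[b] ^ k for b, k in zip(_shift(s, -1), rk[rnd])]
        s = _mix(s, INV_MIX) if rnd else s
    return bytes(s)

def yubico_crc16(data: bytes) -> int:  # ISO 13239 CRC used by the YubiKey; a valid block leaves 0xF0B8
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def make_otp(public_id, private_id_hex, key_hex, use_ctr, session_ctr, rnd=0x1234):
    # What the key types on touch: uid(6) useCtr(2) timestamp(3) sessionCtr(1) rnd(2) crc(2), AES-encrypted.
    body = (bytes.fromhex(private_id_hex) + use_ctr.to_bytes(2, "little") + b"\x00\x00\x00"
            + bytes([session_ctr]) + rnd.to_bytes(2, "little"))
    plain = body + ((~yubico_crc16(body)) & 0xFFFF).to_bytes(2, "little")
    return public_id + modhex_encode(aes128_encrypt_block(bytes.fromhex(key_hex), plain))

def validate(registry: dict, otp: str):
    # Server side. registry maps public ID -> [private ID bytes, AES key bytes, last accepted counters].
    entry = registry.get(otp[:12]) if len(otp) == 44 else None  # the 12-char public ID travels in clear
    if entry is None:
        return False, "unknown public ID or bad length"
    private_id, key, last = entry
    plain = aes128_decrypt_block(key, modhex_decode(otp[12:]))
    if yubico_crc16(plain) != 0xF0B8:
        return False, "CRC mismatch: wrong key or corrupted OTP"
    if plain[:6] != private_id:
        return False, "private ID mismatch"
    counters = (int.from_bytes(plain[6:8], "little") & 0x7FFF, plain[11])  # bit 15 is the caps-lock flag
    if counters <= last:
        return False, "replayed OTP"
    entry[2] = counters
    return True, "OK"

def demo():
    # Credential from the console output on this page: a fresh OTP is accepted, its replay is rejected.
    pub, priv, key = "vvcccctffclk", "bc3dd98eaa12", "ae012f11bc5a00d3cac00f1d57aa0b12"
    registry = {pub: [bytes.fromhex(priv), bytes.fromhex(key), (-1, -1)]}
    otp = make_otp(pub, priv, key, 7, 1)
    return validate(registry, otp), validate(registry, otp), validate(registry, make_otp(pub, priv, key, 7, 2))
```

The counters are what makes the scheme more than a shared secret: the 16-bit usage counter increases each time the key is powered up and the 8-bit session counter with each touch, and the server only accepts a pair that is strictly greater than the last one it stored for that Public ID. This is also why a key used for the clusters should not be re-programmed casually: programming a slot resets the counters, and an OTP from the new configuration will be rejected until the validation server is told about the new credential.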
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=149676Multifactor authentication2024-02-01T19:46:14Z<p>Mboisson: </p>
Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=149673Multifactor authentication2024-02-01T19:42:42Z<p>Mboisson: /* I do not have a smartphone or tablet, and I do not want to buy a Yubikey */</p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 App Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in situations where using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are not compatible, because not all of them support the "Yubico OTP" function, which is required. We recommend the YubiKey 5 Series, but older devices you may already have could work; see this [https://www.yubico.com/products/identifying-your-yubikey/ Yubico identification page] for reference.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $50 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
YubiKeys support multiple protocols; our clusters use Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, you will be prompted for a one-time password when you log on to one of our clusters. You respond by touching the button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster that supports MFA, you will be prompted for your second factor after you have first authenticated with either your password or your [[SSH Keys|SSH key]]. The prompt looks like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey or a backup code, or if you prefer to enter the time-based one-time password shown by the Duo Mobile application, type it at the prompt instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Configuring your SSH client to only ask every so often === <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration.<br />
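Connection sharing has a security consequence worth checking once you set it up: after the master connection has passed the second factor, every later <code>ssh</code>, <code>scp</code> or <code>sftp</code> to the same host rides on it without a new prompt, so the socket under <code>ControlPath</code> is in effect a ticket into an authenticated session for as long as <code>ControlPersist</code> keeps it alive, and the directory holding it must be accessible to you alone. The example below is an added illustration, not part of the Alliance documentation or of OpenSSH: it resolves the options OpenSSH would apply to a host from a config text (first value wins, <code>Host</code> patterns with <code>!</code> negation) and reports whether multiplexing is on, whether the <code>ControlPath</code> is unique per target, whether the socket directory is private, and whether persistence is bounded. The function names are this example's own, and <code>cluster.computecanada.ca</code> stands in for <code>HOSTNAME</code> in the constructed sample config.

```python
"""Check an OpenSSH client config for the connection-sharing settings recommended above
(ControlMaster / ControlPath / ControlPersist) and for the socket directory's permissions."""
import fnmatch
import os
import stat
import tempfile

def parse_ssh_config(text: str) -> list:
    """Split ssh_config text into (host_patterns, {option: value}) blocks, in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], parts[1] if len(parts) > 1 else ""
        if "=" in key:  # the "Option=value" spelling
            key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().lstrip("= ").strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # within a block too, the first value wins
    return blocks

def effective_options(blocks: list, hostname: str) -> dict:
    """OpenSSH semantics: the first matching value for each option in the file wins;
    a matching negated pattern (!name) discards the whole Host block."""
    opts = {}
    for patterns, kv in blocks:
        hits = [(p.startswith("!"), fnmatch.fnmatchcase(hostname, p.lstrip("!"))) for p in patterns]
        if any(neg and hit for neg, hit in hits) or not any(hit and not neg for neg, hit in hits):
            continue
        for k, v in kv.items():
            opts.setdefault(k, v)
    return opts

def parse_persist(value: str):
    """ControlPersist: 'no' -> 0, 'yes' -> None (no time limit), otherwise seconds ('10m', '1h', '600')."""
    v = value.lower()
    if v in ("no", "yes"):
        return 0 if v == "no" else None
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return int(v[:-1]) * units[v[-1]] if v[-1] in units else int(v)

def socket_dir_findings(control_path: str, home: str) -> list:
    """The master socket is a way into an already MFA-authenticated session: only its owner may reach it."""
    directory = os.path.dirname(control_path.replace("~", home, 1))
    try:
        st = os.stat(directory)
    except FileNotFoundError:
        return [f"socket directory {directory} does not exist, so OpenSSH cannot create the socket"]
    out = []
    if st.st_uid != os.getuid():
        out.append(f"{directory} is not owned by you")
    if stat.S_IMODE(st.st_mode) & 0o077:
        out.append(f"{directory} is group/world accessible (mode {oct(stat.S_IMODE(st.st_mode))}); use 0700")
    return out

def check_multiplexing(config_text: str, hostname: str, home: str) -> tuple:
    """Return (ok, findings) for how `ssh hostname` would share connections under this config."""
    o = effective_options(parse_ssh_config(config_text), hostname)
    findings = []
    if o.get("controlmaster", "no").lower() not in ("auto", "autoask", "yes", "ask"):
        findings.append("ControlMaster is off: every new ssh/scp/sftp session prompts for the second factor")
    path = o.get("controlpath")
    if not path:
        findings.append("ControlPath is not set: there is no socket to share")
    else:
        if "%C" not in path and not all(t in path for t in ("%h", "%p", "%r")):
            findings.append("ControlPath should contain %h, %p and %r (or %C) so sockets stay distinct per target")
        findings += socket_dir_findings(path, home)
    if parse_persist(o.get("controlpersist", "no")) is None:
        findings.append("ControlPersist yes: the authenticated master never times out; prefer a bound such as 10m")
    return not findings, findings

# Constructed sample: the snippet above with cluster.computecanada.ca standing in for HOSTNAME.
SAMPLE_CONFIG = """
Host cluster.computecanada.ca
ControlPath ~/.ssh/cm-%r@%h:%p
ControlMaster auto
ControlPersist 10m
"""

def demo() -> dict:
    """Run the check in a throw-away home: private ~/.ssh, then world-readable, then unbounded persist."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    good = check_multiplexing(SAMPLE_CONFIG, "cluster.computecanada.ca", home)
    os.chmod(ssh_dir, 0o755)
    leaky = check_multiplexing(SAMPLE_CONFIG, "cluster.computecanada.ca", home)
    os.chmod(ssh_dir, 0o700)
    unbounded = check_multiplexing(SAMPLE_CONFIG.replace("10m", "yes"), "cluster.computecanada.ca", home)
    return {"good": good, "leaky": leaky, "unbounded": unbounded}
```

Because OpenSSH keeps the first value it reads, a <code>Host *</code> block placed above the cluster block silently overrides it; run the check against the real <code>~/.ssh/config</code> text (for example <code>check_multiplexing(open(os.path.expanduser("~/.ssh/config")).read(), "HOSTNAME", os.path.expanduser("~"))</code>) if the prompt keeps appearing despite the snippet above.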
<br />
<!--T:41--><br />
If you are using Windows, you can [https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui install OpenSSH]. Note that you only need the client portion of these instructions.<br />
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command line clients will typically support multifactor authentication without additional configuration. This is, however, often not the case for graphical clients. Below are instructions specific to a few of them.<br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask for the password and second factor each time a transfer is initiated because, by default, transfers use independent connections which are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to “1” in “Site Manager” => “Transfer Settings tab”; note that you’ll then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
== MobaXTerm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which causes a mandatory second prompt for your second factor of authentication.<br />
To avoid that extra step, you can set the <i>SSH-browser type</i> to either<br />
<i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i> in the<br />
<i>Advanced SSH settings</i> tab of the <i>SSH</i> session editor:<br />
<br />
</translate><br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<translate><br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
Ensure that you are using [[SSH Keys]].<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, go to the application's preferences, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item and select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== Can I use Authy/Google Authenticator/Microsoft Authenticator? ==<br />
No. Only Duo Mobile will work.<br />
<br />
== I do not have a smartphone or tablet, and I do not want to buy a YubiKey ==<br />
Unfortunately, that means you will not be able to use our services when multifactor authentication becomes mandatory. A YubiKey hardware<br />
token is the cheapest way to enable multifactor authentication on your account, and is expected to be covered by the principal investigator's<br />
research funding like any other work-related hardware. Mandating multifactor authentication is a requirement from our funding bodies.<br />
<br />
== I have an older Android phone and I cannot download the Duo Mobile application from the Google Play site. Can I still use Duo? ==<br />
Yes. However, you have to download the application from the Duo website:<br />
<br />
<!--T:52--><br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
<!--T:53--><br />
For validation, official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
<!--T:54--><br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see this page].<br />
<br />
== I want to disable multifactor authentication. How do I do this? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future; therefore, users cannot disable it. Exceptions can only be granted for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client you are using. Our [[Multifactor_authentication#Recorded_webinars|recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list providing answers to as many questions as you can. Email this information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
* What is the primary email address registered in your account?<br />
* For how long have you had an active account with us?<br />
* What is your research area?<br />
* What is your IP address? (to see your IP address, point your browser to this [https://whatismyipaddress.com/ link]).<br />
* Who is the principal investigator sponsoring your account?<br />
* Who are your group members?<br />
* Who can we contact to validate your request?<br />
* Which clusters do you use the most?<br />
* Which modules do you load most often?<br />
* When did you run your last job?<br />
* Provide a few of your latest job IDs.<br />
* Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and macOS.<br />
* MobaXTerm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need to have automated SSH connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information about this can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You'll need to use a VPN to circumvent this, to make it appear you're coming from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>) ==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=149672Multifactor authentication2024-02-01T19:41:55Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or often find yourself in situations where using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are not compatible because they don't all support the "Yubico OTP" function, which is required. We recommend using the YubiKey 5 Series, but older devices you may already have could work; see this [https://www.yubico.com/products/identifying-your-yubikey/ Yubico identification page] for reference.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $50 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
Multiple protocols are supported by YubiKeys. Our clusters use the Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster which supports MFA, you will be prompted to use your second factor after you first use either your password or your [[SSH Keys|SSH key]]. This prompt will look like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey or a backup code, or if you prefer to enter the time-based one-time password shown by the Duo Mobile application, type that code at the prompt instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Configuring your SSH client to only ask every so often === <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration.<br />
<br />
<!--T:41--><br />
If you are using Windows, you can [https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui install OpenSSH]. Note that you only need the client portion of these instructions.<br />
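The <code>ControlMaster</code> block above only helps if it actually ends up in a config file that ssh accepts, and it is easy to append it twice or to leave the file with permissions ssh rejects. The following is an added example (not part of this page or of the Alliance's tooling): it appends the block for a host name you supply, refuses to duplicate an existing <code>Host</code> stanza, keeps <code>~/.ssh</code> at 0700 and the config at 0600, and, when a local <code>ssh</code> binary is present, uses <code>ssh -G</code> (which prints the effective options without connecting) to confirm how the host resolves. The function names and the <code>persist</code> parameter are this example's own; the host name used in comments is a placeholder.<br />

```python
"""Add the page's ControlMaster stanza to an OpenSSH client config, idempotently.

Added example, not Alliance code. Host name and config path are supplied by
the caller; "cluster.example.invalid" in comments is a placeholder.
"""
import re
import shutil
import subprocess
from pathlib import Path


def render_control_master_block(hostname: str, persist: str = "10m") -> str:
    """Return the per-host stanza shown on the page, for HOSTNAME."""
    return (
        f"Host {hostname}\n"
        "    ControlPath ~/.ssh/cm-%r@%h:%p\n"
        "    ControlMaster auto\n"
        f"    ControlPersist {persist}\n"
    )


def has_host_block(config_text: str, hostname: str) -> bool:
    """True if some 'Host ...' line already names HOSTNAME as an exact token."""
    pattern = re.compile(
        rf"^\s*Host\s+(?:\S+\s+)*{re.escape(hostname)}(?:\s|$)", re.MULTILINE | re.IGNORECASE
    )
    return pattern.search(config_text) is not None


def ensure_control_master(config_path, hostname: str, persist: str = "10m") -> bool:
    """Append the stanza unless one for HOSTNAME exists; return True if appended.

    ssh refuses a config file that is group- or world-writable, and the
    ControlPath socket lives in ~/.ssh, so both are kept private here.
    """
    path = Path(config_path)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    existing = path.read_text() if path.exists() else ""
    if has_host_block(existing, hostname):
        return False
    if existing == "" or existing.endswith("\n\n"):
        separator = ""
    elif existing.endswith("\n"):
        separator = "\n"
    else:
        separator = "\n\n"
    path.write_text(existing + separator + render_control_master_block(hostname, persist))
    path.chmod(0o600)
    return True


def effective_settings(config_path, hostname: str) -> dict:
    """Ask the local ssh how it resolves the multiplexing options for HOSTNAME.

    'ssh -G' dumps the effective configuration without opening a connection,
    so this works offline. Returns {} when ssh is missing or the dump fails.
    """
    if shutil.which("ssh") is None:
        return {}
    proc = subprocess.run(
        ["ssh", "-G", "-F", str(config_path), hostname],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:
        return {}
    wanted = {"controlmaster", "controlpersist", "controlpath"}
    settings = {}
    for line in proc.stdout.splitlines():
        key, _, value = line.partition(" ")
        if key in wanted:
            settings[key] = value
    return settings


if __name__ == "__main__":
    # Example run against a private config file; nothing connects to a server.
    cfg = Path.home() / ".ssh" / "config"
    print("appended:", ensure_control_master(cfg, "cluster.example.invalid"))
    print("resolved:", effective_settings(cfg, "cluster.example.invalid"))
```

One operational point worth knowing: with <code>ControlPersist 10m</code> the master connection stays open for ten minutes after your last session ends, and any new <code>ssh</code> or <code>scp</code> to that host reuses it without a password or second factor. If you step away from the machine, <code>ssh -O exit HOSTNAME</code> closes the master immediately.<br />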
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command line clients will typically support multifactor authentication without additional configuration. This is, however, often not the case for graphical clients. Below are instructions specific to a few of them.<br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask for the password and second factor each time a transfer is initiated because, by default, transfers use independent connections which are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to “1” in “Site Manager” => “Transfer Settings tab”; note that you’ll then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
== MobaXTerm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which causes a mandatory second prompt for your second factor of authentication.<br />
To avoid that extra step, you can set the <i>SSH-browser type</i> to either<br />
<i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i> in the<br />
<i>Advanced SSH settings</i> tab of the <i>SSH</i> session editor:<br />
<br />
</translate><br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<translate><br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
Ensure that you are using [[SSH Keys]].<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, go to the application's preferences, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item and select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== Can I use Authy/Google Authenticator/Microsoft Authenticator? ==<br />
No. Only Duo Mobile will work.<br />
<br />
== I do not have a smartphone or tablet, and I do not want to buy a YubiKey ==<br />
Unfortunately, that means you will not be able to use our services when multifactor authentication becomes mandatory. A YubiKey hardware<br />
token is the cheapest way to enable multifactor authentication on your account, and is expected to be covered by the principal investigator's<br />
research funding. Mandating multifactor authentication is a requirement from our funding bodies.<br />
<br />
== I have an older Android phone and I cannot download the Duo Mobile application from the Google Play site. Can I still use Duo? ==<br />
Yes. However, you have to download the application from the Duo website:<br />
<br />
<!--T:52--><br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
<!--T:53--><br />
For validation, official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
<!--T:54--><br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see this page].<br />
<br />
== I want to disable multifactor authentication. How do I do this? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future; therefore, users cannot disable it. Exceptions can only be granted for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client you are using. Our [[Multifactor_authentication#Recorded_webinars|recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list providing answers to as many questions as you can. Email this information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
* What is the primary email address registered in your account?<br />
* For how long have you had an active account with us?<br />
* What is your research area?<br />
* What is your IP address? (to see your IP address, point your browser to this [https://whatismyipaddress.com/ link]).<br />
* Who is the principal investigator sponsoring your account?<br />
* Who are your group members?<br />
* Who can we contact to validate your request?<br />
* Which clusters do you use the most?<br />
* Which modules do you load most often?<br />
* When did you run your last job?<br />
* Provide a few of your latest job IDs.<br />
* Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and macOS.<br />
* MobaXTerm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need to have automated SSH connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information about this can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You'll need to use a VPN to circumvent this, to make it appear you're coming from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>) ==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=149668Multifactor authentication2024-02-01T19:37:16Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in situations where using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are not compatible because not all of them support the "Yubico OTP" function, which is required. We recommend using the YubiKey 5 Series, but older devices you may already have could work; see the [https://www.yubico.com/products/identifying-your-yubikey/ Yubico identification page] for reference.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $50 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
Multiple protocols are supported by YubiKeys. Our clusters use the Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.<br />
<br />
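As an added illustration of what the YubiKey actually "types" (this is example code, not part of the Alliance documentation or of Yubico's tools): the 32 characters mentioned above are the encrypted part of the one-time password. The key prefixes them with its 12-character public ID, so a complete OTP is 44 characters, as in the SSH prompt shown later on this page. Both parts are written in "modhex", a 16-letter alphabet chosen so the string is typed identically on any keyboard layout. The parser below only checks the format and exposes the public ID; decrypting and verifying the token requires the slot's secret key, which is why validation is done by a server (YubiCloud, for keys uploaded with <code>ykman</code>) and never by the login host alone.<br />

```python
"""Split a Yubico OTP into its public ID and encrypted token.

Added example, not part of the Alliance documentation or of Yubico's tools.
The first 12 modhex characters are the slot's public ID (the value ykman
prints as "public ID"); the remaining 32 characters are an AES-encrypted
token that only a validation server holding the secret key can check.
"""
MODHEX = "cbdefghijklnrtuv"   # modhex letters for hex digits 0..f, in order
PUBLIC_ID_LEN = 12            # default public ID length (6 bytes)
TOKEN_LEN = 32                # encrypted token: 16 bytes -> 32 modhex chars


def modhex_to_hex(text: str) -> str:
    """Translate a modhex string to ordinary hex; raises ValueError on a bad letter."""
    out = []
    for ch in text:
        idx = MODHEX.find(ch)
        if idx < 0:
            raise ValueError(f"not a modhex character: {ch!r}")
        out.append("0123456789abcdef"[idx])
    return "".join(out)


def parse_yubico_otp(otp: str) -> dict:
    """Return the public ID (modhex and hex) and the encrypted token of one OTP.

    Only the format is checked here: a server still has to decrypt the token
    with the slot's secret key and check its counters before accepting it.
    """
    otp = otp.strip()
    if len(otp) != PUBLIC_ID_LEN + TOKEN_LEN:
        raise ValueError(f"expected {PUBLIC_ID_LEN + TOKEN_LEN} characters, got {len(otp)}")
    public_id = otp[:PUBLIC_ID_LEN]
    token = otp[PUBLIC_ID_LEN:]
    return {
        "public_id_modhex": public_id,
        "public_id_hex": modhex_to_hex(public_id),
        "token_modhex": token,
        "token_hex": modhex_to_hex(token),
    }


if __name__ == "__main__":
    # The OTP that appears in the SSH prompt example on this page.
    sample = "vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki"
    print(parse_yubico_otp(sample))
```

Run against the OTP from the SSH example on this page, the public ID comes out as <code>vvcccbhbllnu</code>; every OTP a given slot emits starts with the same public ID, which is how a validation server knows which secret key to decrypt the token with.<br />
<br />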
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
File:CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster which supports MFA, you will be prompted to use your second factor after you first use either your password or your [[SSH Keys|SSH key]]. This prompt will look like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey, a backup code, or if you prefer to enter the time-based one-time password that the Duo Mobile application shows, you would write these instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Configuring your SSH client to only ask every so often === <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration.<br />
<br />
<!--T:41--><br />
If you are using Windows, you can [https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui install OpenSSH]. Note that you only need the client portion of these instructions.<br />
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command line clients will typically support multifactor authentication without additional configuration. This is, however, often not the case for graphical clients. Below are instructions specific to a few of them. <br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask for the password and second factor each time a transfer is initiated because, by default, transfers use independent connections which are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to “1” in “Site Manager” => “Transfer Settings tab”; note that you’ll then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
== MobaXTerm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which causes a mandatory second prompt for your second factor of authentication.<br />
To avoid that extra step, you can set the <i>SSH-browser type</i> to either<br />
<i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i> in the<br />
<i>Advanced SSH settings</i> tab of the <i>SSH</i> session editor:<br />
<br />
</translate><br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<translate><br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
Ensure that you are using [[SSH Keys]].<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, go in the application's preferences, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item and select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== I have an older Android phone and I cannot download the Duo Mobile application from the Google Play site. Can I still use Duo? ==<br />
Yes. However, you have to download the application from the Duo website:<br />
<br />
<!--T:52--><br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
<!--T:53--><br />
For validation, official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
<!--T:54--><br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see this page].<br />
<br />
== I want to disable multifactor authentication. How do I do this? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future; therefore, users cannot disable it. Exceptions can only be granted for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client you are using. Our [[Multifactor_authentication#Recorded_webinars|recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list providing answers to as many questions as you can. Email this information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
* What is the primary email address registered in your account?<br />
* For how long have you had an active account with us?<br />
* What is your research area?<br />
* What is your IP address? (To see your IP address, point your browser to this [https://whatismyipaddress.com/ link].)<br />
* Who is the principal investigator sponsoring your account?<br />
* Who are your group members?<br />
* Who can we contact to validate your request?<br />
* Which clusters do you use the most?<br />
* Which modules do you load most often?<br />
* When did you run your last job?<br />
* Provide a few of your latest job IDs.<br />
* Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and Mac OS.<br />
* MobaXTerm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need to have automated SSH connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information about this can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You'll need to use a VPN to circumvent this, to make it appear you're coming from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>)==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Automation_in_the_context_of_multifactor_authentication&diff=149589Automation in the context of multifactor authentication2024-01-31T13:41:28Z<p>Mboisson: Marked this version for translation</p>
<hr />
<div><languages /><br />
<translate><br />
<br />
<!--T:1--><br />
Automated workflows which connect to the clusters without human intervention cannot make use of a second authentication factor. In order to execute such workflows after MFA becomes a requirement, you must request access to one of our special nodes. These nodes will not require the use of a second factor, but will be otherwise much more limited than regular login nodes in terms of the type of authentication they accept and the type of action that they can be used to perform.<br />
<br />
= Increased security restrictions = <!--T:2--><br />
== Available only by request ==<br />
Users who need to make use of automated workflows for their research must first contact our [[technical support]] to be allowed to use these nodes. When contacting us, please explain in detail the type of automation you intend to use as part of your workflow. Tell us what commands will be executed and what tools or libraries you will be using to manage the automation.<br />
<br />
== Available only through restricted SSH keys == <!--T:3--><br />
The only accepted means of authentication for the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <i>.ssh/authorized_keys</i> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints. <br />
<br />
=== <code>restrict</code> === <!--T:4--><br />
This constraint disables port forwarding, agent forwarding, and X11 forwarding. It also disables the pseudo teletype (PTY), blocking most interactive workloads. This is required because these automation nodes are not intended to be used to start long-running or interactive processes. Regular login nodes must be used instead. <br />
<br />
=== <code>from="pattern-list"</code> === <!--T:5--><br />
This constraint specifies that the key can only be used from IP addresses that match the patterns. This is to ensure that this key is not used from computers other than the ones intended. The patterns list must include only IP addresses that fully specify at least the network class, the network, and the subnet, which are the first 3 sections of an IP address. For example, <code>192.168.*.*</code> would not be accepted, but <code>192.168.1.*</code> would be accepted. <br />
<br />
=== <code>command="COMMAND"</code> === <!--T:6--><br />
This constraint forces the command <code>COMMAND</code> to be executed when the connection is established. This is so that you may restrict which commands can be used with this key. <br />
<br />
== Convenience wrapper scripts to use for <code>command=</code> == <!--T:7--><br />
<code>command</code> constraints can specify any command, but they are most useful when using a wrapper script which will accept or reject commands based on which command is being called. You can write your own script, but for convenience, we provide a number of such scripts which will allow common actions. These scripts are defined in [https://github.com/ComputeCanada/software-stack-custom/tree/main/bin/computecanada/allowed_commands this git repository].<br />
<br />
<!--T:8--><br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh</code> will allow only file transfers, such as <code>scp</code>, <code>sftp</code> or <code>rsync</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/archiving_commands.sh</code> will allow commands to archive files, such as <code>gzip</code>, <code>tar</code> or <code>dar</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/file_commands.sh</code> will allow commands to manipulate files, such as <code>mv</code>, <code>cp</code> or <code>rm</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/git_commands.sh</code> will allow the <code>git</code> command.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh</code> will allow some Slurm commands, such as <code>squeue</code>, <code>sbatch</code>.<br />
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/allowed_commands.sh</code> will allow all of the above.<br />
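To make concrete what a <code>command=</code> wrapper does, here is a small one written for this page; it is an added example, not one of the Alliance's <code>allowed_commands</code> scripts, and it implements a transfer-only policy in Python rather than shell. When a key carries <code>command="..."</code>, <code>sshd</code> runs that command instead of whatever the client requested and passes the original request in the <code>SSH_ORIGINAL_COMMAND</code> environment variable. The wrapper parses that request, allows it only when its program is on an allowlist, and execs a fixed binary path rather than whatever path the caller supplied. The allowlist and the binary paths are assumptions (a Debian/Ubuntu OpenSSH layout) chosen for illustration.<br />

```python
#!/usr/bin/env python3
"""A minimal command= wrapper, in the spirit of the page's allowed_commands scripts.

Added example; this is not one of the Alliance's wrapper scripts. sshd puts
the client's requested command in SSH_ORIGINAL_COMMAND; we run it only when
its program is on the allowlist below, otherwise we exit without running
anything. Allowlist and paths are assumptions for a Debian/Ubuntu layout.
"""
import os
import shlex
import sys

# Program name the client asked for -> absolute path that is actually executed.
# Executing a fixed path (never argv[0] as given) stops a caller from naming
# ./scp or /tmp/x/rsync, which would pass a name-only check but run their own binary.
ALLOWED = {
    "scp": "/usr/bin/scp",
    "rsync": "/usr/bin/rsync",
    "sftp-server": "/usr/lib/openssh/sftp-server",
    "internal-sftp": "/usr/lib/openssh/sftp-server",  # what sshd reports for its built-in sftp subsystem
}


def decide(original_command: str):
    """Return (allowed, argv): argv is what to exec when allowed, else an empty list."""
    if not original_command.strip():
        return False, []            # a plain login with no command is refused
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return False, []            # unbalanced quotes: refuse rather than guess
    if not argv:
        return False, []
    program = os.path.basename(argv[0])
    if program not in ALLOWED:
        return False, []
    # Server-side rsync is always started as 'rsync --server ...'. A client-style
    # invocation (e.g. with -e/--rsh) could make rsync start another program.
    if program == "rsync" and (len(argv) < 2 or argv[1] != "--server"):
        return False, []
    # Server-side scp is 'scp -t <dir>' (receive) or 'scp -f <path>' (send), with
    # -t/-f sent as separate tokens; a client-style scp could reach other programs.
    if program == "scp" and not ({"-t", "-f"} & set(argv[1:])):
        return False, []
    return True, [ALLOWED[program]] + argv[1:]


def main():
    allowed, argv = decide(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if not allowed:
        sys.stderr.write("Rejected: this key may only be used for file transfers.\n")
        sys.exit(1)
    os.execv(argv[0], argv)          # replaces the wrapper; no shell is involved


if __name__ == "__main__":
    main()
```

Installed on the automation node and named in the key's <code>command=</code>, this script would let <code>scp</code>, <code>sftp</code> and <code>rsync</code> transfers through and refuse everything else, including an interactive login. Note that recent OpenSSH <code>scp</code> clients use the SFTP protocol by default, so such a wrapper usually sees the sftp subsystem rather than a <code>scp -t</code> request.<br />
<br />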
<br />
== Examples of accepted SSH keys == <!--T:9--><br />
SSH keys must include all three of the above constraints to be accepted. For example, the following key would be accepted, and could only be used for transferring files (through <code>scp</code>, <code>sftp</code> or <code>rsync</code>, for example): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
while this one would only allow Slurm commands (squeue, scancel, sbatch, scontrol, sq): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
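Before uploading a key, it is worth checking it against the three constraints described above. The checker below is an added example, not part of the Alliance documentation and not the validation CCDB itself performs (which is not published here); it encodes the rules as this page states them, including the requirement that every <code>from=</code> pattern spell out its first three octets. It reuses the transfer-only key shown above and two constructed variants that each break one rule.<br />

```python
"""Check an authorized_keys-style line against the automation-node constraints.

Added example, not part of the Alliance documentation or of CCDB's own checks.
It encodes the three constraints the page requires (restrict, from=, command=)
plus the rule that every from= pattern must fix its first three octets.
"""
import re

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_key_line(line: str):
    """Split 'options keytype keydata [comment]' into (options dict, keytype, keydata).

    Option values are double-quoted and may contain commas or spaces, so the
    options field is scanned character by character rather than split on ','.
    Bare flags such as restrict map to None.
    """
    line = line.strip()
    if not line:
        raise ValueError("empty line")
    opts = {}
    if line.split(None, 1)[0] in KEY_TYPES:      # no options at all
        rest = line.split()
    else:
        i, n = 0, len(line)
        while i < n and line[i] != " ":
            j = i
            while j < n and line[j] not in ",= ":
                j += 1
            name = line[i:j]
            if j < n and line[j] == "=":
                if j + 1 >= n or line[j + 1] != '"':
                    raise ValueError(f"value of {name} must be double-quoted")
                k = line.find('"', j + 2)
                if k < 0:
                    raise ValueError(f"unterminated value for {name}")
                opts[name] = line[j + 2:k]
                i = k + 1
            else:
                opts[name] = None
                i = j
            if i < n and line[i] == ",":
                i += 1
        rest = line[i:].split()
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        raise ValueError("missing key type or key data")
    return opts, rest[0], rest[1]


def pattern_ok(pattern: str) -> bool:
    """A from= pattern must be an IPv4 pattern whose first three octets are literal digits."""
    parts = pattern.split(".")
    if len(parts) != 4 or not parts[3]:
        return False
    return all(re.fullmatch(r"\d{1,3}", p) is not None for p in parts[:3])


def check_key_line(line: str) -> list:
    """Return the list of rule violations; an empty list means the key line is acceptable."""
    try:
        opts, _keytype, _keydata = parse_key_line(line)
    except ValueError as exc:
        return [f"malformed key line: {exc}"]
    problems = []
    if "restrict" not in opts:
        problems.append("missing restrict")
    if opts.get("from") is None:
        problems.append("missing from=")
    else:
        for pat in opts["from"].split(","):
            if not pattern_ok(pat):
                problems.append(f"from= pattern does not fix the first three octets: {pat}")
    if not opts.get("command"):
        problems.append("missing command=")
    return problems


# The transfer-only key from this page, and two constructed variants that each break a rule.
KEY_DATA = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw"
WRAPPER = "/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh"
ACCEPTED_KEY = f'restrict,from="216.18.209.*",command="{WRAPPER}" {KEY_DATA}'
WIDE_FROM_KEY = f'restrict,from="192.168.*.*",command="{WRAPPER}" {KEY_DATA}'
NO_RESTRICT_KEY = f'from="216.18.209.*",command="{WRAPPER}" {KEY_DATA}'

if __name__ == "__main__":
    for label, key in [("accepted", ACCEPTED_KEY), ("wide from=", WIDE_FROM_KEY),
                       ("no restrict", NO_RESTRICT_KEY)]:
        print(label, "->", check_key_line(key) or "OK")
```

The checker deliberately treats a key with no options at all as three separate violations rather than one, so the output tells you exactly which constraint to add.<br />
<br />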
<br />
= Automation nodes for each cluster = <!--T:13--><br />
Here is the hostname of the node to be used for unattended connections on each cluster: <br />
* Cedar: robot.cedar.alliancecan.ca<br />
* Graham: not available yet<br />
* Béluga: not available yet<br />
* Narval: not available yet<br />
* Niagara: not available yet<br />
<br />
= Using the right key = <!--T:10--><br />
If you have multiple keys on your computer, you need to be careful to use the correct key. This is typically done by passing parameters to the command you are using. Below are a few examples. <br />
<br />
<!--T:11--><br />
With <code>ssh</code> or <code>scp</code>:<br />
{{Command|ssh -i .ssh/private_key_to_use ...}}<br />
{{Command|scp -i .ssh/private_key_to_use ...}}<br />
<br />
<!--T:12--><br />
With <code>rsync</code>: <br />
{{Command|rsync -e "ssh -i .ssh/private_key_to_use" ...}}<br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Automation_in_the_context_of_multifactor_authentication&diff=149588Automation in the context of multifactor authentication2024-01-31T13:34:14Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<translate><br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=149584Multifactor authentication2024-01-31T13:31:05Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey 5 == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in a situation where using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are [https://help.duo.com/s/article/2166?language=en_US not compatible]. We recommend using the YubiKey 5 Series.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $50 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
YubiKeys support multiple protocols; our clusters use the Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster that supports MFA, you will be prompted to use your second factor after you first authenticate with either your password or your [[SSH Keys|SSH key]]. The prompt will look like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey or a backup code, or if you prefer to enter the time-based one-time password shown by the Duo Mobile application, type it at the prompt instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Configuring your SSH client to only ask every so often === <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration.<br />
<br />
<!--T:41--><br />
If you are using Windows, you can [https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui install OpenSSH]. Note that you only need the client portion of these instructions.<br />
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command-line clients typically support multifactor authentication without additional configuration. This is, however, often not the case for graphical clients. Below are instructions specific to a few of them. <br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask for the password and second factor each time a transfer is initiated because, by default, transfers use independent connections that are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to “1” in “Site Manager” => “Transfer Settings” tab; note that you will then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
== MobaXTerm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which causes a mandatory second prompt for your second factor of authentication.<br />
To avoid that extra step, you can set the <i>SSH-browser type</i> to either<br />
<i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i> in the<br />
<i>Advanced SSH settings</i> tab of the <i>SSH</i> session editor:<br />
<br />
</translate><br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<translate><br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
Ensure that you are using [[SSH Keys]].<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, go in the application's preferences, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item and select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== I have an older Android phone and I cannot download the Duo Mobile application from the Google Play site. Can I still use Duo? ==<br />
Yes. However, you have to download the application from the Duo website:<br />
<br />
<!--T:52--><br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
<!--T:53--><br />
For validation, official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
<!--T:54--><br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see this page].<br />
<br />
== I want to disable multifactor authentication. How do I do this? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future; therefore, users cannot disable it. Exceptions can only be granted for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client you are using. Our [[Multifactor_authentication#Recorded_webinars|recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey 5|to use a YubiKey 5]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list providing answers to as many questions as you can. Email this information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
What is the primary email address registered in your account?<br />
For how long have you had an active account with us?<br />
What is your research area?<br />
What is your IP address? (to see your IP address, point your browser to this [https://whatismyipaddress.com/ link]).<br />
Who is the principal investigator sponsoring your account?<br />
Who are your group members?<br />
Who can we contact to validate your request?<br />
Which clusters do you use the most?<br />
Which modules do you load most often?<br />
When did you run your last job?<br />
Provide a few of your latest job IDs.<br />
Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and Mac OS.<br />
* MobaXTerm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need to have automated connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
We are currently deploying a set of login nodes dedicated to automated processes that require unattended SSH connections. More information can be found [[Automation_in_the_context_of_multifactor_authentication|here]].<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product (see [https://help.duo.com/s/article/7544?language=en_US Duo help]). You will need to use a VPN to circumvent this, so that you appear to be connecting from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>)==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
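As an added illustration of the three values from the registration steps above (Public ID, Private ID, Secret Key) and of what happens when the key “types” its string, here is a small Go program written for this page (not code from the Alliance, Duo or Yubico): the key side builds and AES-encrypts the token, and the validating side reads the 12-character public ID prefix, decrypts the 32 modhex characters that follow, checks the CRC and private ID, and rejects a replayed counter. Token layout and CRC follow Yubico's published OTP format; the public ID, private ID and secret key are the sample values printed in the <code>ykman</code> transcript above, and the counters, timestamp and random value are constructed.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// modhex is Yubico's keyboard-layout-independent alphabet: one character per hex digit.
const modhex = "cbdefghijklnrtuv"
func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, (len(s)+1)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 {
			return nil, errors.New("invalid modhex character")
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}
func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, x := range b {
		out = append(out, modhex[x>>4], modhex[x&0x0f])
	}
	return string(out)
}

// crc16 is the ISO 13239 CRC inside the token (init 0xffff, poly 0x8408); over a correct 16-byte token it leaves the residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // xor in the polynomial when the dropped bit is 1
		}
	}
	return crc
}

// Credential is the per-key validator state: the three registration values plus the highest counters accepted so far (replay detection).
type Credential struct {
	PublicID    string // 12 modhex characters, sent in clear as the OTP prefix
	PrivateID   [6]byte
	AESKey      [16]byte
	LastUse     uint16
	LastSession uint8
}

// generateOTP mimics a key touch: fill the 16-byte token (private ID, use counter, timestamp, session counter, random, CRC), AES-128-encrypt it, and "type" the public ID followed by the 32 modhex characters of the ciphertext.
func (c *Credential) generateOTP(useCtr uint16, session uint8, tstp uint32, rnd uint16) string {
	tok := make([]byte, 16)
	copy(tok[0:6], c.PrivateID[:])
	binary.LittleEndian.PutUint16(tok[6:8], useCtr)
	tok[8], tok[9], tok[10], tok[11] = byte(tstp), byte(tstp>>8), byte(tstp>>16), session
	binary.LittleEndian.PutUint16(tok[12:14], rnd)
	binary.LittleEndian.PutUint16(tok[14:16], ^crc16(tok[:14]))
	block, _ := aes.NewCipher(c.AESKey[:]) // cannot fail for a 16-byte key
	ct := make([]byte, 16)
	block.Encrypt(ct, tok)
	return c.PublicID + modhexEncode(ct)
}

// Validate is what the service behind the SSH prompt does with the typed string.
func (c *Credential) Validate(otp string) error {
	if len(otp) != 44 || otp[:12] != c.PublicID {
		return errors.New("wrong length, or public ID does not belong to this key")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	block, _ := aes.NewCipher(c.AESKey[:])
	tok := make([]byte, 16)
	block.Decrypt(tok, ct)
	if crc16(tok) != 0xf0b8 || string(tok[:6]) != string(c.PrivateID[:]) {
		return errors.New("CRC or private ID check failed: wrong secret key or corrupted OTP")
	}
	useCtr := binary.LittleEndian.Uint16(tok[6:8]) & 0x7fff // the low 15 bits count uses
	if useCtr < c.LastUse || (useCtr == c.LastUse && tok[11] <= c.LastSession) {
		return errors.New("replay: counters not above the last accepted OTP")
	}
	c.LastUse, c.LastSession = useCtr, tok[11]
	return nil
}
// sampleCredential uses the values printed in the ykman transcript above (random sample output there, not real secrets).
func sampleCredential() *Credential {
	return &Credential{PublicID: "vvcccctffclk", PrivateID: [6]byte{0xbc, 0x3d, 0xd9, 0x8e, 0xaa, 0x12},
		AESKey: [16]byte{0xae, 0x01, 0x2f, 0x11, 0xbc, 0x5a, 0x00, 0xd3, 0xca, 0xc0, 0x0f, 0x1d, 0x57, 0xaa, 0x0b, 0x12}}
}
func main() {
	c := sampleCredential()
	otp := c.generateOTP(3, 0, 0x123456, 0xbeef)
	fmt.Println(otp, c.Validate(otp), c.Validate(otp)) // accepted (<nil>), then rejected as a replay
}
```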
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication/fr&diff=149543Multifactor authentication/fr2024-01-30T20:54:47Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<br />
Multifactor authentication allows you to protect your account with more than just a password. Once your account is configured to use this feature, you will need to enter your password as usual, but also perform a second action (the <i>second factor</i>) to access most of our services.<br />
<br />
Select this second authentication step from among these factors:<br />
*approve a notification on your smart device in the Duo Mobile application;<br />
*enter a code generated on demand;<br />
*press a button on a hardware key (YubiKey).<br><br />
<br />
Multifactor authentication will be deployed gradually. This feature will therefore not be available immediately for all of our services.<br />
<br />
= Webinars to watch =<br />
These two webinars were recorded in October 2023: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (in French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (in English)<br />
<br />
= Registering factors =<br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you register at least two options for your second factor. For example, you can use your phone and single-use codes; your phone and a YubiKey; or two YubiKeys. This way, if one of these options cannot be used, you will have another factor to access your account.<br />
<br />
== Use a phone or tablet ==<br />
<br />
#Install the Duo Mobile application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure you have the correct application (see the icon below). TOTP applications such as Aegis, Google Authenticator and Microsoft Authenticator <b>are not compatible</b> with Duo and cannot scan the QR code.<br />
#Log in to your account and click on <i>My account → [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name to identify your device. Click on <i>Continue</i> to display a QR code. <br />
#In the Duo Mobile application, tap the <b>+</b> sign or <i>Add account</i>.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code displayed in CCDB. <b>Important: to scan the QR code, your device must have internet access over wi-fi or a cellular network.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey 5 ==<br />
YubiKeys are hardware keys made by [https://www.yubico.com/ Yubico]. If you do not have a smartphone or tablet, if you do not want to use these devices for multifactor authentication, or if it is often impossible for you to use them, a YubiKey 5 would be your best choice.<br />
<br />
<b>Note that some models [https://help.duo.com/s/article/2166?language=en_US are not compatible]; we recommend the YubiKey 5 Series.</b><br />
<br />
The size of a small USB key, YubiKey 5 keys cost between 50 and 100 dollars. Different models fit USB-A, USB-C and Lightning ports, and some support near-field communication (NFC) with a phone or tablet.<br />
<br />
YubiKeys support multiple protocols. Our clusters use Yubico OTP (<i>one-time password</i>). Once your key is registered to your account as an authentication factor, when you try to connect to one of our clusters you will be asked to enter a one-time password (OTP). You then press the button on the key, which generates a 32-character string that forms the password to enter. You do not need the keyboard; the key connects to your computer and enters the 32-character string itself when you touch the button.<br />
<br />
To register your YubiKey, enter its public ID, private ID and secret key on the <i>[https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management]</i> page. If this information is not available, configure your key as follows.<br />
<br />
=== Configuring your YubiKey for Yubico OTP ===<br />
<br />
# Download and install YubiKey Manager from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert the YubiKey and launch YubiKey Manager.<br />
# In YubiKey Manager, click on <i>Applications</i>, then on <i>OTP</i> (see the images below).<br />
# Here you can configure one of two options. <i>Short Touch (Slot 1)</i> corresponds to a short touch (1 to 2.5 seconds) and <i>Long Touch (Slot 2)</i> to a longer touch (3 to 5 seconds). Option 1 is usually pre-registered for Yubico Cloud. If you already use this option for other services, configure option 2 instead, or click on <i>Swap</i> to transfer the configuration from option 1 to option 2, then configure option 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i> to generate a private ID and a secret key. <b>Make a copy of both IDs and the secret key before clicking on <i>Finish</i>, because you will need them in the next step</b>. Keep this window open.<br />
# <b>IMPORTANT: Make sure you have clicked on <i>Finish</i> in the previous step.</b><br />
# Log in to the CCDB and click on <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i> to enter the data for your key.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Steps 6 and 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Authentication =<br />
== Connecting to a cluster via SSH == <br />
If multifactor authentication is enabled for your account and you connect via SSH to a cluster that supports this feature, you must first pass the first authentication with your password or your [[SSH Keys/fr|SSH key]]. The following will be displayed for the second authentication: <br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
Enter a passcode or select one of the following options:<br />
<br />
1. Duo Push to My phone (iOS)<br />
<br />
Passcode or option (1-1):}}<br />
<br />
You can now indicate the phone or tablet that will receive a notification from Duo. If you have registered several devices, a list will be displayed in which you can select the device of your choice. You simply accept the notification to confirm your second authentication.<br />
<br />
If you are using a YubiKey or a previously saved code, or if you prefer to enter the time-limited one-time password that Duo Mobile displays, do not select an option but enter the code, for example <br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
Enter a passcode or select one of the following options:<br />
<br />
1. Duo Push to My phone (iOS)<br />
<br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Skipping the second authentication ===<br />
If you connect with OpenSSH, you can configure your SSH client to reduce how often you have to use the second authentication. Edit <code>.ssh/config</code> to add the following lines:<br />
<br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
Replace <code>HOSTNAME</code> with the hostname of the server you want to configure.<br />
<br />
If you are using Windows, you can install OpenSSH by following the [https://learn.microsoft.com/fr-ca/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui OpenSSH installation instructions]. You only need to install the client.<br />
<br />
== Connecting to your account ==<br />
If multifactor authentication is enabled for your account, you must first pass the first authentication with your username and password. The following will be displayed for the second authentication: <br />
<br><br />
(Note: <i>This is not the final window</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients =<br />
Command-line clients generally support multifactor authentication without further configuration. However, this is often not the case for graphical clients. Below you will find instructions specific to a few of them. <br />
<br />
== FileZilla == <br />
FileZilla asks for the password and the second factor each time a transfer is initiated because, by default, transfers use separate connections that are automatically closed after a certain idle time.<br />
<br />
To avoid entering the password and second factor several times, you can limit the number of connections to each site to “1” under <i>Site Manager => Transfer Settings</i>; note that you will then lose the ability to browse the server during transfers.<br />
<br />
# Launch FileZilla and select <i>Site Manager</i>.<br />
# In <i>Site Manager</i>, edit an existing site or create a new one.<br />
# On the <i>General</i> tab, enter the following choices:<br />
#* <i>Protocol: SFTP – SSH File Transfer Protocol</i><br />
#* <i>Host:</i> [hostname of the login cluster]<br />
#* <i>Logon Type: Interactive</i><br />
#* <i>User:</i> [your username]<br />
# On the <i>Transfer Settings</i> tab:<br />
#* check the box <i>Limit number of simultaneous connections</i> <br />
#* <i>Maximum number of connections: 1</i><br />
# Click on <i>OK</i> to save the connection.<br />
# Test the connection.<br />
<br />
== MobaXTerm == <br />
Install version 23.1 or a more recent version.<br />
<br />
To reach a remote server, MobaXTerm establishes two connections by default: a first one for the terminal and a second one to browse the remote files. Since the browser uses the <i>SFTP protocol</i> by default, your second authentication factor is requested a second time. To avoid this, in the SSH editor, under the <i>SSH-browser type</i> tab, select <i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i>.<br />
<br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<br />
== PuTTY ==<br />
Install version 0.72 or a more recent version. <br />
<br />
== WinSCP == <br />
Make sure you are using [[SSH Keys/fr|SSH keys]]. <br />
<br />
== PyCharm == <br />
Make sure you are using [[SSH Keys/fr|SSH keys]].<br />
<br />
== Cyberduck ==<br />
By default, Cyberduck opens a new connection for each file transfer and asks for your second factor each time. To change this, go to the preferences, under <i>Transfers</i>, <i>General</i> tab, and in the drop-down menu for <i>Transfer Files</i>, select <i>Use browser connection</i>.<br />
<br />
Make sure that the box for <i>Segmented downloads with multiple connections per file</i> is not checked.<br />
<br />
[[File:CyberduckFRN.png|400px|Configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions =<br />
== I have an Android phone and cannot find the Duo Mobile application in Google Play. Can I still use Duo? ==<br />
Yes, but you will have to download the application from the Duo website:<br />
<br />
* For Android 8 and 9, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.33.0.apk DuoMobile-4.33.0.apk]<br />
* For Android 10, the latest compatible version is [https://dl.duosecurity.com/DuoMobile-4.56.0.apk DuoMobile-4.56.0.apk]<br />
<br />
For validation, the official [https://duo.com/docs/checksums#duo-mobile SHA-256 checksums are listed here].<br />
<br />
For installation instructions, [https://help.duo.com/s/article/2211?language=en_US see the details here].<br />
<br />
== I want to disable multifactor authentication. How do I proceed? ==<br />
This feature will soon be mandatory and cannot be disabled. We grant exceptions only for automated processes. If multifactor authentication bothers you, we suggest using one of the configurations described above, depending on the SSH client you are using. You will find other suggestions in [[Multifactor_authentication/fr#Webinaires_à_voir|these webinars]]. <br />
<br />
== I do not have a tablet or a recent enough smartphone. How can I use multifactor authentication? ==<br />
You can [[Multifactor authentication/fr#Pour_utiliser_une_clé_YubiKey|use a YubiKey]].<br />
<br />
== I have lost a device I used as a second factor. What can I do? ==<br />
* If you have configured several devices or generated backup codes, use this other method to [https://ccdb.alliancecan.ca/multi_factor_authentications access your account]. In the list of registered devices, delete the one you have lost and register the new device.<br />
* If you have not saved any backup codes and no longer have any of the devices you configured, copy the following list and add as many details as possible. Send this information to support@tech.alliancecan.ca. <br />
<br />
What is the primary email address registered in your account?<br />
For how long have you had an active account with us?<br />
What is your research area?<br />
What is your IP address? (to find your IP address, [https://whatismyipaddress.com/ click on this link])<br />
What is the name of the principal investigator sponsoring you?<br />
Who are your group members?<br />
Who can we contact about your request?<br />
Which clusters do you use the most?<br />
Which modules do you load most often?<br />
When did you submit your last job?<br />
Give the IDs of some of your most recent jobs.<br />
Describe the topics and give the IDs of your most recent technical support requests.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? ==<br />
* Most command-line SSH clients, such as those available on Linux or Mac OS<br />
* MobaXTerm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need automated connections to the clusters from my account; can I use multifactor authentication? ==<br />
This option is under study, but no general solution has been implemented yet. If this is your case, avoid enrolling in the multifactor authentication service and write to [[Technical support/fr|technical support]].<br />
<br />
== Message <i>Access denied. Duo Security does not provide services in your current location</i> ==<br />
Ceci est dû au fait que Duo est un produit des États-Unis (voir [https://help.duo.com/s/article/7544?language=en_US Duo help]). Pour contourner ceci, vous devez utiliser une connexion VPN et faire comme si vous étiez d'un pays à partir duquel l'accès est permis.<br />
<br />
= Fonctions avancées =<br />
== Configurer votre YubiKey pour Yubico OTP via la ligne de commande (<code>ykman</code>)==<br />
# Installez le logiciel de ligne de commande YubiKey Manager (<code>ykman</code>) en suivant les directives pour votre système d'exploitation dans le [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman guide ykman].<br />
# Entrez votre YubiKey et prenez connaissance de l'information sur la clé avec la commande <code>ykman info</code>.<br />
# Prenez connaissance de l'information sur OTP avec la commande <code>ykman otp info</code>.<br />
# Choisissez entre Slot 1 et Slot 2 et lancez la commande <code>ykman otp yubiotp</code> pour programmer l'option.<br />
# <b>Dans un endroit sécuritaire, conservez une copie de l’identifiant public, l’identifiant privé et la clé secrète; ils seront nécessaires à la prochaine étape.</b><br />
# Connectez-vous à la CCDB pour enregistrer votre clé dans la page <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Gestion de l'authentification multifacteur]</i>.<br />
<br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source></div>
Mboisson https://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication/f&diff=149486 Multifactor authentication/f 2024-01-30T16:08:40Z <p>Mboisson: Redirected page to Multifactor authentication/fr</p>
<hr />
<div>#REDIRECT [[Multifactor_authentication/fr]]</div>
Mboisson https://docs.alliancecan.ca/mediawiki/index.php?title=Running_jobs&diff=149280 Running jobs 2024-01-24T15:54:57Z <p>Mboisson: </p>
<hr />
<div><languages /><br />
<translate><br />
<br />
<!--T:54--><br />
This page is intended for the user who is already familiar with the concepts of job scheduling and job scripts, and who wants guidance on submitting jobs to our clusters.<br />
If you have not worked on a large shared computer cluster before, you should probably read [[What is a scheduler?]] first.<br />
<br />
<!--T:112--><br />
{{box|<b>All jobs must be submitted via the scheduler!</b><br />
<br><br />
Exceptions are made for compilation and other tasks not expected to consume more than about 10 CPU-minutes and about 4 gigabytes of RAM. Such tasks may be run on a login node. In no case should you run processes on compute nodes except via the scheduler.}}<br />
<br />
<!--T:55--><br />
On our clusters, the job scheduler is the <br />
[https://en.wikipedia.org/wiki/Slurm_Workload_Manager Slurm Workload Manager].<br />
Comprehensive [https://slurm.schedmd.com/documentation.html documentation for Slurm] is maintained by SchedMD. If you are coming to Slurm from PBS/Torque, SGE, LSF, or LoadLeveler, you might find this table of [https://slurm.schedmd.com/rosetta.pdf corresponding commands] useful.<br />
<br />
==Use <code>sbatch</code> to submit jobs== <!--T:56--><br />
The command to submit a job is [https://slurm.schedmd.com/sbatch.html <code>sbatch</code>]:<br />
<source lang="bash"><br />
$ sbatch simple_job.sh<br />
Submitted batch job 123456<br />
</source><br />
<br />
<!--T:57--><br />
A minimal Slurm job script looks like this:<br />
{{File<br />
|name=simple_job.sh<br />
|lang="sh"<br />
|contents=<br />
#!/bin/bash<br />
#SBATCH --time=00:15:00<br />
#SBATCH --account=def-someuser<br />
echo 'Hello, world!'<br />
sleep 30 <br />
}}<br />
<br />
<!--T:58--><br />
On general-purpose (GP) clusters, this job reserves 1 core and 256MB of memory for 15 minutes. On [[Niagara]], this job reserves the whole node with all its memory.<br />
Directives (or <i>options</i>) in the job script are prefixed with <code>#SBATCH</code> and must precede all executable commands. All available directives are described on the [https://slurm.schedmd.com/sbatch.html sbatch page]. Our policies require that you supply at least a time limit (<code>--time</code>) for each job. You may also need to supply an account name (<code>--account</code>). See [[#Accounts and projects|Accounts and projects]] below.<br />
<br />
<!--T:59--><br />
You can also specify directives as command-line arguments to <code>sbatch</code>. So for example,<br />
$ sbatch --time=00:30:00 simple_job.sh <br />
will submit the above job script with a time limit of 30 minutes. The acceptable time formats include "minutes", "minutes:seconds", "hours:minutes:seconds", "days-hours", "days-hours:minutes" and "days-hours:minutes:seconds". Please note that the time limit will strongly affect how quickly the job is started, since longer jobs are [[Job_scheduling_policies|eligible to run on fewer nodes]].<br />
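The six time formats are easy to misread: <code>30:30</code> is thirty minutes and thirty seconds, not thirty hours and thirty minutes, and a value with a leading zero such as <code>0-08:00</code> must not be fed to shell arithmetic, which would read <code>08</code> as an invalid octal number. The following POSIX shell functions are an added example, not code from the Alliance documentation or from Slurm; they convert any of the listed formats to seconds so that a submission wrapper can compare a request against a cluster's limit before calling <code>sbatch</code>. The names <code>slurm_time_to_seconds</code> and <code>slurm_time_within</code> are chosen for this example.<br />

```shell
#!/bin/sh
# Added example (not from the Alliance docs or from Slurm itself):
# convert a Slurm --time specification to seconds.
#
# Accepted forms, exactly as documented for sbatch:
#   minutes | minutes:seconds | hours:minutes:seconds
#   days-hours | days-hours:minutes | days-hours:minutes:seconds
# Prints the number of seconds, or prints nothing and returns 1 for
# anything that does not match one of those shapes.
slurm_time_to_seconds() {
    printf '%s\n' "$1" | awk '
    {
        spec = $0
        # Whole-string shape check; rejects "1:2:3:4", "1-", "x" and "".
        if (spec !~ /^[0-9]+(-[0-9]+(:[0-9]+(:[0-9]+)?)?|:[0-9]+(:[0-9]+)?)?$/)
            exit 1
        d = 0; h = 0; m = 0; s = 0
        if (index(spec, "-") > 0) {
            # days-hours[:minutes[:seconds]]
            split(spec, p, "-")
            d = p[1]
            n = split(p[2], t, ":")
            h = t[1]
            if (n >= 2) m = t[2]
            if (n >= 3) s = t[3]
        } else {
            n = split(spec, t, ":")
            if (n == 1)      { m = t[1] }                       # minutes
            else if (n == 2) { m = t[1]; s = t[2] }             # minutes:seconds
            else             { h = t[1]; m = t[2]; s = t[3] }   # hours:minutes:seconds
        }
        # awk reads "08" as decimal 8; a shell $(( 08 )) would reject it.
        total = (d * 24 + h) * 3600 + m * 60 + s
        print total
    }'
}

# Return 0 when the request in $1 does not exceed the limit in $2 (both in
# Slurm format), e.g. the 168-hour ceiling several clusters enforce.
# Returns 2 if either value is malformed.
slurm_time_within() {
    req=$(slurm_time_to_seconds "$1") || return 2
    lim=$(slurm_time_to_seconds "$2") || return 2
    [ "$req" -le "$lim" ]
}
```

A wrapper that refuses a request when <code>slurm_time_within "$REQUESTED" 168:00:00</code> fails gives the user the rejection locally instead of a queued job that can never start.<br />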
<br />
<!--T:114--><br />
Please be cautious if you use a script to submit multiple Slurm jobs in a short time. Submitting thousands of jobs at a time can cause Slurm to become [[Frequently_Asked_Questions#sbatch:_error:_Batch_job_submission_failed:_Socket_timed_out_on_send/recv_operation|unresponsive]] to other users. Consider using an [[Running jobs#Array job|array job]] instead, or use <code>sleep</code> to space out calls to <code>sbatch</code> by one second or more.<br />
<br />
=== Memory === <!--T:161--><br />
<br />
<!--T:106--><br />
Memory may be requested with <code>--mem-per-cpu</code> (memory per core) or <code>--mem</code> (memory per node). On general-purpose (GP) clusters, a default memory amount of 256 MB per core will be allocated unless you make some other request. On [[Niagara]], only whole nodes are allocated along with all available memory, so a memory specification is not required there.<br />
<br />
<!--T:162--><br />
A common source of confusion comes from the fact that some memory on a node is not available to the job (reserved for the OS, etc.). The effect of this is that each node type has a maximum amount available to jobs; for instance, nominally "128G" nodes are typically configured to permit 125G of memory to user jobs. If you request more memory than a node-type provides, your job will be constrained to run on higher-memory nodes, which may be fewer in number.<br />
<br />
<!--T:163--><br />
Adding to this confusion, Slurm interprets K, M, G, etc., as [https://en.wikipedia.org/wiki/Binary_prefix binary prefixes], so <code>--mem=125G</code> is equivalent to <code>--mem=128000M</code>. See the <i>Available memory</i> column in the <i>Node characteristics</i> table for each GP cluster for the Slurm specification of the maximum memory you can request on each node: [[Béluga/en#Node_characteristics|Béluga]], [[Cedar#Node_characteristics|Cedar]], [[Graham#Node_characteristics|Graham]], [[Narval/en#Node_characteristics|Narval]].<br />
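The binary-prefix rule and the gap between a node's nominal and available memory are easiest to get right in code. This added example (not from the Alliance documentation or from Slurm) converts a memory request to megabytes the way the text describes, then checks it against the <i>Available memory</i> figure for a node type; <code>slurm_mem_to_mb</code>, <code>slurm_mem_fits_node</code> and <code>slurm_mem_total_mb</code> are names chosen here.<br />

```shell
#!/bin/sh
# Added example (not from the Alliance docs or from Slurm): convert a Slurm
# memory request such as "125G" or "128000M" to megabytes, applying the
# binary prefixes Slurm uses (1T = 1024G, 1G = 1024M, 1M = 1024K).
# A bare number is taken as megabytes, the default unit of --mem and
# --mem-per-cpu. Prints the value, or prints nothing and returns 1 when
# the request is malformed.
slurm_mem_to_mb() {
    spec=$1
    num=${spec%[KMGT]}           # strip one trailing unit letter, if present
    unit=${spec#"$num"}          # the letter that was stripped ("" if none)
    case $num in
        ''|*[!0-9]*) return 1 ;; # not a positive integer (covers "125X", "G")
    esac
    # Drop leading zeros so that "0125" is not read as octal by $(( )).
    num=$(printf '%s\n' "$num" | sed 's/^0*\([0-9]\)/\1/')
    case $unit in
        K)    echo $(( num / 1024 )) ;;   # integer division: sub-MB remainder truncated
        ''|M) echo "$num" ;;
        G)    echo $(( num * 1024 )) ;;
        T)    echo $(( num * 1024 * 1024 )) ;;
    esac
}

# Return 0 when request $1 fits in a node type that exposes $2 MB to jobs.
# Returns 2 if the request is malformed.
slurm_mem_fits_node() {
    req=$(slurm_mem_to_mb "$1") || return 2
    [ "$req" -le "$2" ]
}

# Per-node total for a single-node job: --mem-per-cpu ($1) times the core
# count ($2). Compare this, not the per-core figure, with the node's limit.
slurm_mem_total_mb() {
    per=$(slurm_mem_to_mb "$1") || return 2
    echo $(( per * $2 ))
}
```

With the node's available figure of 128000 MB (the "125G" of a nominal 128G node), <code>slurm_mem_fits_node 125G 128000</code> succeeds while <code>slurm_mem_fits_node 128G 128000</code> fails, which is exactly the request that would be pushed onto the scarcer higher-memory nodes.<br />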
<br />
==Use <code>squeue</code> or <code>sq</code> to list jobs== <!--T:60--><br />
<br />
<!--T:61--><br />
The general command for checking the status of Slurm jobs is <code>squeue</code>, but by default it supplies information about <b>all</b> jobs in the system, not just your own. You can use the shorter <code>sq</code> to list only your own jobs:<br />
<br />
<!--T:62--><br />
<source lang="bash"><br />
$ sq<br />
JOBID USER ACCOUNT NAME ST TIME_LEFT NODES CPUS GRES MIN_MEM NODELIST (REASON)<br />
123456 smithj def-smithj simple_j R 0:03 1 1 (null) 4G cdr234 (None)<br />
123457 smithj def-smithj bigger_j PD 2-00:00:00 1 16 (null) 16G (Priority)<br />
</source><br />
<br />
<!--T:12--><br />
The ST column of the output shows the status of each job. The two most common states are PD for <i>pending</i> or R for <i>running</i>. <br />
<br />
<!--T:167--><br />
If you want to know more about the output of <code>sq</code> or <code>squeue</code>, or learn how to change the output, see the [https://slurm.schedmd.com/squeue.html online manual page for squeue]. <code>sq</code> is a local customization.<br />
<br />
<!--T:115--><br />
<b>Do not</b> run <code>sq</code> or <code>squeue</code> from a script or program at high frequency (e.g. every few seconds). Responding to <code>squeue</code> adds load to Slurm, and may interfere with its performance or correct operation. See [[#Email_notification|Email notification]] below for a much better way to learn when your job starts or ends.<br />
<br />
==Where does the output go?== <!--T:63--><br />
<br />
<!--T:64--><br />
By default the output is placed in a file named "slurm-", suffixed with the job ID number and ".out" (e.g. <code>slurm-123456.out</code>), in the directory from which the job was submitted.<br />
Having the job ID as part of the file name is convenient for troubleshooting.<br />
<br />
<!--T:176--><br />
A different name or location can be specified if your workflow requires it by using the <code>--output</code> directive.<br />
Certain replacement symbols can be used in a filename specified this way, such as the job ID number, the job name, or the [[Job arrays|job array]] task ID.<br />
See the [https://slurm.schedmd.com/sbatch.html vendor documentation on sbatch] for a complete list of replacement symbols and some examples of their use.<br />
<br />
<!--T:16--><br />
Error output will normally appear in the same file as standard output, just as it would if you were typing commands interactively. If you want to send the standard error channel (stderr) to a separate file, use <code>--error</code>.<br />
<br />
==Accounts and projects== <!--T:66--><br />
<br />
<!--T:67--><br />
Every job must have an associated account name corresponding to a [[Frequently_Asked_Questions_about_the_CCDB#What_is_a_RAP.3F|Resource Allocation Project]] (RAP). If you are a member of only one account, the scheduler will automatically associate your jobs with that account.<br />
<br />
<!--T:107--><br />
If you receive one of the following messages when you submit a job, then you have access to more than one account:<br />
<pre><br />
You are associated with multiple _cpu allocations...<br />
Please specify one of the following accounts to submit this job:<br />
</pre><br />
<br />
<!--T:108--><br />
<pre><br />
You are associated with multiple _gpu allocations...<br />
Please specify one of the following accounts to submit this job:<br />
</pre> <br />
<br />
<!--T:173--><br />
In this case, use the <code>--account</code> directive to specify one of the accounts listed in the error message, e.g.:<br />
#SBATCH --account=def-user-ab<br />
<br />
<!--T:68--><br />
To find out which account name corresponds<br />
to a given Resource Allocation Project, log in to [https://ccdb.alliancecan.ca CCDB] <br />
and click on <i>My Account -> My Resources and Allocations</i>. You will see a list of all the projects <br />
you are a member of. The string you should use with the <code>--account</code> for <br />
a given project is under the column <i>Group Name</i>. Note that a Resource <br />
Allocation Project may only apply to a specific cluster (or set of clusters) and therefore<br />
may not be transferable from one cluster to another. <br />
<br />
<!--T:69--><br />
In the illustration below, jobs submitted with <code>--account=def-fuenma</code> will be accounted against RAP zhf-914-aa.<br />
<br />
<!--T:70--><br />
[[File:Find-group-name-EN.png|750px|frame|left| Finding the group name for a Resource Allocation Project (RAP)]]<br />
<br clear=all> <!-- This is to prevent the next section from filling to the right of the image. --><br />
<br />
<!--T:71--><br />
If you plan to use one account consistently for all jobs, once you have determined the right account name you may find it convenient to set the following three environment variables in your <code>~/.bashrc</code> file:<br />
export SLURM_ACCOUNT=def-someuser<br />
export SBATCH_ACCOUNT=$SLURM_ACCOUNT<br />
export SALLOC_ACCOUNT=$SLURM_ACCOUNT<br />
Slurm will use the value of <code>SBATCH_ACCOUNT</code> in place of the <code>--account</code> directive in the job script. Note that even if you supply an account name inside the job script, <i>the environment variable takes priority.</i> In order to override the environment variable, you must supply an account name as a command-line argument to <code>sbatch</code>.<br />
<br />
<!--T:72--><br />
<code>SLURM_ACCOUNT</code> plays the same role as <code>SBATCH_ACCOUNT</code>, but for the <code>srun</code> command instead of <code>sbatch</code>. The same idea holds for <code>SALLOC_ACCOUNT</code>.<br />
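The precedence just described (command line over <code>SBATCH_ACCOUNT</code>, and <code>SBATCH_ACCOUNT</code> over the directive in the script) is what makes a forgotten <code>export</code> in <code>~/.bashrc</code> silently charge a different allocation. The following added example (not the Alliance's code and not Slurm's) reproduces that resolution offline: <code>script_account</code> reads the <code>#SBATCH</code> header the way <code>sbatch</code> does, honouring only directives that precede the first command, and <code>effective_account</code> applies the three levels. The function names and the sample script are assumptions of this example.<br />

```shell
#!/bin/sh
# Added example (not from the Alliance docs or from Slurm): reproduce how
# the account for a job is chosen, following the precedence this page
# describes: a command-line --account beats $SBATCH_ACCOUNT, which beats
# the #SBATCH --account directive inside the script.

# Print the account named by an #SBATCH directive in the job script's
# header. As with sbatch, only directives that appear before the first
# executable command count; a directive placed after one is ignored.
# Handles "--account=X", "--account X" and the short form "-A X".
script_account() {
    awk '
        /^[ \t]*$/ { next }                    # blank lines keep the header open
        /^#SBATCH[ \t]/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^--account=/) { print substr($i, 11); exit }
                if ($i == "--account" || $i == "-A") { print $(i + 1); exit }
            }
            next
        }
        /^#/ { next }                          # shebang and ordinary comments
        { exit }                               # first command ends the header
    ' "$1"
}

# Resolve the effective account.
#   $1  value from "sbatch --account=..." on the command line (may be empty)
#   $2  value of the SBATCH_ACCOUNT environment variable (may be empty)
#   $3  path to the job script
effective_account() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        script_account "$3"
    fi
}

# Write a constructed sample job script to $1; $2 is the account to place
# in the header (empty for none). A late directive after the first command
# is included on purpose to show that it does not count.
write_sample_script() {
    {
        printf '#!/bin/bash\n'
        printf '#SBATCH --time=00:15:00\n'
        [ -n "$2" ] && printf '#SBATCH --account=%s\n' "$2"
        printf '\n'
        printf "echo 'Hello, world!'\n"
        printf '#SBATCH --account=def-too-late\n'
    } > "$1"
}

# Stand-alone demonstration: prints the resolved account for each level.
demo_account_precedence() {
    tmp=$(mktemp)
    write_sample_script "$tmp" def-script
    printf 'script only      : %s\n' "$(effective_account '' '' "$tmp")"
    printf 'with env var     : %s\n' "$(effective_account '' def-env "$tmp")"
    printf 'with command line: %s\n' "$(effective_account def-cli def-env "$tmp")"
    rm -f "$tmp"
}
```

Call <code>demo_account_precedence</code> after sourcing the file, or run <code>effective_account "" "$SBATCH_ACCOUNT" my_job.sh</code> against a real script to see which account it would be charged to before submitting.<br />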
<br />
== Examples of job scripts == <!--T:17--><br />
<br />
=== Serial job === <!--T:146--><br />
A serial job is a job which only requests a single core. It is the simplest type of job. The "simple_job.sh" which appears above in [[#Use_sbatch_to_submit_jobs|Use sbatch to submit jobs]] is an example.<br />
<br />
=== Array job === <!--T:27--><br />
Also known as a <i>task array</i>, an array job is a way to submit a whole set of jobs with one command. The individual jobs in the array are distinguished by an environment variable, <code>$SLURM_ARRAY_TASK_ID</code>, which is set to a different value for each instance of the job. The following example will create 10 tasks, with values of <code>$SLURM_ARRAY_TASK_ID</code> ranging from 1 to 10:<br />
<br />
<!--T:147--><br />
{{File<br />
|name=array_job.sh<br />
|lang="sh"<br />
|contents=<br />
#!/bin/bash<br />
#SBATCH --account=def-someuser<br />
#SBATCH --time=0-0:5<br />
#SBATCH --array=1-10<br />
./myapplication $SLURM_ARRAY_TASK_ID<br />
}}<br />
<br />
<!--T:142--><br />
For more examples, see [[Job arrays]]. See [https://slurm.schedmd.com/job_array.html Job Array Support] for detailed documentation.<br />
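The usual way to turn <code>$SLURM_ARRAY_TASK_ID</code> into work is to use it as an index into a list of inputs. The functions below are an added example, not from the Alliance documentation; Slurm sets the task ID inside each array task, but here it is passed as an explicit argument so the mapping can be checked without a cluster. The function names, the <code>sample_NN.dat</code> file names and the chunking scheme are assumptions of this example, and the last function generalises the one-line-per-task pattern to a block of lines per task.<br />

```shell
#!/bin/sh
# Added example (not from the Alliance docs): map $SLURM_ARRAY_TASK_ID to
# work. Slurm sets that variable in each array task; the functions take
# the task number as an argument so they can be tested here.

# Print the --array range covering every line of the input list $1.
array_range_for_list() {
    n=$(wc -l < "$1" | tr -d ' ')
    [ "$n" -ge 1 ] || return 1
    echo "1-$n"
}

# Print the single input line assigned to task $2 from list $1.
# Fails (nothing printed, exit 1) when the task number is outside the list,
# which catches an --array range that is wider than the list.
array_task_input() {
    n=$(wc -l < "$1" | tr -d ' ')
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le "$n" ] || return 1
    sed -n "${2}p" "$1"
}

# Generalisation: give each of $2 tasks a contiguous block of lines from $1
# and print the block for task $3. When the task count does not divide the
# list evenly the last task gets a shorter block; a task past the end fails.
array_task_chunk() {
    n=$(wc -l < "$1" | tr -d ' ')
    size=$(( (n + $2 - 1) / $2 ))          # ceiling(n / tasks)
    start=$(( ($3 - 1) * size + 1 ))
    end=$(( $3 * size ))
    [ "$start" -le "$n" ] || return 1
    [ "$end" -le "$n" ] || end=$n
    sed -n "${start},${end}p" "$1"
}

# Write a constructed list of $2 input file names to $1, one per line.
write_sample_list() {
    i=1
    : > "$1"
    while [ "$i" -le "$2" ]; do
        printf 'sample_%02d.dat\n' "$i" >> "$1"
        i=$(( i + 1 ))
    done
}
```

Inside the job script the pairing is <code>input=$(array_task_input inputs.txt "$SLURM_ARRAY_TASK_ID") || exit 1</code> followed by <code>./myapplication "$input"</code>; submit with <code>--array=$(array_range_for_list inputs.txt)</code> so the range and the list cannot drift apart.<br />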
<br />
=== Threaded or OpenMP job === <!--T:21--><br />
This example script launches a single process with eight CPU cores. Bear in mind that for an application to use OpenMP it must be compiled with the appropriate flag, e.g. <code>gcc -fopenmp ...</code> or <code>icc -openmp ...</code><br />
<br />
<!--T:22--><br />
{{File<br />
|name=openmp_job.sh<br />
|lang="sh"<br />
|contents=<br />
#!/bin/bash<br />
#SBATCH --account=def-someuser<br />
#SBATCH --time=0-0:5<br />
#SBATCH --cpus-per-task=8<br />
export OMP_NUM_THREADS=$SLURM_CPUS_PER_TASK<br />
./ompHello<br />
}}<br />
<br />
=== MPI job === <!--T:18--><br />
<br />
<!--T:51--><br />
This example script launches four MPI processes, each with 1024 MB of memory. The run time is limited to 5 minutes. <br />
<br />
<!--T:19--><br />
{{File<br />
|name=mpi_job.sh<br />
|lang="sh"<br />
|contents=<br />
#!/bin/bash<br />
#SBATCH --account=def-someuser<br />
#SBATCH --ntasks=4 # number of MPI processes<br />
#SBATCH --mem-per-cpu=1024M # memory; default unit is megabytes<br />
#SBATCH --time=0-00:05 # time (DD-HH:MM)<br />
srun ./mpi_program # mpirun or mpiexec also work<br />
}}<br />
<br />
<!--T:20--><br />
Large MPI jobs, specifically those which can efficiently use whole nodes, should use <code>--nodes</code> and <code>--ntasks-per-node</code> instead of <code>--ntasks</code>. Hybrid MPI/threaded jobs are also possible. For more on these and other options relating to distributed parallel jobs, see [[Advanced MPI scheduling]].<br />
<br />
<!--T:23--><br />
For more on writing and running parallel programs with OpenMP, see [[OpenMP]].<br />
<br />
=== GPU job === <!--T:24--><br />
There are many options involved in requesting GPUs because <br />
* the GPU-equipped nodes at [[Cedar]] and [[Graham]] have different configurations,<br />
* there are two different configurations at Cedar, and <br />
* there are different policies for the different Cedar GPU nodes. <br />
Please see [[Using GPUs with Slurm]] for a discussion and examples of how to schedule various job types on the available GPU resources.<br />
<br />
== Interactive jobs == <!--T:28--><br />
Though batch submission is the most common and most efficient way to take advantage of our clusters, interactive jobs are also supported. These can be useful for things like:<br />
* Data exploration at the command line<br />
* Interactive console tools like R and iPython<br />
* Significant software development, debugging, or compiling<br />
<br />
<!--T:29--><br />
You can start an interactive session on a compute node with [https://slurm.schedmd.com/salloc.html salloc]. In the following example we request one task, which corresponds to one CPU core and 3 GB of memory, for an hour:<br />
$ salloc --time=1:0:0 --mem-per-cpu=3G --ntasks=1 --account=def-someuser<br />
salloc: Granted job allocation 1234567<br />
$ ... # do some work<br />
$ exit # terminate the allocation<br />
salloc: Relinquishing job allocation 1234567<br />
<br />
<!--T:129--><br />
It is also possible to run graphical programs interactively on a compute node by adding the <b>--x11</b> flag to your <code>salloc</code> command. In order for this to work, you must first connect to the cluster with X11 forwarding enabled (see the [[SSH]] page for instructions on how to do that). Note that an interactive job with a duration of three hours or less will likely start very soon after submission as we have dedicated test nodes for jobs of this duration. Interactive jobs that request more than three hours run on the cluster's regular set of nodes and may wait for many hours or even days before starting, at an unpredictable (and possibly inconvenient) hour.<br />
<br />
== Monitoring jobs == <!--T:31--><br />
<br />
=== Current jobs === <!--T:148--><br />
<br />
<!--T:32--><br />
By default [https://slurm.schedmd.com/squeue.html squeue] will show all the jobs the scheduler is managing at the moment. It will run much faster if you ask only about your own jobs with<br />
$ squeue -u $USER<br />
You can also use the utility <code>sq</code> to do the same thing with less typing.<br />
<br />
<!--T:33--><br />
You can show only running jobs, or only pending jobs:<br />
$ squeue -u <username> -t RUNNING<br />
$ squeue -u <username> -t PENDING<br />
<br />
<!--T:34--><br />
You can show detailed information for a specific job with [https://slurm.schedmd.com/scontrol.html scontrol]:<br />
$ scontrol show job -dd <jobid><br />
<br />
<!--T:160--><br />
<b>Do not</b> run <code>squeue</code> from a script or program at high frequency (e.g., every few seconds). Responding to <code>squeue</code> adds load to Slurm and may interfere with its performance or correct operation. <br />
<br />
==== Email notification ==== <!--T:149--><br />
<br />
<!--T:36--><br />
You can ask to be notified by email of certain job conditions by supplying options to sbatch:<br />
#SBATCH --mail-user=your.email@example.com<br />
#SBATCH --mail-type=ALL<br />
For a complete list of the options see [https://slurm.schedmd.com/sbatch.html#OPT_mail-type SchedMD's documentation].<br />
<br />
==== Output buffering ==== <!--T:168--><br />
<br />
<!--T:169--><br />
Output from a non-interactive Slurm job is normally <i>buffered</i>, which means that there is usually a delay between when data is written by the job and when you can see the output on a login node. Depending on the application you are running and the load on the filesystem, this delay can range from less than a second to many minutes, or until the job completes.<br />
<br />
<!--T:170--><br />
There are methods to reduce or eliminate the buffering, but we do not recommend using them because buffering is vital to preserving the overall performance of the filesystem. If you need to monitor the output from a job in <i>real time</i>, we recommend you run an [[#Interactive_jobs|interactive job]] as described above.<br />
<br />
=== Completed jobs === <!--T:150--><br />
<br />
<!--T:151--><br />
Get a short summary of the CPU and memory efficiency of a job with <code>seff</code>:<br />
$ seff 12345678<br />
Job ID: 12345678<br />
Cluster: cedar<br />
User/Group: jsmith/jsmith<br />
State: COMPLETED (exit code 0)<br />
Cores: 1<br />
CPU Utilized: 02:48:58<br />
CPU Efficiency: 99.72% of 02:49:26 core-walltime<br />
Job Wall-clock time: 02:49:26<br />
Memory Utilized: 213.85 MB<br />
Memory Efficiency: 0.17% of 125.00 GB<br />
<br />
<!--T:35--><br />
Find more detailed information about a completed job with [https://slurm.schedmd.com/sacct.html sacct], and optionally, control what it prints using <code>--format</code>:<br />
$ sacct -j <jobid><br />
$ sacct -j <jobid> --format=JobID,JobName,MaxRSS,Elapsed<br />
<br />
<!--T:153--><br />
The output from <code>sacct</code> typically includes records labelled <code>.bat+</code> and <code>.ext+</code>, and possibly <code>.0, .1, .2, ...</code>. <br />
The batch step (<code>.bat+</code>) is your submission script - for many jobs that's where the main part of the work is done and where the resources are consumed.<br />
If you use <code>srun</code> in your submission script, that would create a <code>.0</code> step that would consume most of the resources. <br />
The extern (<code>.ext+</code>) step is basically prologue and epilogue and normally doesn't consume any significant resources.<br />
<br />
<!--T:73--><br />
If a node fails while running a job, the job may be restarted. <code>sacct</code> will normally show you only the record for the last (presumably successful) run. If you wish to see all records related to a given job, add the <code>--duplicates</code> option.<br />
<br />
<!--T:52--><br />
Use the MaxRSS accounting field to determine how much memory a job needed. The value returned will be the largest [https://en.wikipedia.org/wiki/Resident_set_size resident set size] for any of the tasks. If you want to know which task and node this occurred on, print the MaxRSSTask and MaxRSSNode fields also.<br />
<br />
<!--T:53--><br />
The [https://slurm.schedmd.com/sstat.html sstat] command works on a running job much the same way that [https://slurm.schedmd.com/sacct.html sacct] works on a completed job.<br />
<br />
=== Attaching to a running job === <!--T:130--><br />
It is possible to connect to the node running a job and execute new processes there. You might want to do this for troubleshooting or to monitor the progress of a job.<br />
<br />
<!--T:131--><br />
Suppose you want to run the utility [https://developer.nvidia.com/nvidia-system-management-interface <code>nvidia-smi</code>] to monitor GPU usage on a node where you have a job running. The following command runs <code>watch</code> on the node assigned to the given job, which in turn runs <code>nvidia-smi</code> every 30 seconds, displaying the output on your terminal.<br />
<br />
<!--T:132--><br />
$ srun --jobid 123456 --pty watch -n 30 nvidia-smi<br />
<br />
<!--T:133--><br />
It is possible to launch multiple monitoring commands using [https://en.wikipedia.org/wiki/Tmux <code>tmux</code>]. The following command launches <code>htop</code> and <code>nvidia-smi</code> in separate panes to monitor the activity on a node assigned to the given job.<br />
<br />
<!--T:134--><br />
$ srun --jobid 123456 --pty tmux new-session -d 'htop -u $USER' \; split-window -h 'watch nvidia-smi' \; attach<br />
<br />
<!--T:135--><br />
Processes launched with <code>srun</code> share the resources with the job specified. You should therefore be careful not to launch processes that would use a significant portion of the resources allocated for the job. Using too much memory, for example, might result in the job being killed; using too many CPU cycles will slow down the job.<br />
<br />
<!--T:136--><br />
<b>Note:</b> The <code>srun</code> commands shown above work only to monitor a job submitted with <code>sbatch</code>. To monitor an interactive job, create multiple panes with <code>tmux</code> and start each process in its own pane.<br />
<br />
==Cancelling jobs== <!--T:37--><br />
<br />
<!--T:38--><br />
Use [https://slurm.schedmd.com/scancel.html scancel] with the job ID to cancel a job:<br />
<br />
<!--T:39--><br />
$ scancel <jobid><br />
<br />
<!--T:40--><br />
You can also use it to cancel all your jobs, or all your pending jobs:<br />
<br />
<!--T:41--><br />
$ scancel -u $USER<br />
$ scancel -t PENDING -u $USER<br />
<br />
== Resubmitting jobs for long-running computations == <!--T:74--><br />
<br />
<!--T:75--><br />
When a computation is going to require a long time to complete, so long that it cannot be done within the time limits on the system, <br />
the application you are running must support [[Points de contrôle/en|checkpointing]]. The application should be able to save its state to a file, called a <i>checkpoint file</i>, and<br />
then it should be able to restart and continue the computation from that saved state. <br />
<br />
<!--T:76--><br />
For many users restarting a calculation will be rare and may be done manually, <br />
but some workflows require frequent restarts. <br />
In this case some kind of automation technique may be employed. <br />
<br />
<!--T:77--><br />
Here are two recommended methods of automatic restarting:<br />
* Using SLURM <b>job arrays</b>.<br />
* Resubmitting from the end of the job script.<br />
<br />
<!--T:172--><br />
Our [[Tutoriel Apprentissage machine/en|Machine Learning tutorial]] covers [[Tutoriel_Apprentissage_machine/en#Checkpointing_a_long-running_job|resubmitting for long machine learning jobs]].<br />
<br />
=== Restarting using job arrays === <!--T:90--><br />
<br />
<!--T:91--><br />
Using the <code>--array=1-100%10</code> syntax one can submit a collection of identical jobs with the condition that only one of them will run at any given time.<br />
The script should be written to ensure that the last checkpoint is always used for the next job. The number of restarts is fixed by the <code>--array</code> argument.<br />
<br />
<!--T:78--><br />
Consider, for example, a molecular dynamics simulation that has to be run for 1 000 000 steps, and such a simulation does not fit into the time limit on the cluster. <br />
We can split the simulation into 10 smaller jobs of 100 000 steps, one after another. <br />
<br />
<!--T:79--><br />
An example of using a job array to restart a simulation:<br />
{{File<br />
|name=job_array_restart.sh<br />
|lang="sh"<br />
|contents=<br />
#!/bin/bash<br />
# ---------------------------------------------------------------------<br />
# SLURM script for a multi-step job on our clusters. <br />
# ---------------------------------------------------------------------<br />
#SBATCH --account=def-someuser<br />
#SBATCH --cpus-per-task=1<br />
#SBATCH --time=0-10:00<br />
#SBATCH --mem=100M<br />
#SBATCH --array=1-10%1 # Run a 10-job array, one job at a time.<br />
# ---------------------------------------------------------------------<br />
echo "Current working directory: `pwd`"<br />
echo "Starting run at: `date`"<br />
# ---------------------------------------------------------------------<br />
echo ""<br />
echo "Job Array ID / Job ID: $SLURM_ARRAY_JOB_ID / $SLURM_JOB_ID"<br />
echo "This is job $SLURM_ARRAY_TASK_ID out of $SLURM_ARRAY_TASK_COUNT jobs."<br />
echo ""<br />
# ---------------------------------------------------------------------<br />
# Run your simulation step here...<br />
<br />
<!--T:92--><br />
if test -e state.cpt; then <br />
# There is a checkpoint file, restart;<br />
mdrun --restart state.cpt<br />
else<br />
# There is no checkpoint file, start a new simulation.<br />
mdrun<br />
fi<br />
<br />
<!--T:93--><br />
# ---------------------------------------------------------------------<br />
echo "Job finished with exit code $? at: `date`"<br />
# ---------------------------------------------------------------------<br />
}}<br />
<br />
=== Resubmission from the job script === <!--T:94--><br />
<br />
<!--T:95--><br />
In this case one submits a job that runs the first chunk of the calculation and saves a checkpoint. <br />
Once the chunk is done but before the allocated run-time of the job has elapsed,<br />
the script checks if the end of the calculation has been reached.<br />
If the calculation is not yet finished, the script submits a copy of itself to continue working.<br />
<br />
<!--T:96--><br />
An example of a job script with resubmission:<br />
{{File<br />
|name=job_resubmission.sh<br />
|lang="sh"<br />
|contents=<br />
#!/bin/bash<br />
# ---------------------------------------------------------------------<br />
# SLURM script for job resubmission on our clusters. <br />
# ---------------------------------------------------------------------<br />
#SBATCH --job-name=job_chain<br />
#SBATCH --account=def-someuser<br />
#SBATCH --cpus-per-task=1<br />
#SBATCH --time=0-10:00<br />
#SBATCH --mem=100M<br />
# ---------------------------------------------------------------------<br />
echo "Current working directory: `pwd`"<br />
echo "Starting run at: `date`"<br />
# ---------------------------------------------------------------------<br />
# Run your simulation step here...<br />
<br />
<!--T:100--><br />
if test -e state.cpt; then <br />
# There is a checkpoint file, restart;<br />
mdrun --restart state.cpt<br />
else<br />
# There is no checkpoint file, start a new simulation.<br />
mdrun<br />
fi<br />
<br />
<!--T:101--><br />
# Resubmit if not all work has been done yet.<br />
# You must define the function work_should_continue().<br />
if work_should_continue; then<br />
sbatch ${BASH_SOURCE[0]}<br />
fi<br />
<br />
<!--T:102--><br />
# ---------------------------------------------------------------------<br />
echo "Job finished with exit code $? at: `date`"<br />
# ---------------------------------------------------------------------<br />
}}<br />
<br />
<!--T:143--><br />
<b>Please note:</b> The test to determine whether to submit a follow-up job, abbreviated as <code>work_should_continue</code> in the above example, should be a <i>positive test</i>. There may be a temptation to test for a stopping condition (e.g. is some convergence criterion met?) and submit a new job if the condition is <i>not</i> detected. But if some error arises that you didn't foresee, the stopping condition might never be met and your chain of jobs may continue indefinitely, doing nothing useful.<br />
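The positive-test advice can be made concrete. The following added example (not from the Alliance documentation, and not the checkpoint format of mdrun or any other application) implements <code>work_should_continue</code> for a constructed checkpoint file holding one line <code>step=&lt;n&gt;</code>, returning success only when the file exists, parses, and records a step below the target. It adds a second, independent guard: a resubmission counter carried to the next job through <code>sbatch --export</code>, so that even a passing test cannot chain forever. <code>CHAIN_DEPTH</code>, <code>chain_can_continue</code> and <code>resubmit_decision</code> are names chosen for this example.<br />

```shell
#!/bin/sh
# Added example (not from the Alliance docs): a positive test for the
# resubmission decision in the script above, plus a chain-length guard.
# The checkpoint format is constructed for this example: a file holding
# one line "step=<n>". The real mdrun checkpoint is not a text file.

# Return 0 (resubmit) only when all of the following hold:
#   - the checkpoint file $1 exists,
#   - it parses as "step=<n>",
#   - n is below the target step count $2.
# Anything else, including a missing or unreadable checkpoint, returns 1
# so that a broken run does not spawn an endless chain of jobs.
work_should_continue() {
    [ -f "$1" ] || return 1
    step=$(sed -n 's/^step=\([0-9][0-9]*\)$/\1/p' "$1")
    [ -n "$step" ] || return 1
    [ "$step" -lt "$2" ]
}

# Second, independent guard: the number of resubmissions so far ($1) must be
# below the cap ($2). An empty or non-numeric counter also stops the chain.
chain_can_continue() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -lt "$2" ]
}

# Combined decision for checkpoint $1, target $2, depth $3 and cap $4:
# prints "resubmit" and returns 0, or prints "stop" and returns 1.
resubmit_decision() {
    if work_should_continue "$1" "$2" && chain_can_continue "$3" "$4"; then
        echo resubmit
    else
        echo stop
        return 1
    fi
}

# What the tail of job_resubmission.sh would look like with these guards;
# CHAIN_DEPTH is 0 (unset) in the first job and grows by one per hop:
#
#   if resubmit_decision state.cpt 1000000 "${CHAIN_DEPTH:-0}" 10 >/dev/null; then
#       sbatch --export=ALL,CHAIN_DEPTH=$(( ${CHAIN_DEPTH:-0} + 1 )) "${BASH_SOURCE[0]}"
#   fi
```

The cap is a backstop, not the primary test: with a target of 1 000 000 steps and 100 000 steps per job, ten hops are expected and an eleventh means something is wrong with the checkpoint or the counter, so the chain should stop and be looked at rather than run on.<br />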
<br />
== Automating job submission == <!--T:174--><br />
As described earlier, [[#Array job|array jobs]] can be used to automate job submission. We provide a few other (more advanced) tools designed to facilitate running a large number of related serial, parallel, or GPU calculations. This practice is sometimes called <i>farming</i>, <i>serial farming</i>, or <i>task farming</i>. In addition to automating the workflow, these tools can also improve computational efficiency by bundling up many short computations into fewer tasks of longer duration.<br />
<br />
<!--T:175--><br />
The following tools are available on our clusters:<br />
* [[META-Farm]]<br />
* [[GNU Parallel]]<br />
* [[GLOST]]<br />
<br />
=== Do not specify a partition === <!--T:177--><br />
<br />
<!--T:178--><br />
Certain software packages such as [https://github.com/alekseyzimin/masurca Masurca] operate by submitting jobs to Slurm automatically, and expect a partition to be specified for each job. This is in conflict with what we recommend, which is that you should allow the scheduler to assign a partition to your job based on the resources it requests. If you are using such a piece of software, you may configure the software to use <code>--partition=default</code>, which the script treats the same as not specifying a partition.<br />
<br />
== Cluster particularities == <!--T:154--><br />
<br />
<!--T:155--><br />
There are certain differences in the job scheduling policies from one of our clusters to another and these are summarized by tab in the following section:<br />
<br />
<!--T:156--><br />
<tabs><br />
<tab name="Beluga"><br />
On Beluga, no jobs are permitted longer than 168 hours (7 days) and there is a limit of 1000 jobs, queued and running, per user. Production jobs should have a duration of at least an hour. <br />
</tab><br />
<tab name="Cedar"><br />
On Cedar, the maximum duration for a job is 28 days. Jobs may not be submitted from directories on the /home filesystem; this is to reduce the load on that filesystem and improve the responsiveness for interactive work. If the command <code>readlink -f $(pwd) | cut -d/ -f2</code> returns <code>home</code>, you are not permitted to submit jobs from that directory. Transfer the files from that directory to a /project or /scratch directory and submit the job from there.<br />
</tab><br />
<br />
<!--T:179--><br />
<tab name="Graham"><br />
On Graham, no jobs are permitted longer than 168 hours (7 days) and there is a limit of 1000 jobs, queued and running, per user. Production jobs should have a duration of at least an hour. <br />
</tab><br />
<br />
<!--T:180--><br />
<tab name="Narval"><br />
On Narval, no jobs are permitted longer than 168 hours (7 days) and there is a limit of 1000 jobs, queued and running, per user. Production jobs should have a duration of at least an hour. <br />
</tab><br />
<br />
<!--T:181--><br />
<tab name="Niagara"><br />
<ul><br />
<li><p>Scheduling is by node, so in multiples of 40 cores.</p></li><br />
<li><p>Your job's maximum walltime is 24 hours.</p></li><br />
<li><p>Jobs must write to your scratch or project directory (home is read-only on compute nodes).</p></li><br />
<li><p>Compute nodes have no internet access.</p><br />
<p>[[Data_Management_at_Niagara#Moving_data | Move your data]] to Niagara before you submit your job.</p></li></ul><br />
</tab><br />
</tabs><br />
<br />
== Troubleshooting == <!--T:42--><br />
<br />
==== Avoid hidden characters in job scripts ==== <!--T:43--><br />
Preparing a job script with a word processor instead of a text editor is a common cause of trouble. Best practice is to prepare your job script on the cluster using an editor such as nano, vim, or emacs. If you prefer to prepare or alter the script off-line, then:<br />
* '''Windows users:''' <br />
** Use a text editor such as Notepad or [https://notepad-plus-plus.org/ Notepad++].<br />
** After uploading the script, use <code>dos2unix</code> to change Windows end-of-line characters to Linux end-of-line characters. <br />
* '''Mac users:'''<br />
** Open a terminal window and use an editor such as nano, vim, or emacs.<br />
<br />
==== Cancellation of jobs with dependency conditions which cannot be met ==== <!--T:109--><br />
A job submitted with <code>--dependency=afterok:<jobid></code> is a <i>dependent job</i>. A dependent job will wait for the parent job to be completed. If the parent job fails (that is, ends with a non-zero exit code) the dependent job can never be scheduled and so will be automatically cancelled. See [https://slurm.schedmd.com/sbatch.html#OPT_dependency sbatch] for more on dependency.<br />
<br />
==== Job cannot load a module ==== <!--T:116--><br />
It is possible to see an error such as:<br />
<br />
<!--T:117--><br />
Lmod has detected the following error: These module(s) exist but cannot be<br />
loaded as requested: "<module-name>/<version>"<br />
Try: "module spider <module-name>/<version>" to see how to load the module(s).<br />
<br />
<!--T:118--><br />
This can occur if the particular module has an unsatisfied prerequisite. For example<br />
<br />
<!--T:119--><br />
<source lang="console"><br />
$ module load gcc<br />
$ module load quantumespresso/6.1<br />
Lmod has detected the following error: These module(s) exist but cannot be loaded as requested: "quantumespresso/6.1"<br />
Try: "module spider quantumespresso/6.1" to see how to load the module(s).<br />
$ module spider quantumespresso/6.1<br />
<br />
<!--T:120--><br />
-----------------------------------------<br />
quantumespresso: quantumespresso/6.1<br />
------------------------------------------<br />
Description:<br />
Quantum ESPRESSO is an integrated suite of computer codes for electronic-structure calculations and materials modeling at the nanoscale. It is based on density-functional theory, plane waves, and pseudopotentials (both<br />
norm-conserving and ultrasoft).<br />
<br />
<!--T:121--><br />
Properties:<br />
Chemistry libraries/apps / Logiciels de chimie<br />
<br />
<!--T:122--><br />
You will need to load all module(s) on any one of the lines below before the "quantumespresso/6.1" module is available to load.<br />
<br />
<!--T:123--><br />
nixpkgs/16.09 intel/2016.4 openmpi/2.1.1<br />
<br />
<!--T:124--><br />
Help:<br />
<br />
<!--T:125--><br />
Description<br />
===========<br />
Quantum ESPRESSO is an integrated suite of computer codes<br />
for electronic-structure calculations and materials modeling at the nanoscale.<br />
It is based on density-functional theory, plane waves, and pseudopotentials<br />
(both norm-conserving and ultrasoft).<br />
<br />
<br />
<!--T:126--><br />
More information<br />
================<br />
- Homepage: http://www.pwscf.org/<br />
</source><br />
<br />
<!--T:127--><br />
In this case adding the line <code>module load nixpkgs/16.09 intel/2016.4 openmpi/2.1.1</code> to your job script before loading quantumespresso/6.1 will solve the problem.<br />
<br />
==== Jobs inherit environment variables ==== <!--T:128--><br />
By default a job will inherit the environment variables of the shell where the job was submitted. The [[Using modules|module]] command, which is used to make various software packages available, changes and sets environment variables. Changes will propagate to any job submitted from the shell and thus could affect the job's ability to load modules if there are missing prerequisites. It is best to include the line <code>module purge</code> in your job script before loading all the required modules to ensure a consistent state for each job submission and avoid changes made in your shell affecting your jobs.<br />
<br />
<!--T:152--><br />
Inheriting environment settings from the submitting shell can sometimes lead to hard-to-diagnose problems. If you wish to suppress this inheritance, use the <code>--export=none</code> directive when submitting jobs.<br />
<br />
==== Job hangs / no output / incomplete output ==== <!--T:165--><br />
<br />
<!--T:166--><br />
Sometimes a submitted job writes no output to the log file for an extended period of time, looking like it is hanging. A common reason for this is the aggressive [[#Output_buffering|buffering]] performed by the Slurm scheduler, which will aggregate many output lines before flushing them to the log file. Often the output file will only be written after the job completes; and if the job is cancelled (or runs out of time), part of the output may be lost. If you wish to monitor the progress of your submitted job as it runs, consider running an [[#Interactive_jobs|interactive job]]. This is also a good way to find how much time your job needs.<br />
<br />
== Job status and priority == <!--T:103--><br />
* For a discussion of how job priority is determined and how things like time limits may affect the scheduling of your jobs at Cedar and Graham, see [[Job scheduling policies]].<br />
* If jobs ''within your research group'' are competing with one another, please see [[Managing_Slurm_accounts|Managing Slurm accounts]].<br />
<br />
== Further reading == <!--T:44--><br />
* Comprehensive [https://slurm.schedmd.com/documentation.html documentation] is maintained by SchedMD, as well as some [https://slurm.schedmd.com/tutorials.html tutorials].<br />
** [https://slurm.schedmd.com/sbatch.html sbatch] command options<br />
* There is also a [https://slurm.schedmd.com/rosetta.pdf "Rosetta stone"] mapping commands and directives from PBS/Torque, SGE, LSF, and LoadLeveler, to SLURM.<br />
* Here is a text tutorial from [http://www.ceci-hpc.be/slurm_tutorial.html CÉCI], Belgium<br />
* Here is a rather minimal text tutorial from [http://www.brightcomputing.com/blog/bid/174099/slurm-101-basic-slurm-usage-for-linux-clusters Bright Computing]<br />
<br />
<!--T:48--><br />
[[Category:SLURM]]<br />
<br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Automation_in_the_context_of_multifactor_authentication&diff=149188Automation in the context of multifactor authentication2024-01-22T21:51:30Z<p>Mboisson: </p>
<hr />
<div>Automated workflows which connect to the clusters without a human being present cannot make use of a second factor. We are therefore deploying dedicated login nodes for that purpose. These nodes will not require a second factor, but will otherwise be much more limited than regular login nodes in the type of authentication they accept and the type of actions they can be used to perform. <br />
<br />
= Increased security restrictions =<br />
== Available only by request ==<br />
Users who need to make use of automated workflows for their research must first contact our [[Technical support]] to be allowed to use these nodes. When contacting us, please explain in detail the type of automation you intend to use as part of your workflow. Tell us what commands will be executed and what tools or libraries you will be using to manage the automation.<br />
<br />
== Available only through restricted SSH keys ==<br />
The only accepted means of authentication for the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <tt>.ssh/authorized_keys</tt> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints. <br />
<br />
=== <tt>restrict</tt> constraint ===<br />
This constraint disables port forwarding, agent forwarding, and X11 forwarding. It also disables the pseudo teletype (PTY), blocking most interactive workloads. This constraint is required because the automation nodes are not intended to be used to start long-running or interactive processes; regular login nodes must be used for this. <br />
<br />
=== <tt>from="pattern-list"</tt> constraint ===<br />
The <tt>from="pattern-list"</tt> constraint specifies that this key can only be used from IP addresses that match the patterns. This is to ensure that this key is not used from computers other than the ones intended. The pattern list must include only IP addresses that fully specify at least the network class, the network, and the subnet, which are the first 3 sections of an IP address. For example, <tt>192.168.*.*</tt> would not be accepted, but <tt>192.168.1.*</tt> would be accepted. <br />
<br />
=== <tt>command="COMMAND"</tt> constraint ===<br />
The <tt>command="COMMAND"</tt> constraint forces the command <tt>COMMAND</tt> to be executed when the connection is established. This is so that you may restrict which commands can be used with this key. <br />
<br />
== Convenience wrapper scripts to use for <tt>command=</tt> ==<br />
<tt>command</tt> constraints can specify any command, but they are most useful with a wrapper script that accepts or rejects commands based on which command is being called. You can write your own script, but for convenience, we provide a number of such scripts which allow common actions. These scripts are defined in [https://github.com/ComputeCanada/software-stack-custom/tree/main/bin/computecanada/allowed_commands this git repository].<br />
<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh</tt> will allow only file transfers, such as <tt>scp</tt>, <tt>sftp</tt> or <tt>rsync</tt>.<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/archiving_commands.sh</tt> will allow commands to archive files, such as <tt>gzip</tt>, <tt>tar</tt> or <tt>dar</tt>.<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/file_commands.sh</tt> will allow commands to manipulate files, such as <tt>mv</tt>, <tt>cp</tt> or <tt>rm</tt>.<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/git_commands.sh</tt> will allow the <tt>git</tt> command.<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh</tt> will allow some Slurm commands, such as <tt>squeue</tt>, <tt>sbatch</tt>.<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/allowed_commands.sh</tt> will allow all of the above.<br />
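A forced-command wrapper of the kind described above, as an added example that is not one of the scripts in the repository: sshd runs the wrapper instead of whatever the client asked for and exposes the original request in <tt>SSH_ORIGINAL_COMMAND</tt>, and the wrapper only runs it when the program is on an allow-list and the request carries no shell metacharacters. The allow-list contents, the function names (<tt>check_request</tt>, <tt>command_allowed</tt>, <tt>command_is_plain</tt>, <tt>log_event</tt>) and the logging are assumptions.<br />

```shell
#!/bin/sh
# Added example of a forced-command wrapper for a key carrying command="...";
# not one of the Alliance's allowed_commands scripts. sshd ignores the command
# the client asked for, runs this script instead, and places the original
# request in SSH_ORIGINAL_COMMAND. The request is executed only when its
# program is on the allow-list and the line contains no shell metacharacters.

# Constructed allow-list: file transfer programs plus read-only Slurm queries.
# Adjust it to the workflow that was approved; never list a program that can
# spawn a shell or run arbitrary code (bash, python, ssh, ...).
ALLOWED="scp sftp-server internal-sftp rsync squeue sacct"

nl='
'

# Return 0 when the request contains none of the characters that would let
# the shell chain a permitted program to an arbitrary one ("rsync ... ; bash").
command_is_plain() {
    case $1 in
        *';'*|*'&'*|*'|'*|*'`'*|*'$('*|*'${'*|*'>'*|*'<'*|*"$nl"*) return 1 ;;
    esac
    return 0
}

# Return 0 when the first word of the request, stripped of any directory
# prefix, is on the allow-list. Arguments are passed through unchanged.
command_allowed() {
    first=${1%% *}
    first=${first##*/}
    for ok in $ALLOWED; do
        [ "$first" = "$ok" ] && return 0
    done
    return 1
}

# Combined policy decision: 0 = run it, 1 = refuse.
check_request() {
    [ -n "$1" ] || return 1
    command_is_plain "$1" || return 1
    command_allowed "$1"
}

# Record every decision so that rejected requests are visible to operators.
log_event() {
    if command -v logger >/dev/null 2>&1; then
        logger -t allowed_commands -- "$1"
    else
        echo "allowed_commands: $1" >&2
    fi
}

# Entry point: dispatch only when sshd actually supplied a request, so the
# functions above can also be sourced and exercised on their own.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_request "$SSH_ORIGINAL_COMMAND"; then
        log_event "accepted from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
        exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    log_event "rejected from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    echo "This key does not permit that command." >&2
    exit 1
fi
```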
<br />
== Examples of accepted SSH keys ==<br />
SSH keys must include all 3 of the above constraints to be accepted. Here are examples of keys that would be accepted. <br />
The following key would be accepted, and could only be used for transferring files (through <tt>scp</tt>, <tt>sftp</tt> or <tt>rsync</tt> for example): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
while this one would only allow Slurm commands (squeue, scancel, sbatch, scontrol, sq): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
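A check for the three constraints above, as an added example rather than the CCDB's own validation: it accepts an <tt>authorized_keys</tt> line only when it carries <tt>restrict</tt>, a <tt>command=</tt>, and a <tt>from=</tt> whose patterns all give at least the first three sections of the address, as this page requires. The function name <tt>key_options_ok</tt> is an assumption.<br />

```shell
#!/bin/sh
# Added example, not the CCDB's validation code: verify that an authorized_keys
# line carries the three constraints required on the automation nodes.
# Returns 0 when the line is acceptable, 1 otherwise (reason on stderr).
key_options_ok() {
    line=$1
    # A line that starts with the key type has no options field at all.
    case $line in
        ssh-*|ecdsa-*|sk-*) echo "no options on key" >&2; return 1 ;;
    esac
    # The options field is everything before the key type.
    opts=$(printf '%s\n' "$line" | sed -E 's/ (ssh|ecdsa|sk)-.*$//')

    # 1. "restrict" must appear as a whole option, not inside another word.
    case ",$opts," in
        *,restrict,*) ;;
        *) echo "missing restrict" >&2; return 1 ;;
    esac

    # 2. A forced command must be present.
    case $opts in
        *command=\"?*\"*) ;;
        *) echo "missing command=" >&2; return 1 ;;
    esac

    # 3. from= must be present and every pattern must pin the first three
    #    sections of the address: 192.168.1.* passes, 192.168.*.* fails.
    patterns=$(printf '%s\n' "$opts" | sed -nE 's/.*from="([^"]*)".*/\1/p')
    [ -n "$patterns" ] || { echo "missing from=" >&2; return 1; }
    old_ifs=$IFS
    IFS=','
    set -f      # patterns contain "*"; do not let the shell glob them
    for p in $patterns; do
        if ! printf '%s\n' "$p" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){2}\.([0-9]{1,3}|\*)$'; then
            set +f
            IFS=$old_ifs
            echo "from= pattern too broad: $p" >&2
            return 1
        fi
    done
    set +f
    IFS=$old_ifs
    return 0
}
```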
<br />
= Using the right key =<br />
If you have multiple keys on your computer, you need to be careful to use the correct key. This is typically done by passing parameters to the command that you are using. Below are a few examples. <br />
<br />
With <tt>ssh</tt> or <tt>scp</tt>:<br />
{{Command|ssh -i .ssh/private_key_to_use ...}}<br />
{{Command|scp -i .ssh/private_key_to_use ...}}<br />
<br />
With <tt>rsync</tt>: <br />
{{Command|rsync -e "ssh -i .ssh/private_key_to_use" ...}}</div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Cedar/fr&diff=149117Cedar/fr2024-01-16T20:48:13Z<p>Mboisson: </p>
<hr />
<div><noinclude><languages /><br />
<br />
{| class="wikitable"<br />
|-<br />
| Availability: since June 30, 2017, as part of the 2017 resource allocation competition<br />
|-<br />
| Login node: <b>cedar.alliancecan.ca</b><br />
|-<br />
| Globus endpoint: <b>computecanada#cedar-globus</b><br />
|-<br />
| Cluster status: <b>https://status.alliancecan.ca/</b><br />
|}<br />
<br />
Cedar is a heterogeneous cluster suited to several types of jobs; it is located at Simon Fraser University. Its name recalls the [https://fr.wikipedia.org/wiki/Thuja_plicata Western Red Cedar], the official tree of British Columbia, whose spiritual significance is important to the region's First Nations.<br />
<br/><br />
The vendor is Scalar Decisions Inc.; the nodes are Dell products; the high-performance /scratch storage filesystem is from DDN; the networking is from Intel. A liquid cooling system uses heat exchangers built into the rear doors.<br />
<br/><br />
IMPORTANT: Globus version 4 endpoints are no longer supported and <b>computecanada#cedar-dtn</b> is no longer available. Please use the version 5 endpoint, <b>computecanada#cedar-globus</b>.<br />
<br />
[[Getting started/fr| Getting started with Cedar]]<br><br />
[[Running_jobs/fr|Running jobs]]<br><br />
[[Transferring_data|Transferring data]]<br><br />
<br />
=Storage=<br />
<br />
{| class="wikitable sortable"<br />
|-<br />
| <b>/home space</b><br />total volume 526TB||<br />
* location of the /home directories<br /><br />
* each /home directory has a small fixed [[Storage and file management/fr#Quotas_et_politiques|quota]]<br />
* not allocated through the [https://alliancecan.ca/fr/services/calcul-informatique-de-pointe/acces-aux-ressources/service-dacces-rapide rapid access service] or the [https://alliancecan.ca/fr/services/calcul-informatique-de-pointe/acces-aux-ressources/concours-pour-lallocation-de-ressources resource allocation competition]; large-scale storage goes on /project<br />
* backed up daily<br />
|-<br />
| <b>/scratch space</b>, <br />total volume 5.4PB<br />high-performance parallel filesystem ||<br />
* active or temporary storage <br /><br />
* not allocated<br />
* large fixed [[Storage and file management/fr#Quotas_et_politiques|quota]], per user<br />
* inactive data are [[Scratch purging policy/fr|purged]]<br />
|-<br />
|<b>/project space</b><br />total volume 23PB<br />external persistent storage<br />
||<br />
* not suited to parallel read and write workloads; use the /scratch space instead<br />
* large adjustable [[Storage and file management/fr#Quotas_et_politiques|quota]], per project<br />
* backed up daily<br />
|}<br />
<br />
The temporary storage (/scratch) is a Lustre filesystem based on DDN technology, model ES14K. It consists of 640 NL-SAS disks of 8TB each, with dual metadata controllers whose disks are SSDs.<br />
<br />
=High-performance interconnect=<br />
<br />
<i>Intel OmniPath interconnect (version 1, 100Gbit/s bandwidth).</i><br />
<br />
A low-latency, high-performance interconnect for all compute nodes and the temporary storage.<br />
<br />
The architecture was planned to support multiple parallel jobs using up to 1024 Broadwell cores (32 nodes) or 1536 Skylake cores (32 nodes) or 1536 Cascade Lake cores (32 nodes) thanks to a non-blocking interconnect. For larger jobs, the network has a 2:1 blocking factor. Even for jobs of several thousand cores, Cedar is a good option.<br />
<br />
=Node characteristics=<br />
<br />
Cedar offers 100,400 CPU cores for computation and 1352 GPUs. TurboBoost is disabled on all nodes.<br />
<br />
{| class="wikitable sortable"<br />
! nodes !! cores !! available memory !! CPU !! storage !! GPU <br />
|-<br />
| 576 || 32 || 125G or 128000M || 2 x Intel E5-2683 v4 Broadwell @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 96 || 32 || 250G or 257000M || 2 x Intel E5-2683 v4 Broadwell @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 24 || 32 || 502G or 515000M || 2 x Intel E5-2683 v4 Broadwell @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 24 || 32 || 1510G or 1547000M || 2 x Intel E5-2683 v4 Broadwell @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 4 || 32 || 3022G or 3095000M || 4 x Intel E7-4809 v4 Broadwell @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 114 || 24 || 125G or 128000M || 2 x Intel E5-2650 v4 Broadwell @ 2.2GHz || 1 x 800G SSD || 4 x NVIDIA P100 Pascal (12G HBM2 memory)<br />
|-<br />
| 32 || 24 || 250G or 257000M || 2 x Intel E5-2650 v4 Broadwell @ 2.2GHz || 1 x 800G SSD || 4 x NVIDIA P100 Pascal (16G HBM2 memory)<br />
|-<br />
| 192 || 32 || 187G or 192000M || 2 x Intel Silver 4216 Cascade Lake @ 2.1GHz || 1 x 480G SSD || 4 x NVIDIA V100 Volta (32G HBM2 memory)<br />
|-<br />
| 640 || 48 || 187G or 192000M || 2 x Intel Platinum 8160F Skylake @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 768 || 48 || 187G or 192000M || 2 x Intel Platinum 8260 Cascade Lake @ 2.4GHz || 2 x 480G SSD || -<br />
|}<br />
<br />
Note that the amount of available memory is less than the rounded value suggested by the hardware configuration. For example, <i>base 128G</i> nodes do have 128GiB of RAM, but a certain amount is permanently used by the kernel and the operating system. To avoid the time lost to <i>swapping</i> or <i>paging</i>, the scheduler will never allocate a job whose requirements exceed the amount of available memory shown in the table above.<br />
<br />
All nodes have local temporary storage. Compute nodes (except GPU nodes) have two 480GB SSDs, for a total capacity of 960GB. GPU nodes have one 800GB or 480GB SSD. Use the node-local storage through the directory the scheduler creates for the job. See [[Using node-local storage/fr|Node-local storage on compute nodes]].<br />
<br />
==Choosing a node type==<br />
A number of 48-core nodes are reserved for jobs that require whole nodes. No 32-core nodes are reserved for whole-node computations. <b>Jobs that require fewer than 48 cores per node may therefore have to share nodes with other jobs</b>.<br />
<br><br />
Most applications can run on Broadwell, Skylake or Cascade Lake nodes, and the performance difference should not be significant compared to wait times. We recommend that you do not specify the node type for your jobs. However, if it is necessary to request a particular type, use <code>--constraint=cascade</code>, <code>--constraint=skylake</code> or <code>--constraint=broadwell</code>. If you need an AVX512 node, use <code>--constraint=[skylake|cascade]</code>.<br />
<br />
= Change to the job submission and execution policy =<br />
<br />
Since <b>April 17, 2019</b>, jobs can no longer be run in the <code>/home</code> filesystem. This change is intended to reduce the load and improve interactive response time in <code>/home</code>. If the message <code>Submitting jobs from directories residing in /home is not permitted</code> appears, transfer the files to your <code>/project</code> or <code>/scratch</code> directory and submit the job from the new location.<br />
<br />
==Performance==<br />
The theoretical peak double-precision performance is 6547 teraflops for the CPUs plus 7434 teraflops for the GPUs, for a total of nearly 14 petaflops.<br />
<br />
The network topology is a composition of islands with a 2:1 blocking factor between them. Most islands have 32 nodes fully connected by a non-blocking interconnect (<i>Omni-Path fabric</i>).<br />
<br><br />
Most islands have 32 nodes:<br />
* 18 islands of 32 Broadwell nodes, each with 32 cores, i.e., 1024 cores per island;<br />
* 44 islands of 32 Skylake or Cascade Lake nodes, each with 48 cores, i.e., 1536 cores per island;<br />
* 4 islands with 32 P100 GPU nodes;<br />
* 6 islands with 32 V100 GPU nodes;<br />
* 2 islands each with 24 <i>large memory</i> Broadwell nodes.<br />
<br />
<noinclude><br />
</noinclude></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Translations:Cedar/23/fr&diff=149116Translations:Cedar/23/fr2024-01-16T20:48:09Z<p>Mboisson: </p>
<hr />
<div>{| class="wikitable"<br />
|-<br />
| Availability: since June 30, 2017, as part of the 2017 resource allocation competition<br />
|-<br />
| Login node: <b>cedar.alliancecan.ca</b><br />
|-<br />
| Globus endpoint: <b>computecanada#cedar-globus</b><br />
|-<br />
| Cluster status: <b>https://status.alliancecan.ca/</b><br />
|}</div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Cedar&diff=149110Cedar2024-01-16T20:46:59Z<p>Mboisson: </p>
<hr />
<div><noinclude><languages /><br />
<br />
<translate><br />
<!--T:23--><br />
</noinclude><br />
{| class="wikitable"<br />
|-<br />
| Availability: Compute RAC2017 allocations started June 30, 2017<br />
|-<br />
| Login node: <b>cedar.alliancecan.ca</b><br />
|-<br />
| Globus endpoint: <b>computecanada#cedar-globus</b><br />
|-<br />
| System Status Page: <b>https://status.alliancecan.ca/</b><br />
|}<br />
<br />
<!--T:2--><br />
Cedar is a heterogeneous cluster suitable for a variety of workloads; it is located at Simon Fraser University. It is named for the [https://en.wikipedia.org/wiki/Thuja_plicata Western Red Cedar], B.C.’s official tree, which is of great spiritual significance to the region's First Nations people. <br />
<br/><br />
Cedar is sold and supported by Scalar Decisions, Inc. The node manufacturer is Dell, the high performance temporary storage /scratch filesystem is from DDN, and the interconnect is from Intel. It is entirely liquid-cooled, using rear-door heat exchangers. <br />
<br/><br />
NOTE: Globus version 4 endpoints are no longer supported. The endpoint <b>computecanada#cedar-dtn</b> has been retired. Please use version 5 endpoint <b>computecanada#cedar-globus</b>.<br />
<br />
<!--T:25--><br />
[[Getting started|Getting started with Cedar]]<br><br />
[[Running_jobs|How to run jobs]]<br><br />
[[Transferring_data|Transferring data]]<br><br />
<br />
=Storage= <!--T:4--><br />
<br />
<!--T:5--><br />
{| class="wikitable sortable"<br />
|-<br />
| <b>Home space</b><br /> 526TB total volume||<br />
* Location of /home directories.<br />
* Each /home directory has a small fixed [[Storage and file management#Filesystem_quotas_and_policies|quota]].<br />
* Not allocated via [https://alliancecan.ca/en/services/advanced-research-computing/accessing-resources/rapid-access-service RAS] or [https://alliancecan.ca/en/services/advanced-research-computing/accessing-resources/resource-allocation-competition RAC]. Larger requests go to the /project space.<br />
* Has daily backup<br />
|-<br />
| <b>Scratch space</b><br /> 5.4PB total volume<br />Parallel high-performance filesystem ||<br />
* For active or temporary (scratch) storage.<br />
* Not allocated.<br />
* Large fixed [[Storage and file management#Filesystem_quotas_and_policies|quota]] per user.<br />
* Inactive data will be [[Scratch purging policy|purged]].<br />
|-<br />
|<b>Project space</b><br />23PB total volume<br />External persistent storage<br />
||<br />
* Not designed for parallel I/O workloads. Use /scratch space instead.<br />
* Large adjustable [[Storage and file management#Filesystem_quotas_and_policies|quota]] per project.<br />
* Has daily backup.<br />
|}<br />
<br />
<!--T:18--><br />
The /scratch storage space is a Lustre filesystem based on DDN model ES14K technology. It includes 640 8TB NL-SAS disk drives, and dual redundant metadata controllers with SSD-based storage.<br />
<br />
=High-performance interconnect= <!--T:19--><br />
<br />
<!--T:20--><br />
<i>Intel OmniPath (version 1) interconnect (100Gbit/s bandwidth).</i><br />
<br />
<!--T:21--><br />
A low-latency high-performance fabric connecting all nodes and temporary storage.<br />
<br />
<!--T:22--><br />
By design, Cedar supports multiple simultaneous parallel jobs of up to 1024 Broadwell cores (32 nodes) or 1536 Skylake cores (32 nodes) or 1536 Cascade Lake cores (32 nodes) in a fully non-blocking manner. For larger jobs the interconnect has a 2:1 blocking factor, so even for jobs running on several thousand cores, Cedar still provides a high-performance interconnect.<br />
<br />
=Node characteristics= <!--T:6--><br />
<br />
<!--T:28--><br />
Cedar has 100,400 CPU cores for computation, and 1352 GPU devices. Turbo Boost is deactivated for all Cedar nodes.<br />
<br />
<!--T:7--><br />
{| class="wikitable sortable"<br />
! nodes !! cores !! available memory !! CPU !! storage !! GPU <br />
|-<br />
| 576 || 32 || 125G or 128000M || 2 x Intel E5-2683 v4 Broadwell @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 96 || 32 || 250G or 257000M || 2 x Intel E5-2683 v4 Broadwell @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 24 || 32 || 502G or 515000M || 2 x Intel E5-2683 v4 Broadwell @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 24 || 32 || 1510G or 1547000M || 2 x Intel E5-2683 v4 Broadwell @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 4 || 32 || 3022G or 3095000M || 4 x Intel E7-4809 v4 Broadwell @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 114 || 24 || 125G or 128000M || 2 x Intel E5-2650 v4 Broadwell @ 2.2GHz || 1 x 800G SSD || 4 x NVIDIA P100 Pascal (12G HBM2 memory)<br />
|-<br />
| 32 || 24 || 250G or 257000M || 2 x Intel E5-2650 v4 Broadwell @ 2.2GHz || 1 x 800G SSD || 4 x NVIDIA P100 Pascal (16G HBM2 memory)<br />
|-<br />
| 192 || 32 || 187G or 192000M || 2 x Intel Silver 4216 Cascade Lake @ 2.1GHz || 1 x 480G SSD || 4 x NVIDIA V100 Volta (32G HBM2 memory)<br />
|-<br />
| 640 || 48 || 187G or 192000M || 2 x Intel Platinum 8160F Skylake @ 2.1GHz || 2 x 480G SSD || -<br />
|-<br />
| 768 || 48 || 187G or 192000M || 2 x Intel Platinum 8260 Cascade Lake @ 2.4GHz || 2 x 480G SSD || -<br />
|}<br />
<br />
<!--T:29--><br />
Note that the amount of available memory is less than the <i>round number</i> suggested by the hardware configuration. For instance, <i>base</i> nodes do have 128 GiB of RAM, but some of it is permanently occupied by the kernel and OS. To avoid wasting time by swapping/paging, the scheduler will never allocate jobs whose memory requirements exceed the amount of <i>available</i> memory shown above.<br />
<br />
<!--T:10--><br />
All nodes have local (on-node) temporary storage. Compute nodes (except GPU nodes) have two 480GB SSD drives, for a total raw capacity of 960GB. GPU nodes have either an 800GB or a 480GB SSD drive. Use node-local storage through the job-specific directory created by the scheduler, <code>$SLURM_TMPDIR</code>. See [[Using node-local storage]].<br />
<br />
== Choosing a node type == <!--T:27--><br />
A number of 48-core nodes are reserved for jobs that require whole nodes. There are no 32-core nodes set aside for whole node processing. <b>Jobs that request less than 48 cores per node can end up sharing nodes with other jobs.</b><br><br />
Most applications will run on either Broadwell or Skylake or Cascade Lake nodes, and performance differences are expected to be small compared to job waiting times. Therefore we recommend that you do not select a specific node type for your jobs. If it is necessary, use <code>--constraint=cascade</code>, <code>--constraint=skylake</code> or <code>--constraint=broadwell</code>. If the requirement is for any AVX512 node, use <code>--constraint=[skylake|cascade]</code>.<br />
<br />
= Submitting and running jobs policy = <!--T:30--><br />
<br />
<!--T:31--><br />
As of <b>April 17, 2019</b>, jobs can no longer run in the <code>/home</code> filesystem. The policy was put in place to reduce the load on this filesystem and improve the responsiveness for interactive work. If you get the message <code>Submitting jobs from directories residing in /home is not permitted</code>, transfer the files either to your <code>/project</code> or <code>/scratch</code> directory and submit the job from there.<br />
<br />
= Performance = <!--T:17--><br />
Theoretical peak double precision performance of Cedar is 6547 teraflops for CPUs, plus 7434 for GPUs, yielding almost 14 petaflops of theoretical peak double precision performance.<br />
<br />
<!--T:32--><br />
Cedar's network topology is made up of <i>islands</i> with a 2:1 blocking factor between islands. Within an island the interconnect (Omni-Path fabric) is fully non-blocking.<br />
<br><br />
Most islands contain 32 nodes:<br />
* 18 islands with 32 Broadwell nodes, each with 32 cores, i.e., 1024 cores per island;<br />
* 44 islands with 32 Skylake or Cascade Lake nodes, each with 48 cores, i.e., 1536 cores per island;<br />
* 4 islands with 32 P100 GPU nodes;<br />
* 6 islands with 32 V100 GPU nodes;<br />
* 2 islands each with 24 large memory Broadwell nodes.<br />
<br />
<!--T:16--><br />
<noinclude><br />
</translate><br />
</noinclude></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Automation_in_the_context_of_multifactor_authentication&diff=149048Automation in the context of multifactor authentication2024-01-15T14:29:17Z<p>Mboisson: </p>
<hr />
<div>{{Draft}}<br />
Automated workflows which connect to the clusters without a human being present can not make use of a second factor. We are therefore deploying dedicated login nodes to be used for that purpose. These nodes will not require the use of a second factor, but will be otherwise much more limited than regular login nodes in terms of the type of authentication they accept and the type of action that they can be used to perform. <br />
<br />
= Increased security restrictions =<br />
== Available only by request ==<br />
Users who need to make use of automated workflows for their research must first contact our [[Technical support]] to be allowed to use these nodes. When contacting us, please explain in detail the type of automation you intend to use as part of your workflow. Tell us what commands will be executed and what tools or libraries you will be using to manage the automation.<br />
<br />
== Available only through restricted SSH keys ==<br />
The only accepted means of authentication for the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <tt>.ssh/authorized_keys</tt> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints. <br />
<br />
=== <tt>restrict</tt> constraint ===<br />
This constraint disables port forwarding, agent forwarding, and X11 forwarding. It also disables the pseudo teletype (PTY), blocking most interactive work. This constraint is required because these automation nodes are not intended to be used to start long-running or interactive processes; regular login nodes must be used for those. <br />
<br />
=== <tt>from="pattern-list"</tt> constraint ===<br />
The <tt>from="pattern-list"</tt> constraint specifies that this key can only be used from IP addresses that match the patterns. This ensures that the key is not used from computers other than the ones intended. The pattern list must include only IP addresses that fully specify at least the network class, the network, and the subnet, i.e., the first three sections (octets) of an IP address. For example, <tt>192.168.*.*</tt> would not be accepted, but <tt>192.168.1.*</tt> would be accepted. <br />
<br />
=== <tt>command="COMMAND"</tt> constraint ===<br />
The <tt>command="COMMAND"</tt> constraint forces the command <tt>COMMAND</tt> to be executed when the connection is established. This is so that you may restrict which commands can be used with this key. <br />
<br />
== Convenience wrapper scripts to use for <tt>command=</tt> ==<br />
<tt>command</tt> constraints can specify any command, but they are most useful with a wrapper script which accepts or rejects commands based on what command is being called. You can write your own script, but for convenience, we provide a number of such scripts which allow common actions. These scripts are defined in [https://github.com/ComputeCanada/software-stack-custom/tree/main/bin/computecanada/allowed_commands this git repository].<br />
<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh</tt> will allow only file transfers, such as <tt>scp</tt>, <tt>sftp</tt> or <tt>rsync</tt>.<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/archiving_commands.sh</tt> will allow commands to archive files, such as <tt>gzip</tt>, <tt>tar</tt> or <tt>dar</tt>.<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/file_commands.sh</tt> will allow commands to manipulate files, such as <tt>mv</tt>, <tt>cp</tt> or <tt>rm</tt>.<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/git_commands.sh</tt> will allow the <tt>git</tt> command.<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh</tt> will allow some Slurm commands, such as <tt>squeue</tt>, <tt>sbatch</tt>.<br />
* <tt>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/allowed_commands.sh</tt> will allow all of the above.<br />
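The scripts listed above are the project's own. As an added illustration that is not taken from that repository, the following POSIX shell script shows the mechanism every such wrapper relies on: when a key carries <tt>command=</tt>, sshd runs the wrapper instead of whatever the client asked for and exposes the client's request in the <tt>SSH_ORIGINAL_COMMAND</tt> environment variable, so the wrapper can decide whether to run it. The allow-list of program names, the metacharacter filter and the file name <tt>transfer_wrapper.sh</tt> are choices made for this example.<br />

```shell
#!/bin/sh
# Added example of a command= wrapper (not the transfer_commands.sh from the
# repository linked above). With command="/path/to/transfer_wrapper.sh" on the
# key, sshd runs this script and puts the client's request in
# $SSH_ORIGINAL_COMMAND; nothing else the client asked for is executed.

# allow_transfer_command CMDLINE
# Returns 0 when CMDLINE is a plain invocation of an allowed transfer program
# and contains no shell metacharacters, 1 otherwise.
allow_transfer_command() {
    cmdline=$1
    [ -n "$cmdline" ] || return 1          # empty request = interactive shell
    # Reject anything that could chain or substitute commands once the line
    # is handed to a shell: ; | & $ ( ) < > and backticks.
    if printf '%s\n' "$cmdline" | grep -q '[;|&$()<>`]'; then
        return 1
    fi
    prog=${cmdline%% *}                    # first word only
    case "$prog" in
        # scp and rsync arrive by bare name; an sftp request arrives as the
        # server's configured Subsystem command (a path ending in sftp-server
        # or the literal internal-sftp).
        scp|rsync|internal-sftp|*/sftp-server) return 0 ;;
        *) return 1 ;;
    esac
}

# run_forced_command
# Entry point used when sshd invokes the script: run the client's request if
# it passes the check, otherwise log the refusal and exit non-zero.
run_forced_command() {
    if allow_transfer_command "$SSH_ORIGINAL_COMMAND"; then
        exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    logger -t automation-key "refused for ${USER:-?}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "This key only permits file transfers (scp, sftp, rsync)." >&2
    exit 1
}

# Act as the forced command only when executed under the wrapper's own name;
# when the file is sourced (for instance to test the check), just define the
# functions.
case "$0" in
    */transfer_wrapper.sh) run_forced_command ;;
esac
```

Because the wrapper refuses an empty request, a plain <tt>ssh automation-node</tt> with this key is rejected even before the <tt>restrict</tt> option's PTY denial matters; the refusal is logged so unexpected use of the key is visible to whoever reviews the node's logs.<br />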
<br />
== Examples of accepted SSH keys ==<br />
SSH keys must include all three of the above constraints to be accepted. For example, the following key would be accepted, and could only be used for transferring files (through <tt>scp</tt>, <tt>sftp</tt> or <tt>rsync</tt>, for example): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
while this one would only allow Slurm commands (squeue, scancel, sbatch, scontrol, sq): <br />
<pre><br />
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw<br />
</pre><br />
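As an added check that is not part of CCDB's own validation, the following POSIX shell functions test a public key line against the three constraints above before it is uploaded. They assume, as in the examples, that the <tt>command=</tt> value contains no spaces or commas, and they treat a <tt>from=</tt> pattern as specific enough when it begins with three numeric octets.<br />

```shell
#!/bin/sh
# Added pre-upload check for an automation key line (constructed example; CCDB
# applies its own rules). It reports every missing or too-broad constraint
# rather than stopping at the first one.

# key_options LINE -> prints the option field (everything before the key type)
key_options() {
    printf '%s\n' "$1" | sed -E 's/ (ssh|ecdsa|sk)-[^ ]+ .*$//'
}

# from_patterns LINE -> prints each pattern of from="a,b,c" on its own line
from_patterns() {
    printf '%s\n' "$1" | sed -nE 's/.*from="([^"]*)".*/\1/p' | tr ',' '\n'
}

# pattern_ok PATTERN -> 0 when the pattern fixes at least the first three
# octets (192.168.1.* and 10.0.0.0/24 pass, 192.168.*.* does not)
pattern_ok() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}'
}

# check_key_line LINE -> 0 when restrict, from= and command= are all present
# and every from= pattern is specific enough; otherwise prints the problems
# and returns 1
check_key_line() {
    line=$1
    status=0
    opts=$(key_options "$line")
    if ! printf '%s\n' "$opts" | grep -Eq '(^|,)restrict(,|$)'; then
        echo "missing: restrict"; status=1
    fi
    if ! printf '%s\n' "$opts" | grep -Eq '(^|,)command="[^"]+"'; then
        echo "missing: command=\"...\""; status=1
    fi
    patterns=$(from_patterns "$line")
    if [ -z "$patterns" ]; then
        echo "missing: from=\"...\""; status=1
    fi
    set -f                      # patterns contain '*'; do not glob them
    for p in $patterns; do
        if ! pattern_ok "$p"; then
            echo "too broad: $p (first three octets must be fixed)"; status=1
        fi
    done
    set +f
    return $status
}

# Usage: check_key_line "$(cat automation_key.pub)"
```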
<br />
= Using the right key =<br />
If you have multiple keys on your computer, you need to be careful to use the correct key. This is typically done by passing parameters to the command that you are using. Below are a few examples. <br />
<br />
With <tt>ssh</tt> or <tt>scp</tt>:<br />
{{Command|ssh -i .ssh/private_key_to_use ...}}<br />
{{Command|scp -i .ssh/private_key_to_use ...}}<br />
<br />
With <tt>rsync</tt>: <br />
{{Command|rsync -e "ssh -i .ssh/private_key_to_use" ...}}</div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=148025Multifactor authentication2023-12-04T14:19:17Z<p>Mboisson: Marked this version for translation</p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey 5 == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in a situation when using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are [https://help.duo.com/s/article/2166?language=en_US not compatible]. We recommend using the YubiKey 5 Series.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $50 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
Multiple protocols are supported by YubiKeys. Our clusters use the Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster which supports MFA, you will be prompted to use your second factor after you first use either your password or your [[SSH Keys|SSH key]]. This prompt will look like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey or a backup code, or if you prefer to enter the time-based one-time password shown by the Duo Mobile application, type it at the prompt instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
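The passcode typed in the example above is a Yubico OTP: 44 characters from the 16-letter modhex alphabet a YubiKey types, of which the first 12 are the key's Public ID (the value registered in CCDB, and the value given to the <code>-P</code> option in the <code>ykman</code> example further down this page), followed by the 32-character encrypted part that changes on every touch. As an added illustration, not part of this page or of Duo, the following POSIX shell functions check the shape of such a passcode and whether its Public ID belongs to a registered key; the cryptographic validation of the remaining 32 characters (AES decryption, counter checks) is done by the validation service, not by these functions, and the registered IDs in the test are constructed.<br />

```shell
#!/bin/sh
# Added illustration of the Yubico OTP format (constructed; not from the page
# or from Duo). A passcode is 44 modhex characters: 12 of Public ID followed
# by 32 of encrypted, per-touch data. Only the validation service can verify
# the latter; these checks cover the parts a relying party can see.

MODHEX='cbdefghijklnrtuv'   # the 16-letter alphabet a YubiKey types

# yubiotp_is_wellformed OTP -> 0 when OTP is exactly 44 modhex characters
yubiotp_is_wellformed() {
    printf '%s\n' "$1" | grep -Eq "^[$MODHEX]{44}$"
}

# yubiotp_public_id OTP -> prints the 12-character Public ID prefix
yubiotp_public_id() {
    printf '%s\n' "$1" | cut -c1-12
}

# yubiotp_from_registered OTP ID... -> 0 when OTP is well formed and its
# Public ID is one of the registered IDs passed as further arguments
yubiotp_from_registered() {
    otp=$1
    shift
    yubiotp_is_wellformed "$otp" || return 1
    pid=$(yubiotp_public_id "$otp")
    for registered in "$@"; do
        if [ "$pid" = "$registered" ]; then
            return 0
        fi
    done
    return 1
}
```

A passcode that fails these checks was not produced by one of your registered keys (or was mangled in transit, for instance by a keyboard layout that remaps letters), which is the first thing to verify when a YubiKey login is refused.<br />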
<br />
=== Configuring your SSH client to only ask every so often === <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration.<br />
<br />
<!--T:41--><br />
If you are using Windows, you can [https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui install OpenSSH]. Note that you only need the client portion of these instructions.<br />
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command line clients will typically support multifactor authentication without additional configuration. This is however often not the case for graphical clients. Below are instructions specific to a few of them. <br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask for the password and second factor each time a transfer is initiated because, by default, transfers use independent connections which are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to “1” in “Site Manager” => “Transfer Settings tab”; note that you’ll then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
== MobaXterm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which causes a mandatory second prompt for your second factor of authentication.<br />
To avoid that extra step, you can set the <i>SSH-browser type</i> to either<br />
<i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i> in the<br />
<i>Advanced SSH settings</i> tab of the <i>SSH</i> session editor:<br />
<br />
</translate><br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<translate><br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
Ensure that you are using [[SSH Keys]].<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, go in the application's preferences, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item and select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== I have an Android phone which is older than Android 9 and cannot find the Duo Mobile application. Can I still use Duo? ==<br />
Yes. However, you have to download the application from the Duo website. See [https://help.duo.com/s/article/2211?language=en_US this page] for more details. <br />
<br />
== I want to disable multifactor authentication. How do I do it? == <!--T:51--><br />
Multifactor authentication will become mandatory in the near future. Therefore, users can not disable it. Exceptions can be granted only for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client that you are using. Our [[Multifactor_authentication#Recorded_webinars|Recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#Use a YubiKey 5|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list providing answers to as many questions as you can. Email this information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
What is the primary email address registered in your account?<br />
For how long have you had an active account with us?<br />
What is your research area?<br />
What is your IP address? (to see your IP address, point your browser to this [https://whatismyipaddress.com/ link]).<br />
Who is the principal investigator sponsoring your account?<br />
Who are your group members?<br />
Who can we contact to validate your request?<br />
Which clusters do you use the most?<br />
Which modules do you load most often?<br />
When did you run your last job?<br />
Provide a few of your latest job IDs.<br />
Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and Mac OS.<br />
* MobaXterm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need automated connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
Not at this moment. We are considering options to implement for automation, but we do not have a solution yet. Please do not enroll in MFA at this time if you have this need, and contact [[Technical support]] to explain your requirements.<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You'll need to use a VPN to circumvent this, to make it appear you're coming from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>)==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
<br />
</translate></div>Mboissonhttps://docs.alliancecan.ca/mediawiki/index.php?title=Multifactor_authentication&diff=148024Multifactor authentication2023-12-04T14:19:09Z<p>Mboisson: </p>
<hr />
<div><languages /><br />
<br />
<translate><br />
<br />
<!--T:1--><br />
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is configured to use this feature, you will need to enter your username and password as usual, and then perform a second action (the <i>second factor</i>) to access most of our services. <br><br />
<br />
<!--T:21--><br />
You can choose any of these factors for this second authentication step:<br />
*Approve a notification on a smart device through the Duo Mobile application.<br />
*Enter a code generated on demand.<br />
*Push a button on a hardware key (YubiKey).<br />
<br />
<!--T:22--><br />
This feature will be gradually deployed and will not be immediately available for all of our services.<br />
<br />
= Recorded webinars = <!--T:50--><br />
Two webinars were presented in October 2023. Their recordings are available here: <br />
* [https://www.youtube.com/watch?v=ciycOUbchl8&ab_channel=TheAlliance%7CL%E2%80%99Alliance Authentification multifacteur pour la communauté de recherche] (French)<br />
* [https://www.youtube.com/watch?v=qNsUsZ73HP0&ab_channel=TheAlliance%7CL%E2%80%99Alliance Multifactor authentication for researchers] (English)<br />
<br />
= Registering factors = <!--T:2--><br />
== Registering multiple factors ==<br />
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.<br />
<br />
== Use a smartphone or tablet == <!--T:3--><br />
<br />
<!--T:46--><br />
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.<br />
#Go to the [https://ccdb.alliancecan.ca CCDB], log in to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.<br />
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.<br />
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.<br />
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.<br />
#Tap <i>Use a QR code</i>.<br />
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b><br />
<gallery widths=300px heights=300px><br />
File:Duo-mobile-app-icon.png|Step 1<br />
File:Duo-mobile-option.png|Step 3<br />
File:Naming-duo-mobile-device.png|Step 4<br />
File:Duo-mobile-add-account.png|Step 5<br />
File:Duo-mobile-scan-qr-code.png|Step 6<br />
File:Scanning-CCDB-QR-code.jpg|Step 7<br />
</gallery><br />
<br />
== Use a YubiKey 5 == <!--T:4--><br />
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in a situation when using your phone or tablet is not possible, then a YubiKey is your best option.<br />
<br />
<!--T:45--><br />
<b>Note that some YubiKey models are [https://help.duo.com/s/article/2166?language=en_US not compatible]. We recommend using the YubiKey 5 Series.</b><br />
<br />
<!--T:23--><br />
A YubiKey 5 is the size of a small USB stick and costs between $50 and $100. Different models can fit in USB-A, USB-C, or Lightning ports, and some also support near-field communication (NFC) for use with a phone or tablet.<br />
<br />
<!--T:5--><br />
Multiple protocols are supported by YubiKeys. Our clusters use the Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.<br />
<br />
<!--T:6--><br />
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.<br />
<br />
=== Configuring your YubiKey for Yubico OTP === <!--T:7--><br />
<br />
<!--T:8--><br />
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website].<br />
# Insert your YubiKey and launch the YubiKey Manager software.<br />
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>. (Images below illustrate this and the next few steps.)<br />
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1. <br />
# Select <i>Yubico OTP</i>.<br />
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b><br />
# <b>IMPORTANT: Make sure you clicked on "Finish" in the previous step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<gallery widths=300px heights=300px><br />
File:Yubico Manager OTP.png|Step 3<br />
File:Yubico Manager OTP configuration.png|Step 4<br />
File:Select Yubico OTP.png|Step 5<br />
File:Generate Yubikey IDs.png|Step 6, Step 7<br />
CCDB Yubikeys.png|Step 8<br />
</gallery><br />
<br />
= Using your second factor = <!--T:9--><br />
== When connecting via SSH == <br />
If your account has multifactor authentication enabled, when you connect via SSH to a cluster which supports MFA, you will be prompted to use your second factor after you first use either your password or your [[SSH Keys|SSH key]]. This prompt will look like this:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:10--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:11--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:12--><br />
Passcode or option (1-1):}}<br />
At this point, you can select which phone or tablet you want Duo to send a notification to. If you have multiple devices enrolled, you will be shown a list. You will then get a notification on your device, which you accept to complete the authentication.<br />
<br />
<!--T:13--><br />
If you are using a YubiKey, a backup code, or if you prefer to enter the time-based one-time password that the Duo Mobile application shows, you would write these instead of selecting an option. For example:<br />
{{Command|ssh cluster.computecanada.ca<br />
|result= Duo two-factor login for name<br />
<br />
<!--T:14--><br />
Enter a passcode or select one of the following options:<br />
<br />
<!--T:15--><br />
1. Duo Push to My phone (iOS)<br />
<br />
<!--T:16--><br />
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki<br />
Success. Logging you in...}}<br />
<br />
=== Configuring your SSH client to only ask every so often === <!--T:17--><br />
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:<br />
<br />
<!--T:24--><br />
<pre><br />
Host HOSTNAME<br />
ControlPath ~/.ssh/cm-%r@%h:%p<br />
ControlMaster auto<br />
ControlPersist 10m<br />
</pre><br />
where you would replace <code>HOSTNAME</code> with the host name of the server for which you want this configuration.<br />
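The stanza above works because <code>ControlMaster</code> opens one authenticated master connection and later <code>ssh</code>, <code>scp</code> or <code>sftp</code> invocations to the same host reuse it through the socket at <code>ControlPath</code>; <code>ControlPersist 10m</code> keeps that master alive for ten minutes after the last session closes. Because the socket carries your already-authenticated session, it must live in a directory only your user can access, which <code>~/.ssh</code> should already be. As an added example that is not part of this page or of OpenSSH, the POSIX shell functions below generate the stanza for a host and check whether a config file already carries a <code>ControlMaster auto</code> line inside a block for that host; the host names and temporary config path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Alliance documentation or from OpenSSH.
# Generates the ControlMaster stanza shown above for one host and checks
# whether an existing ssh config already contains such a stanza.

# Print the stanza for HOST. ControlPersist 10m keeps the master
# connection (and with it the MFA-authenticated session) open for ten
# minutes after the last client using it exits.
controlmaster_stanza() {
    host="$1"
    printf 'Host %s\n' "$host"
    printf '    ControlPath ~/.ssh/cm-%%r@%%h:%%p\n'
    printf '    ControlMaster auto\n'
    printf '    ControlPersist 10m\n'
}

# Exit 0 if CONFIG already has "ControlMaster auto" inside a Host block
# that names HOST, else exit 1. Keywords are case-insensitive in ssh
# config, so both sides are lowercased before comparing.
has_controlmaster() {
    config="$1"
    host="$2"
    awk -v host="$host" '
        tolower($1) == "host" {
            inhost = 0
            for (i = 2; i <= NF; i++) if ($i == host) inhost = 1
        }
        inhost && tolower($1) == "controlmaster" && tolower($2) == "auto" {
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$config"
}

# Append the stanza to CONFIG only if it is not already there.
# Usage: ensure_controlmaster ~/.ssh/config cluster.computecanada.ca
ensure_controlmaster() {
    config="$1"
    host="$2"
    if has_controlmaster "$config" "$host"; then
        return 0
    fi
    controlmaster_stanza "$host" >> "$config"
    # ssh rejects a config file that is writable by other users
    chmod 600 "$config"
}
```

Running <code>ensure_controlmaster ~/.ssh/config cluster.computecanada.ca</code> is idempotent, so it is safe to put in a setup script; <code>has_controlmaster</code> alone is a quick way to verify why a client is (or is not) being prompted for the second factor on every connection.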
<br />
<!--T:41--><br />
If you are using Windows, you can [https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui install OpenSSH]. Note that you only need the client portion of these instructions.<br />
<br />
== When authenticating to our account portal == <!--T:18--><br />
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After entering your username and password, you will see a prompt similar to this, where you click on the option you want to use. <br><br />
(Note: <i>This screen will be updated</i>.)<br />
<gallery widths=300px heights=300px><br />
File:CCDB MFA prompt.png<br />
</gallery><br />
<br />
= Configuring common SSH clients = <!--T:32--><br />
Command-line clients typically support multifactor authentication without additional configuration; graphical clients often do not. Below are instructions specific to a few of them. <br />
<br />
== FileZilla == <!--T:33--><br />
FileZilla will ask for the password and second factor each time a transfer is initiated because, by default, transfers use independent connections, which are closed automatically after some idle time.<br />
<br />
<!--T:34--><br />
To avoid entering the password and second factor multiple times, you can limit the number of connections to each site to “1” under “Site Manager” => “Transfer Settings” tab; note that you will then lose the ability to browse the server during transfers.<br />
<br />
<!--T:35--><br />
# Launch FileZilla and select “Site Manager”<br />
# From the “Site Manager”, create a new site (or edit an existing one)<br />
# On the “General” tab, specify the following:<br />
#* Protocol: “SFTP – SSH File Transfer Protocol”<br />
#* Host: [the cluster login hostname]<br />
#* Logon Type: “Interactive”<br />
#* User: [your username]<br />
# On the “Transfer Settings” tab, specify the following:<br />
#* Limit number of simultaneous connections: [checked]<br />
#* Maximum number of connections: 1<br />
# Select “OK” to save the connection<br />
# Test the connection<br />
<br />
== MobaXterm == <!--T:36--><br />
Install version 23.1 or later.<br />
<br />
<!--T:43--><br />
When connecting to a remote server, MobaXterm establishes two connections by default:<br />
the first for the terminal and the second for the remote file browser.<br />
By default, the file browser uses the <i>SFTP protocol</i>,<br />
which causes a mandatory second prompt for your second factor of authentication.<br />
To avoid that extra step, you can set the <i>SSH-browser type</i> to either<br />
<i>SCP (enhanced speed)</i> or <i>SCP (normal speed)</i> in the<br />
<i>Advanced SSH settings</i> tab of the <i>SSH</i> session editor:<br />
<br />
</translate><br />
[[File:MobaXterm SSH-browser type.png|400px|MobaXterm - SSH-browser type]]<br />
<translate><br />
<br />
== PuTTY == <!--T:37--><br />
Install version 0.72 or later. <br />
<br />
== WinSCP == <!--T:38--><br />
Ensure that you are using [[SSH Keys]]. <br />
<br />
== PyCharm == <!--T:39--><br />
Ensure that you are using [[SSH Keys]].<br />
<br />
== Cyberduck == <!--T:47--><br />
By default, Cyberduck opens a new connection for every file transfer, prompting you for your second factor each time. To change this, open the application's preferences and, under <i>Transfers</i>, in the <i>General</i> section, use the drop-down menu beside the <i>Transfer Files</i> item to select <i>Use browser connection</i>.<br />
<br />
<!--T:48--><br />
Then, ensure that the box beside <i>Segmented downloads with multiple connections per file</i> is not checked. It should look like the picture below.<br />
<br />
<!--T:49--><br />
[[File:CyberDuck configuration for multifactor authentication.png|400px|Cyberduck configuration for multifactor authentication]]<br />
<br />
= Frequently asked questions = <!--T:19--><br />
== I have an Android phone which is older than Android 9. I do not find the Duo Mobile application. Can I still use Duo? ==<br />
Yes. However, you have to download the application from the Duo website. See [https://help.duo.com/s/article/2211?language=en_US this page] for more details. <br />
<br />
== I want to disable multifactor authentication. How do I do it? ==<br />
Multifactor authentication will become mandatory in the near future. Therefore, users cannot disable it. Exceptions can be granted only for automation purposes. If you find that multifactor authentication is annoying, we recommend applying one of the configurations listed above, depending on the SSH client that you are using. Our [[Multifactor_authentication#Recorded_webinars|Recorded webinars]] also contain many tips on how to make MFA less burdensome to use. <br />
<br />
== I do not have a smartphone or tablet, or they are too old. Can I still use multifactor authentication? == <!--T:25--><br />
Yes. In this case, you need [[#To use a YubiKey|to use a YubiKey]].<br />
<br />
== I have lost my second factor device. What can I do? == <!--T:20--><br />
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.alliancecan.ca/multi_factor_authentications account portal], and then delete your lost device from the list. Then, register a new device. <br />
* If you do not have backup codes or have lost all of your devices, copy the following list, answer as many of the questions as you can, and email the information to support@tech.alliancecan.ca. <br />
<br />
<!--T:30--><br />
What is the primary email address registered in your account?<br />
For how long have you had an active account with us?<br />
What is your research area?<br />
What is your IP address? (to see your IP address, point your browser to this [https://whatismyipaddress.com/ link]).<br />
Who is the principal investigator sponsoring your account?<br />
Who are your group members?<br />
Who can we contact to validate your request?<br />
Which clusters do you use the most?<br />
Which modules do you load most often?<br />
When did you run your last job?<br />
Provide a few of your latest job IDs.<br />
Provide ticket topics and ticket IDs from your recent requests for technical support.<br />
<br />
== Which SSH clients can be used when multifactor authentication is configured? == <!--T:29--><br />
* Most clients that use a command-line interface, such as on Linux and Mac OS.<br />
* MobaXterm (see instructions above)<br />
* PuTTY (see instructions above)<br />
* Termius on iOS<br />
* FileZilla (see instructions above)<br />
* JuiceSSH on Android<br />
* WinSCP (see instructions above)<br />
* PyCharm (see instructions above)<br />
* VSCode<br />
* CyberDuck (see instructions above)<br />
<br />
== I need to have automated connections to the clusters through my account. Can I use multifactor authentication? == <!--T:31--><br />
Not at this moment. We are considering options to implement for automation, but we do not have a solution yet. Please do not enroll in MFA at this time if you have this need, and please contact [[Technical support]] to explain your requirements.<br />
<br />
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location"? == <!--T:44--><br />
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You will need to use a VPN to circumvent this, so that your connection appears to come from an unaffected country.<br />
<br />
= Advanced usage = <!--T:27--><br />
== Configuring your YubiKey for Yubico OTP using the Command Line (<code>ykman</code>) ==<br />
# Install the command line YubiKey Manager software (<code>ykman</code>) following instructions for your OS from Yubico's [https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#download-ykman ykman guide].<br />
# Insert your YubiKey and read key information with the command <code>ykman info</code>.<br />
# Read OTP information with the command <code>ykman otp info</code>.<br />
# Select the slot you wish to program and use the command <code>ykman otp yubiotp</code> to program it.<br />
# <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields. You will need the data for the next step.</b><br />
# Log into the CCDB to register your YubiKey in the <i>[https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management page]</i>.<br />
<br />
<!--T:28--><br />
:<source lang="console"><br />
[name@yourLaptop]$ ykman otp yubiotp -uGgP vvcccctffclk 2<br />
Using a randomly generated private ID: bc3dd98eaa12<br />
Using a randomly generated secret key: ae012f11bc5a00d3cac00f1d57aa0b12<br />
Upload credential to YubiCloud? [y/N]: y<br />
Upload to YubiCloud initiated successfully.<br />
Program an OTP credential in slot 2? [y/N]: y<br />
Opening upload form in browser: https://upload.yubico.com/proceed/4567ad02-c3a2-1234-a1c3-abe3f4d21c69<br />
</source><br />
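A Yubico OTP is 44 modhex characters (alphabet <code>cbdefghijklnrtuv</code>): the first 12 are the key's public ID, which is what <code>ykman</code> printed or what you passed with <code>-P</code>, and the remaining 32 are the encrypted, counter-bearing token that only YubiCloud can decrypt. After programming a slot, touch the key once in a terminal and check that the emitted OTP starts with the public ID you registered in the CCDB; that confirms which key (and slot) produced it, though not that the OTP is valid or unused. The shell functions below do this check, and also classify what was typed at the "Passcode or option" prompt from the SSH section above. They are an added example, not code from this page or from Yubico's <code>ykman</code>; the sample OTP is the one shown in the SSH prompt above and the public ID <code>vvcccctffclk</code> is the one from the <code>ykman</code> transcript, so the two are expected not to match (they come from different keys). The format of backup codes generated by the portal is not modelled here.

```shell
#!/bin/sh
# Added example, not from the Alliance documentation or from Yubico's ykman.
# Checks that an OTP emitted by a YubiKey carries the public ID you
# programmed with "ykman otp yubiotp" and registered in the CCDB.

# Exit 0 if $1 is non-empty and consists only of modhex characters.
is_modhex() {
    case "$1" in
        '') return 1 ;;
        *[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    return 0
}

# Print the 12-character public ID of a 44-character Yubico OTP.
# Exit 1 if the input is not shaped like a Yubico OTP.
otp_public_id() {
    otp="$1"
    is_modhex "$otp" || return 1
    [ "${#otp}" -eq 44 ] || return 1
    printf '%s\n' "$otp" | cut -c1-12
}

# Exit 0 when OTP $1 was emitted by the key whose public ID is $2.
# $2 is what ykman printed as the public ID (the -P argument above).
otp_matches_key() {
    pid="$(otp_public_id "$1")" || return 1
    is_modhex "$2" && [ "${#2}" -eq 12 ] || return 1
    [ "$pid" = "$2" ]
}

# Classify what was typed at the "Passcode or option (1-1):" prompt so a
# login wrapper can decide which format check applies: a Duo menu choice,
# a 6-digit Duo Mobile passcode, or a YubiKey OTP. Portal backup codes
# are not modelled (format unknown), so they fall into "unknown".
classify_passcode() {
    case "$1" in
        [1-9]) echo option ;;
        [0-9][0-9][0-9][0-9][0-9][0-9]) echo passcode ;;
        *) if otp_public_id "$1" >/dev/null; then echo yubikey; else echo unknown; fi ;;
    esac
}
```

A practical use is <code>otp_matches_key "$(head -n1)" vvcccctffclk</code> right after programming: touch the key, and a non-zero exit tells you the slot you touched (or the key you inserted) is not the one whose public ID you saved for the CCDB registration step.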
<br />
</translate></div>Mboisson