2-step authentication¶
For improved security and data integrity, we use a form of 2-step authentication called time-based one-time password (TOTP).
enable 2-step¶
If you use the UC Berkeley wireless network, choose the
eduroamnetwork; do not useCalVisitor, because it blocks SSH traffic (port 22).Use a secure shell application on your desktop computer to enable 2-step.
If you have a Mac, open a terminal window application and run the following command (replace
usernamewith your login username):ssh username@axon.neuro.berkeley.edu
If you have Windows, download a secure shell client from UC Software Central, or from PuTTY. Use the servername
axon.neuro.berkeley.edu.
If you see a message like…:
The authenticity of host 'axon.neuro.berkeley.edu (169.229.248.247)' can't be established. Are you sure you want to continue connecting (yes/no)?
then type
yesand Enter. You will see the message:Warning: Permanently added 'axon.neuro.berkeley.edu' (ECDSA) to the list of known hosts.
After successful authentication, you will be prompted to enable 2-step:
Do you want to create your One-Time Password now? [y/n]
Type
y, and a barcode image will be displayed.
Install an app for TOTP 2-step authentication¶
Duo Mobile or the Google Authenticator apps.Note
After you set up TOTP 2-step authentication, you may use SSH Keys instead of TOTP 2-step for authentication. SSH keys are useful if you log into the neuro cluster frequently, and if you trust your computer is secure and up-to-date on system software. For more information, see SSH key.
Duo Mobile app¶
Install the
Duo Mobileapp if you don’t already have it installed for CalNet authentication.
Click Add Account, and click OK to let Duo Mobile access your camera, which will be used for scanning the barcode.
If you already configured an account in Duo Mobile, then press the plus sign next to the word ‘Add’ in the upper right corner of your screen.
Tap Use QR Code.
Point your smartphone’s camera at the QR barcode on your computer screen to scan the barcode. You may need to increase the window size or reduce the font size to get the image to display.
Tap Done. This will display the new account called ‘Third-Party Neuro Cluster’.
Toward the bottom of the ‘Neuro Cluster’ account, tap the word Show to display the 6-digit verification code. The verification code changes every 30 seconds.
Next time you login to the neuro cluster, you will be prompted for your password and a verification code from Duo Mobile.
Back on your the computer screen where you initiated 2-step (with the QR barcode), you may see the message:
Enter code from app (-1 to skip):
This isn’t important, and you can type
-1and Enter.A list of emergency scratch codes will be printed. Take a picture of this, or copy/paste it to a file on your desktop computer. This information is useful if you lose access to your mobile device (and your Neuro cluster account).
Google Authenticator app¶
Google Authenticator is an alternative to Duo Mobile. Similar to Duo Mobile, it generates a TOTP (time-based one-time password) for authentication.
Open the Google Authenticator app, and click BEGIN.
Click Scan a barcode. Point your smartphone’s camera at the QR barcode on your computer screen to scan the barcode. You may need to increase the window size or reduce the font size to get the image to display.
On your computer screen, you may see the message:
Enter code from app (-1 to skip):
This isn’t important, and you can type
-1and Enter.A list of emergency scratch codes will be printed to your computer screen. Take a picture of this, or copy/paste it to a file on your desktop computer. This information is useful if you lose access to your mobile device (and your Neuro cluster account).
On your mobile device, click on the button to ADD ACCOUNT.
A 6-digit code is displayed that updates every 30 seconds. This is your verification code.
Next time you login, you will be prompted for your password and your Google Authenticator verification code.
troubleshooting¶
verification code not accepted¶
If you are prompted repeatedly for your verification code, then:
You may have typed your password incorrectly. Unfortunately, the server doesn’t report if your password is wrong - it just continues to prompt for your verification code.
Wait for a new verification code to appear in your 2-step app before typing it in.
can I start over?¶
If you didn’t see the barcode, or you just want to start over, then email me at support-neuro@berkeley.edu.
2-step web browser plugin¶
You may install a web browser plugin that supports TOTP (time-based one-time password) authentication. A web browser plugin can be a substitute for your mobile device, or in addition to it.
Below are instructions for Google Chrome:
Choose an authenticator plugin extension that is compatible with Google Authenticator. I recommend https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai?hl=en
Select Add to Chrome.
Select Add Extension.
In the upper right corner of your web browser, you will see a small icon for the Authenticator plugin. Click it. A new window will open.
Click on the icon of the pencil, then click the plus sign.
Click Manual Entry.
In the ‘Account Name’ field, type anything descriptive. I use ‘neuro cluster’.
In the ‘Secret’ field, copy and paste the secret key. The secret key was displayed immediately below the barcode when you enable 2-step. If you no longer have access to that screenshot, then access the file in your Neuro cluster home directory called
.google_authenticator. The first line of that file is your secret key. For example, in a terminal window:cat ~/.google_authenticator
If you have problems logging in with the plugin, make sure your computer uses Network Time Protocol (NTP). The Authenticator plugin relies on accurate time to generate the codes.
SSH key¶
You may install an SSH key to bypass the TOTP 2-step authentication. It’s useful if you log in frequently from the same, secure computer. To improve your computer security, enable automatic updates of (security) packages.
MacOSX¶
In a Mac terminal window, type:
ssh-keygen -t rsa -f ~/.ssh/id_rsa
If you see a message that the
id_rsakey already exists, then you can specify a different filename after the-foption.Enter a password when prompted. It can be the same as your login password.
In a Mac terminal window, run the following command to copy your SSH key to the Neuro cluster. Replace
<username>with your login username:cat ~/.ssh/id_rsa.pub
Copy and paste the key into
$HOME/.ssh/authorized_keyson the neuro cluster, where$HOMEis your home directory.If you want help, please don’t hesitate to email me: support-neuro@berkeley.edu.
In a Mac terminal window, use the
sshcommand to log into the Neuro cluster. Replaceusernamewith your login username:ssh <username>@axon.neuro.berkeley.edu
You will be prompted for your SSH key passphrase. You should NOT be prompted for a 2-step verification code. If you are prompted for a verification code, then the SSH key wasn’t installed correctly.
Windows¶
Starting in Windows 10, you can use OpenSSH in Windows.
Instructions to install OpenSSH are here: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
And instructions to use ssh-keygen are here:
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement
You may copy and paste the key into the $HOME/.ssh/authorized_keys file on the neuro cluster (where $HOME is your home directory).
If you want help, please don’t hesitate to email me: support-neuro@berkeley.edu.
You may use axon.neuro.berkeley.edu or soma.neuro.berkeley.edu to login.
If the SSH Key was installed correctly, then you will not be prompted for a verification code the next time you log in via secure shell.