Last modified: June 23, 2020

2-step authentication

We use 2-step verification for improved security and data integrity.

enable 2-step

  1. Use a secure shell application on your desktop computer to enable 2-step.

    • If you have a Mac, open a terminal window application and run the following command (replace ‘username’ with your login username):

      ssh username@nx4.neuro.berkeley.edu
    • If you have Windows, download a secure shell client from UC Software Central, or from PuTTY. Use the server name ‘nx4.neuro.berkeley.edu’.

  2. You may see a message similar to the following:

    The authenticity of host 'nx4.neuro.berkeley.edu (169.229.248.247)' can't be established.
    Are you sure you want to continue connecting (yes/no)?

    Type ‘yes’ and hit return. You will see the message:

    Warning: Permanently added 'nx4.neuro.berkeley.edu' (ECDSA) to the list of known hosts.
  3. After successful authentication, you will be prompted to enable 2-step:

    Do you want to create your One-Time Password now? [y/n]
  4. Type ‘y’, and a barcode image will be displayed.

Google Authenticator app

Install a 2-step authenticator app on your mobile device. I recommend using the ‘Google Authenticator’ app, available for Android or iPhone.

If you don’t have a mobile device, see the instructions under ‘optional: Google Authenticator web browser plugin’.

  1. Open the Google Authenticator app, and click ‘BEGIN’

    Google Authenticator: BEGIN
  2. Click ‘Scan a barcode’. Point your phone camera at your computer display to scan the barcode. You may need to increase the window size or reduce the font size to get the image to display.

  3. On your computer screen, you may see the message:

    Enter code from app (-1 to skip):

    This isn’t important, and you can type ‘-1’ and hit return.

  4. A list of emergency scratch codes will be printed to your computer screen. Take a picture of this, or copy/paste it to a file on your desktop computer. This information is useful if you lose access to your mobile device (and your Neuro cluster account).

  5. On your mobile device, click on the button to ‘ADD ACCOUNT’

    Google Authenticator: ADD
  6. A 6-digit code is displayed that updates every 30 seconds. This is your verification code.

  7. Next time you log in, you will be prompted for your password and your Google Authenticator ‘verification code’.

troubleshooting

verification code not accepted

If you are prompted repeatedly for your verification code, then:

  1. you may have typed your password incorrectly. Unfortunately, the server doesn’t report if your password is wrong - it just continues to prompt for your verification code.
  2. wait for a new verification code to appear in your 2-step app before typing it in.

can I start over?

If you didn’t see the barcode, or you just want to start over, then email me at support@cirl.berkeley.edu.

optional: Google Authenticator web browser plugin

You may install a Google Authenticator web browser plugin as a substitute for your mobile device, or in addition to it. I prefer the web browser plugin for convenience, but it’s also useful if you lose access to your mobile device.

Below are instructions for Google Chrome:

  1. Choose an authenticator plugin extension that is compatible with Google Authenticator. I recommend https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai?hl=en

  2. Select ‘Add to Chrome’

  3. Select ‘Add Extension’

  4. In the upper right corner of your web browser, you will see a small icon for the Authenticator plugin. Click it. A new window will open.

  5. Click on the icon of the pencil, then click the plus sign.

  6. Click ‘Manual Entry’.

  7. In the ‘Account Name’ field, type anything descriptive. I use ‘neuro cluster’.

  8. In the ‘Secret’ field, copy and paste the secret key. The secret key was displayed immediately below the barcode when you enabled 2-step. If you no longer have access to that screenshot, then access the file in your Neuro cluster home directory called .google_authenticator. The first line of that file is your secret key. For example, in a terminal window:

    cat ~/.google_authenticator
  9. If you have problems logging in with the plugin, make sure your computer uses network time protocol (ntp). The Authenticator plugin relies on accurate time to generate the codes.
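
As an added example (not part of the original instructions, and not the Google Authenticator project's own code), the Python sketch below computes the 6-digit code from the secret on the first line of .google_authenticator using the standard TOTP algorithm (RFC 6238), and shows why a code generated on a computer with a drifted clock is rejected. The sample file contents, the function names and the acceptance window of one 30-second step either side are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the first line of ~/.google_authenticator is the
# base32 secret key (this value is the RFC 6238 test key, not a real one).
SAMPLE_FILE = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n" TOTP_AUTH\n'


def read_secret(file_text):
    """Return the secret key, i.e. the first line of the file."""
    return file_text.splitlines()[0].strip()


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // step          # changes every `step` seconds
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(secret_b32, code, server_time, window=1, step=30):
    """Assumed server check: accept the current step and `window` steps either side."""
    candidates = (totp(secret_b32, server_time + d * step, step)
                  for d in range(-window, window + 1))
    return any(hmac.compare_digest(code, c) for c in candidates)


if __name__ == "__main__":
    secret = read_secret(SAMPLE_FILE)
    server_now = 59                            # constructed server clock (seconds)
    for skew in (0, 25, 120):                  # client clock error in seconds
        code = totp(secret, server_now + skew)
        ok = server_accepts(secret, code, server_now)
        print(f"clock skew {skew:>3}s  code {code}  accepted={ok}")
```

Anyone who can read the secret key can generate valid codes, so keep the .google_authenticator file and any screenshot of the barcode private.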

optional: SSH key

You may install an SSH key to bypass the Google Authenticator login. It’s useful if you log in frequently from a secure computer. To improve your computer security, enable automatic updates of (security) packages.

MacOSX

  1. In a Mac terminal window, type:

    ssh-keygen -t rsa -f ~/.ssh/id_rsa

    If you see a message that the id_rsa key already exists, then you can specify a different filename after the ‘-f’ option.

  2. Enter a passphrase for the key when prompted. It can be the same as your login password.

  3. In a Mac terminal window, run the following command to copy your SSH key to the Neuro cluster. Replace ‘<username>’ with your login username:

    cat ~/.ssh/id_rsa.pub | ssh <username>@nx4.neuro.berkeley.edu "cat >> ~/.ssh/authorized_keys"

    For example:

    cat ~/.ssh/id_rsa.pub | ssh joe@nx4.neuro.berkeley.edu "cat >> ~/.ssh/authorized_keys"

    You will be prompted for your login password and verification code.

    If you specified a different filename in the first step, then replace ‘~/.ssh/id_rsa.pub’ with the path to your key.

  4. In a Mac terminal window, use the ‘ssh’ command to log into the Neuro cluster. Replace ‘<username>’ with your login username:

    ssh <username>@nx4.neuro.berkeley.edu

    For example:

    ssh joe@nx4.neuro.berkeley.edu

    You will be prompted for your SSH key passphrase. You should NOT be prompted for a 2-step verification code. If you are prompted for a verification code, then the SSH key wasn’t installed correctly.

    If you created your ssh key with a different filename, then you may need to use the ‘ssh -i </path/to/key>’ option. For example, if you created your ssh key with filename ‘-f ~/.ssh/id_neurocluster’, then run:

    ssh -i ~/.ssh/id_neurocluster <username>@nx4.neuro.berkeley.edu
  5. To configure X2Go to use your SSH key, see X2Go configuration

Windows

If your Windows computer is ‘trusted’ (see above), then I recommend using PuTTY to install an SSH key. Instructions are here: https://www.ssh.com/ssh/putty/windows/puttygen.

The login server name is ‘nx4.neuro.berkeley.edu’.

If the SSH key was installed correctly, then you will not be prompted for a verification code the next time you log in via secure shell.

To configure X2Go to use your SSH key, see X2Go configuration