Last modified: September 19, 2019

2-step authentication

We use 2-step verification for improved security and data integrity.

enable 2-step

  1. Use a secure shell application on your desktop computer to enable 2-step.

    • If you have a Mac, open a terminal window application and run the following command (replace ‘username’ with your login username):

      ssh username@nx2.neuro.berkeley.edu
    • If you have Windows, download a secure shell client from UC Software Central, or from PuTTY. Use the servername ‘nx2.neuro.berkeley.edu’.

  2. After successful authentication, you will be prompted to enable 2-step:

    Do you want to create your One-Time Password now? [y/n]
  3. Type ‘y’, and a barcode image will be displayed.

  4. Below the barcode is your secret key and emergency scratch codes. Take a picture of this, or copy/paste it to a file on your desktop computer. This information is useful if you lose access to your mobile device (and your Neuro cluster account).

install Google Authenticator app on your mobile device

Google Authenticator works best on a mobile device, but you can also install an Authenticator plugin on your web browser. See ‘install Google Authenticator web browser plugin’ below.

  1. Open the Google Authenticator app, and click ‘BEGIN’

    Google Authenticator: BEGIN
  2. Click ‘Scan a barcode’. Point your phone camera at your computer display to scan the barcode. You may need to increase the window size or reduce the font size to get the image to display.

  3. After the barcode image is scanned, click ‘ADD ACCOUNT’

    Google Authenticator: ADD
  4. Make a backup of the backup codes in case you lose :

install Google Authenticator web browser plugin

You may install a Google Authenticator web browser plugin as a substitute for your mobile device, or in addition to it. I prefer the web browser plugin for convenience. But it’s also useful if you lose access to your mobile device.

Below are instructions for Google Chrome:

  1. Choose an authenticator plugin extension that is compatible with Google Authenticator. I recommend https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai?hl=en

  2. Select ‘Add to Chrome’

  3. Select ‘Add Extension’

  4. In the upper right corner of your web browser, you will see a small icon for the Authenticator plugin. Click it. A new window will open.

  5. Click on the icon of the pencil, then click the plus sign.

  6. Click ‘Manual Entry’.

  7. In the ‘Account Name’ field, type anything descriptive. I use ‘neuro cluster’.

  8. In the ‘Secret’ field, copy and paste the secret key. The secret key was displayed immediately below the barcode when you enabled 2-step. If you no longer have access to that screenshot, then access the file in your Neuro cluster home directory called .google_authenticator. The first line of that file is your secret key. For example, in a terminal window:

    cat ~/.google_authenticator
  9. If you have problems logging in with the plugin, make sure your computer uses network time protocol (ntp). The Authenticator plugin relies on accurate time to generate the codes.
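
Why clock accuracy matters, as an added example (not part of the original page or of the cluster's software): each code is derived from the secret key and the current 30-second time step (RFC 6238), so a device whose clock has drifted shows codes the server no longer accepts. `SECRET` is the constructed RFC test key, and the acceptance window of one step either side is an assumption about the server's configuration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code (RFC 6238 default)

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time):
    """The code an authenticator app shows when its clock reads unix_time."""
    return hotp(secret_b32, unix_time // STEP)

def server_accepts(secret_b32, code, server_time, window=1):
    """Accept the code for the server's current step or `window` steps either side."""
    now = server_time // STEP
    valid = [hotp(secret_b32, now + d) for d in range(-window, window + 1)]
    return any(hmac.compare_digest(code, v) for v in valid)

# Constructed sample: base32 of the RFC 6238 test key, not a real account secret.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    server_time = 89  # constructed server clock (time step 2)
    for drift in (0, -30, -60, 60, 90):
        code = totp(SECRET, server_time + drift)
        ok = server_accepts(SECRET, code, server_time)
        print(f"client clock off by {drift:+4d}s -> code {code} accepted={ok}")
```

A drift of one step is still accepted under the assumed window; two steps or more is rejected even though the secret key is correct.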

SSH key

You may install an SSH key to bypass the Google Authenticator login.

This section is optional, and intended for folks who frequently log in from a ‘trusted’ computer (a computer with all security patches installed).

MacOSX

  1. In a Mac terminal window, type:

    ssh-keygen -t rsa -f ~/.ssh/id_rsa

    If you see a message that the id_rsa key already exists, then you can specify a different filename after the ‘-f’ option.

  2. Enter a passphrase when prompted. It can be the same as your login password.

  3. In a Mac terminal window, run the following command to copy your SSH key to the Neuro cluster. Replace ‘<username>’ with your login username:

    cat ~/.ssh/id_rsa.pub | ssh <username>@nx2.neuro.berkeley.edu "cat >> ~/.ssh/authorized_keys"

    For example:

    cat ~/.ssh/id_rsa.pub | ssh joe@nx2.neuro.berkeley.edu "cat >> ~/.ssh/authorized_keys"

    You will be prompted for your login password and verification code.

    If you specified a different filename in the first step, then replace ‘~/.ssh/id_rsa.pub’ with the path to your key.

  4. In a Mac terminal window, use the ‘ssh’ command to log into the Neuro cluster. Replace ‘<username>’ with your login username:

    ssh <username>@nx2.neuro.berkeley.edu

    For example:

    ssh joe@nx2.neuro.berkeley.edu

    You will be prompted for your ssh key passphrase. You should NOT be prompted for a 2-step verification code. If you are prompted for a verification code, then the ssh key wasn’t installed correctly.

    If you created your ssh key with a different filename, then you may need to use the ‘ssh -i </path/to/key>’ option. For example, if you created your ssh key with filename ‘-f ~/.ssh/id_neurocluster’, then run:

    ssh -i ~/.ssh/id_neurocluster <username>@nx2.neuro.berkeley.edu
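
A check for the "ssh key wasn’t installed correctly" case, as an added example (not part of the original page): it looks for two common results of appending with ‘cat >>’, namely files or directories left writable by group/other and a new key glued onto the previous entry because authorized_keys had no trailing newline. It assumes the server runs sshd with its default StrictModes setting; the function names are illustrative.

```python
import os
import stat
import sys

def loose_paths(home):
    """Report paths that are missing or group/other-writable (the latter fails StrictModes)."""
    ssh_dir = os.path.join(home, ".ssh")
    problems = []
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: mode {mode:o} is writable by group/other")
    return problems

def key_installed(home, pubkey_line):
    """True only if the key appears in authorized_keys as '<type> <body>'."""
    key_type, body = pubkey_line.split()[:2]
    try:
        with open(os.path.join(home, ".ssh", "authorized_keys")) as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        return False
    for line in lines:
        tokens = line.split()
        # Appending to a file with no trailing newline glues the new key to the
        # previous entry; the token before the body is then not the key type.
        if body in tokens[1:] and tokens[tokens.index(body) - 1] == key_type:
            return True
    return False

if __name__ == "__main__":
    # Run on the cluster; pass the contents of your public key file as one argument.
    home = os.path.expanduser("~")
    for problem in loose_paths(home):
        print("fix:", problem)
    if len(sys.argv) > 1:
        print("key installed:", key_installed(home, sys.argv[1]))
```

Typical fixes for reported paths are ‘chmod 700 ~/.ssh’ and ‘chmod 600 ~/.ssh/authorized_keys’.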

Windows

If your Windows computer is ‘trusted’ (see above), then I recommend using PuTTY to install an SSH key. Instructions are here: https://www.ssh.com/ssh/putty/windows/puttygen.

The login server name is ‘nx2.neuro.berkeley.edu’.

If the SSH key was installed correctly, then you will not be prompted for a verification code the next time you log in via secure shell.

troubleshooting

verification code not accepted

If you are prompted repeatedly for your verification code, then:

  1. Maybe you typed your password incorrectly. Unfortunately, the server doesn’t tell you if your password is wrong. It just continues to prompt for your verification code, because both the password and the verification code need to be correct to log in. So at the next password login prompt, make sure your password is correct, and then wait for a new verification code to appear in your 2-step app before typing it in.
  2. Try a different 2-step app. Google Authenticator may not work for all phones/devices. There are alternative apps, including ‘FreeOTP’ or ‘Authy’. I use FreeOTP on my Google Pixel 2, because I couldn’t scan the Google Authenticator barcode (ironic that 2 Google products are incompatible?). Hopefully these bugs are rare. I’d be grateful for your feedback, so please email support@cirl.berkeley.edu if you prefer to use a different app.

can I start over?

If you didn’t see the barcode, or you just want to start over, then you can remove the .google_authenticator file from your home directory on the cluster. To do this, log in via the NoMachine client and run:

rm ~/.google_authenticator

... or email me at support@cirl.berkeley.edu.