Header Search Widget
IRIS

Instructional & Research Information Systems

Using login-mfa.eecs.berkeley.edu

The Linux remote SSH server login-mfa.eecs.berkeley.edu is available for all IRIS Standard account holders, and has SSH available from off-campus. To use it, you will need to enable both an SSH public/private keypair and a Time-based One Time Password (TOTP) (e.g. Google Authenticator) secret key.

Step 1: Set up your SSH public/private keypair

First, set up your SSH public/private keypair. You may add your SSH public key to your EECS ~/.ssh/authorized_keys file as usual, or upload your SSH public key to LDAP. Both login.eecs.berkeley.edu and login-mfa.eecs.berkeley.edu are configured to make use of SSH public keys from LDAP.

Step 2: Create your TOTP secret key

This can be done from any EECS machine that has google-authenticator installed, and access to your home directory.

Option 1: Using login.eecs

On login.eecs, run the google-authenticator command. This will generate a custom URL for you, as well as a QR code and a secret key string. To properly view the QR code, you may need to expand the number of visible rows/columns of your SSH session, or you can visit the custom URL in a browser. You’ll use the QR code or the secret key in Step 3. Be sure to store the emergency scratch codes safely, such as in a LastPass Secure Note.

$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
generated_QR_code_here
Your new secret key is: ZVZG5UZU4D7MY4DH
Your verification code is 269371
Your emergency scratch codes are:
  70058954
  97277505
  99684896
  56514332
  82717798

Do you want me to update your "/home/username/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into is not hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Option 2: Using setsecretkey.eecs

If you are off-campus, and don’t have access to the bSecure VPN or to login.eecs, you can request temporary SSH access to setsecretkey.eecs.berkeley.edu via email to help@eecs. On that machine, you can run google-authenticator as above.

Step 3: Set up your Authenticator app

Install the Google Authenticator or FreeOTP app on your Android or iOS phone. In the mobile application, create a new entry, either scanning the QR code or entering the secret key string.

Done!

Now you can SSH to login-mfa.eecs.berkeley.edu from anywhere. Your session will be authenticated with your SSH passphrase (or SSH agent) first, and then using the verification code from your Authenticator app for multi-factor authentication.

larsrohr@R910EFVD:~$ ssh larsrohr@login-mfa.eecs.berkeley.edu
******************************************************************************
Please email help@EECS.Berkeley.EDU if you are unable to login to this
server.
******************************************************************************

Verification code: