Using login-mfa.eecs.berkeley.edu
The Linux remote SSH server login-mfa.eecs.berkeley.edu is available to all IRIS Standard account holders and accepts SSH connections from off-campus. To use it, you will need to set up both an SSH public/private keypair and a Time-based One-Time Password (TOTP) secret key (e.g. for Google Authenticator); both factors are required on every login.
Step 1: Set up your SSH public/private keypair
First, set up your SSH public/private keypair. You may add your SSH public key to your EECS ~/.ssh/authorized_keys file as usual, or upload your SSH public key to LDAP. Both login.eecs.berkeley.edu and login-mfa.eecs.berkeley.edu are configured to use SSH public keys from LDAP.
Step 2: Create your TOTP secret key
This can be done from any EECS machine that has google-authenticator installed, and access to your home directory.
Option 1: Using login.eecs
On login.eecs, run the google-authenticator command. This will generate a custom URL for you, as well as a QR code and a secret key string. To view the QR code properly, you may need to enlarge your SSH session window (more rows/columns), or you can visit the custom URL in a browser; note that the URL embeds your secret key, so treat it like a password. You'll use the QR code or the secret key in Step 3. Be sure to store the emergency scratch codes safely, such as in a LastPass Secure Note; each one is a single-use bypass of the authenticator app.
$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
generated_QR_code_here
Your new secret key is: ZVZG5UZU4D7MY4DH
Your verification code is 269371
Your emergency scratch codes are:
70058954
97277505
99684896
56514332
82717798
Do you want me to update your "/home/username/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into is not hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
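The prompts above ask you to choose a time window, whether a token may be reused, and a rate limit. To make those choices concrete, here is an added illustration (not part of the original page and not the google-authenticator PAM module's own code) of what the server side checks: RFC 6238 TOTP over 30-second steps, a skew window of ±1 step, refusal of a step that already authenticated a login, and a cap of 3 attempts per 30 seconds. The Verifier class, its method names and the simplified attempt-counting are assumptions made for the example; the test secret is the RFC 4226 test key "12345678901234567890" in base32, not the key from the transcript above.

```python
"""
TOTP verification modelled on the options google-authenticator asks about.
Added illustration of RFC 4226 / RFC 6238 arithmetic; not the PAM module's code.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30   # seconds per time step (google-authenticator default)
DIGITS = 6  # code length shown by the authenticator app


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.strip().upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // STEP)


class Verifier:
    """Server-side check mirroring the three google-authenticator prompts.

    window:         extra steps accepted on each side of "now" (1 => the default
                    1:30 min span; 3 => roughly the 4 min span the prompt offers).
    disallow_reuse: a step that already authenticated a login is refused again,
                    which is what limits an attacker who captured one code.
    rate_limit:     (attempts, seconds); default is "3 login attempts every 30s".
    This is a simplified model: state lives in memory, not in ~/.google_authenticator.
    """

    def __init__(self, secret_b32: str, window: int = 1,
                 disallow_reuse: bool = True, rate_limit=(3, 30)):
        self.secret = secret_b32
        self.window = window
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.interval = rate_limit
        self.used_steps = set()
        self.attempts = []

    def verify(self, code: str, at: Optional[float] = None) -> str:
        """Return "ok", "bad", "replay" or "rate-limited" for one login attempt."""
        if at is None:
            at = time.time()
        # Rate limit: every attempt, good or bad, counts inside the trailing interval.
        self.attempts = [t for t in self.attempts if at - t < self.interval]
        self.attempts.append(at)
        if len(self.attempts) > self.max_attempts:
            return "rate-limited"
        now = int(at) // STEP
        # Accept the current step plus `window` steps on either side (clock skew).
        for step in range(now - self.window, now + self.window + 1):
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if self.disallow_reuse and step in self.used_steps:
                    return "replay"
                self.used_steps.add(step)
                return "ok"
        return "bad"


if __name__ == "__main__":
    # RFC 4226 test key "12345678901234567890", base32-encoded (constructed input).
    demo_key = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("current code:", totp(demo_key))
    v = Verifier(demo_key)
    print(v.verify(totp(demo_key)), v.verify(totp(demo_key)))  # ok, then replay
```

Because the window covers three steps, a captured code stays valid for up to 90 seconds unless reuse is disallowed, which is why answering "y" to the reuse question is the right default even though it limits you to one login per step.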
Option 2: Using setsecretkey.eecs
If you are off-campus and don't have access to the bSecure VPN or to login.eecs, you can request temporary SSH access to setsecretkey.eecs.berkeley.edu via email to help@eecs. On that machine, you can run google-authenticator as above.
Step 3: Set up your Authenticator app
Install the Google Authenticator or FreeOTP app on your Android or iOS phone. In the mobile application, create a new entry, either scanning the QR code or entering the secret key string.
Done!
Now you can SSH to login-mfa.eecs.berkeley.edu from anywhere. Your session will be authenticated with your SSH private key first (unlocked with its passphrase, or supplied by your SSH agent), and then with the verification code from your Authenticator app as the second factor. A password alone will not log you in.
larsrohr@R910EFVD:~$ ssh larsrohr@login-mfa.eecs.berkeley.edu
******************************************************************************
Please email help@EECS.Berkeley.EDU if you are unable to login to this
server.
******************************************************************************
Verification code: