Access to cluster with two-factor authentication

Hello everyone,

I recently gained access to a cluster that requires two-factor authentication for login (it uses Google Authenticator). Is it possible to configure AiiDA on my computer to access this cluster nonetheless?

Thank you!

Hey there, it depends a bit on how the 2FA works. If you can authorize and then use normal ssh to connect to the machine, it is in principle possible. In this case, you would simply authenticate and then start the daemon, and the daemon will be able to connect for as long as the authentication token is valid. Once it expires, connections will start to fail and the daemon will pause calculations running on that computer (pause them on your computer, not actually on the remote). You can reauthenticate and restart the daemon, and run verdi process play --all to start playing all calculations again.

I see, thanks for the explanation Sebastiaan!

Hello, I just read this one, and usually it applies. Currently though, I have a cluster where I need to authenticate at each connection. Is there currently a solution?

Can you give more details on how exactly the authentication works? Is it via an OTP code, do you need to use fingerprints, …?
If you open one connection and then tunnel the next ones through it, would this circumvent the problem? Unfortunately, without more details it’s very hard to provide suggestions - and in most of these cases my first reaction is: what does the computer center suggest if you have a script or WF engine (could be any script, not necessarily AiiDA) that needs to connect unattended to the supercomputer? Almost always there are technical solutions, but they might be circumventing the policies of the supercomputer.

Thanks @giovannipizzi for the help!
Currently I am at Boston trying to figure out how to configure the connection to their local cluster: User Quick Start Guide – FASRC DOCS
So the access is via both PWD + OTP code, which can be generated locally via a java applet. It’s not super clear how to open a single connection and then use it for other connections. Is the idea here to e.g. use one command like ssh ..., keep it running, and the other ssh command would then work?
Right now I can access by doing: ssh username@hostname, and plugging in PWD + OTP code. Even after copying an ssh id file, this doesn’t change the behaviour of the access (i.e., I still have to insert PWD+OTP).

Ok thanks!

It’s not super clear how to open a single connection and then use it for other connections

Did you try to use the ControlMaster options in the SSH config?
E.g. adding for your computer

  controlmaster auto
  controlpath /tmp/ssh-%r@%h:%p

in the relevant section of the ~/.ssh/config file.
Then you open one connection in a terminal (with pwd + 2FA), then in a second terminal SSH again and check if this still asks for the PWD.

It might be that it’s blocked by the server. In any case, this might not help with AiiDA because Paramiko does not really support multiplexing… but at least we understand what the options are.

Moreover:
Can you check if what I had described here might work? SSH connection with 2FA (two-factor authentication) using Google Authenticator · Issue #5020 · aiidateam/aiida-core · GitHub
It would be interesting to know if at least in principle their approach to SSH is compatible with the technical solution above.

IMPORTANT NOTE, though: as I stated, you need to check if the center is happy with you doing this - if they are not, you are circumventing their security measures and they might ban you (or worse, depending on what they wrote in their regulations).
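
Added example (not part of the thread and not AiiDA code): ssh_config(5) recommends that a ControlPath used for connection sharing sit in a directory that other users cannot write to, which /tmp is not. The script below audits a config file for ControlPath entries under shared temp directories; the host aliases, the ~/.ssh/cm directory and the sample config are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit ControlPath placement.
# Host aliases and all paths below are constructed for the demo.

# Constructed sample config: the thread's /tmp setting beside a private-dir one.
sample_config() {
    cat <<'EOF'
Host cluster-weak
  controlmaster auto
  controlpath /tmp/ssh-%r@%h:%p

Host cluster-private
  ControlMaster auto
  ControlPath=~/.ssh/cm/%r@%h:%p
EOF
}

# Print "<line>: <path>" for each ControlPath under a shared temp directory.
# Returns 1 if any such entry exists, 0 otherwise.
audit_controlpath() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }              # drop indentation, fields re-split
        tolower($1) == "controlpath" && $2 ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\// {
            printf "%d: %s\n", NR, $2
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Create the private socket directory with owner-only permissions.
make_socket_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Demo: write the sample to a scratch file and audit it.
demo_dir=$(mktemp -d)
sample_config > "$demo_dir/config"
if audit_controlpath "$demo_dir/config"; then
    echo "no ControlPath in a shared temp directory"
else
    echo "move the socket into a directory only you can write to"
fi
rm -rf "$demo_dir"
```

Run audit_controlpath against ~/.ssh/config and create the socket directory with make_socket_dir before opening the first connection.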