My experience with CERN's SSH 2FA

So, as if juggling research and coffee consumption wasn’t enough, CERN has decided to spice things up. They’re rolling out 2FA for SSO for all users which is great for security, of course! But here’s where it gets interesting: I volunteered to be part of a test group that’s trying out 2FA for SSH connections as well. Yep, I signed up for extra layers of login fun!

Now, don’t get me wrong, I’m all for keeping our data safe from the clutches of cyber gremlins. But entering a 2FA code every time I SSH into a server? That gets old faster than a quark decays. Especially when you’re bouncing between machines like it’s a game of computational hopscotch.

So, in true nerdy fashion, I looked for a workaround to make my life a tad easier. The solution? The obvious one, SSH keys! Even with the new 2FA requirements and using lxplus.cern.ch as a proxy jump, SSH keys have been my saving grace.

Here’s how I made it happen:

  1. Generated an SSH key pair on my local machine. Good old ssh-keygen never lets me down. This can be done with the following command:

    ssh-keygen -t rsa -b 4096 -C "username@cern.ch"
    
  2. Added my public key to my CERN account. Now we visit our old friend ssh-copy-id. I ran the following command to copy my public key to lxplus:

    ssh-copy-id -i ~/.ssh/id_rsa.pub lxplus
    

    This command copies the public key to the ~/.ssh/authorized_keys file on lxplus, allowing me to SSH in without a password.

Note: I am using lxplus instead of lxplus.cern.ch because I have already updated my ~/.ssh/config file to include lxplus as a hostname, and my username on my local machine is the same as my username on lxplus.

  3. Updated my SSH config file (~/.ssh/config) to include lxplus as a proxy jump. It looks something like this:

    Host lxplus
        HostName lxplus.cern.ch
        User melashri
        IdentityFile ~/.ssh/id_rsa
    
    Host lbgw
        HostName lbgw
        User melashri
        ProxyJump lxplus
        IdentityFile ~/.ssh/id_rsa
    

    Just swap out lbgw with whatever server you’re trying to reach. lbgw is the CERN gateway server. For me, I need it to access the restricted GPU machine that Allen developers (LHCb HLT1 trigger framework) have access to.

  4. Gave it a whirl to make sure everything worked smoothly. And guess what? It did! No more constant 2FA prompts. Now you can log in using ssh lxplus or ssh lbgw and you are in.
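
Added here as an example (not from the original post): a small shell check for the setup above. It verifies the file modes OpenSSH requires before it will use a key, which is the usual reason a key-based login quietly falls back to the password-and-2FA prompt, and follows the ProxyJump entries in a config file to print the hop chain. The config written in `demo` is constructed to mirror the post; directory and file names are parameters, not anything CERN-specific.

```shell
#!/bin/sh
# Added example, not from the original post. A private key that ssh refuses
# to load (file mode too open) is silently skipped, and the login falls back
# to password plus 2FA; the checks below catch that and show the jump chain.

# perm_of FILE: octal mode bits, working with both GNU and BSD stat.
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_perms DIR: 0 if DIR (a ~/.ssh equivalent) is mode 700 and every
# private key in it (id_*, excluding *.pub) is 600 or 400, else 1 + message.
check_perms() {
    dir=$1
    case "$(perm_of "$dir")" in 700) ;; *) echo "bad mode on $dir"; return 1 ;; esac
    for f in "$dir"/id_*; do
        case "$f" in *.pub) continue ;; esac
        [ -e "$f" ] || continue
        case "$(perm_of "$f")" in 600|400) ;; *) echo "bad mode on $f"; return 1 ;; esac
    done
    return 0
}

# jump_chain CONFIG HOST: print the hosts ssh connects to, first hop first,
# by following ProxyJump entries in CONFIG; returns 1 on a ProxyJump loop.
jump_chain() {
    cfg=$1 host=$2 chain="" seen=" "
    while [ -n "$host" ]; do
        case "$seen" in *" $host "*) echo "ProxyJump loop at $host" >&2; return 1 ;; esac
        seen="$seen$host "
        # HostName of this Host block (alias if none), then its ProxyJump.
        target=$(awk -v h="$host" 'tolower($1)=="host"{b=($2==h)}
            b&&tolower($1)=="hostname"{print $2;exit}' "$cfg")
        chain="${target:-$host}${chain:+ -> $chain}"
        host=$(awk -v h="$host" 'tolower($1)=="host"{b=($2==h)}
            b&&tolower($1)=="proxyjump"{print $2;exit}' "$cfg")
    done
    echo "$chain"
}

# demo: throwaway ~/.ssh with a config constructed to mirror the post.
demo() {
    d=$(mktemp -d) && chmod 700 "$d"
    printf 'Host lxplus\n  HostName lxplus.cern.ch\n  IdentityFile ~/.ssh/id_rsa\n\n' > "$d/config"
    printf 'Host lbgw\n  HostName lbgw\n  ProxyJump lxplus\n  IdentityFile ~/.ssh/id_rsa\n' >> "$d/config"
    : > "$d/id_rsa" && chmod 600 "$d/id_rsa"   # empty stand-in for a private key
    check_perms "$d" && jump_chain "$d/config" lbgw   # lxplus.cern.ch -> lbgw
    rm -rf "$d"
}

demo
```

Run `check_perms ~/.ssh` and `jump_chain ~/.ssh/config lbgw` against your real files; a "bad mode" line means ssh will ignore that key and you will be back at the 2FA prompt.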

Now, whenever I SSH into a server, it gracefully hops through lxplus using my SSH keys, sidestepping the extra 2FA step. It’s like having a VIP pass to the server club. If you’re also part of the 2FA SSH test group or just want to get ahead of the curve, I highly recommend setting up SSH keys. Or maybe you will read this when we all already have 2FA on SSH connections.