My experience with CERN's SSH 2FA
So, as if juggling research and coffee consumption wasn’t enough, CERN has decided to spice things up. They’re rolling out 2FA for SSO for all users, which is great for security, of course! But here’s where it gets interesting: I volunteered to be part of a test group that’s trying out 2FA for SSH connections as well. Yep, I signed up for extra layers of login fun!
Now, don’t get me wrong, I’m all for keeping our data safe from the clutches of cyber gremlins. But entering a 2FA code every time I SSH into a server? That gets old faster than a quark decays. Especially when you’re bouncing between machines like it’s a game of computational hopscotch.
So, in true nerdy fashion, I looked for a workaround to make my life a tad easier. The solution? Obvious, of course: SSH keys! Even with the new 2FA requirements and using lxplus.cern.ch as a proxy jump, SSH keys have been my saving grace.
Here’s how I made it happen:

1. Generated an SSH key pair on my local machine. Good old `ssh-keygen` never lets me down. This can be done with the following command:

   ```
   ssh-keygen -t rsa -b 4096 -C "username@cern.ch"
   ```

2. Added my public key to my CERN account. Now we visit our old friend `ssh-copy-id`. I ran the following command to copy my public key to `lxplus`:

   ```
   ssh-copy-id -i ~/.ssh/id_rsa.pub lxplus
   ```

   This command copies the public key to the `~/.ssh/authorized_keys` file on `lxplus`, allowing me to SSH in without a password.

   Note: I am using `lxplus` instead of `lxplus.cern.ch` because I have already updated my `~/.ssh/config` file to include `lxplus` as a hostname, and my username on my local machine is the same as my username on `lxplus`.

3. Updated my SSH config file (`~/.ssh/config`) to include `lxplus` as a proxy jump. It looks something like this:

   ```
   Host lxplus
       HostName lxplus.cern.ch
       User melashri
       IdentityFile ~/.ssh/id_rsa

   Host lbgw
       HostName lbgw
       User melashri
       ProxyJump lxplus
       IdentityFile ~/.ssh/id_rsa
   ```

   Just swap out `lbgw` with whatever server you’re trying to reach. `lbgw` is the CERN gateway server; for me, I need it to access the restricted GPU machine that Allen developers (LHCb HLT1 trigger framework) have access to.

4. Gave it a whirl to make sure everything worked smoothly. And guess what? It did! No more constant 2FA prompts. Now you can log in using `ssh lxplus` or `ssh lbgw` and you are in.
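The hop chain that `ssh lbgw` follows can be worked out from the config file alone. As an added example (not the post’s own code), here is a small Python resolver that applies the ssh_config first-match rule and follows ProxyJump recursively; the `gpu01` block and its hostname are hypothetical, added to show that a jump host’s own ProxyJump is applied as well.

```python
import fnmatch
# Constructed sample: the post's config plus a hypothetical gpu01 block behind lbgw.
SAMPLE_CONFIG = """\
Host lxplus
    HostName lxplus.cern.ch
    User melashri
    IdentityFile ~/.ssh/id_rsa
Host lbgw
    HostName lbgw
    User melashri
    ProxyJump lxplus
    IdentityFile ~/.ssh/id_rsa
Host gpu01
    HostName gpu01.example.invalid
    ProxyJump lbgw
"""

def parse_ssh_config(text):
    """Split ssh_config text into (patterns, options) blocks; keywords case-folded."""
    blocks = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")  # 'Key value' form only, not 'Key=value'
        if key.lower() == "host":
            blocks.append((value.split(), {}))  # negated (!) patterns are not handled
        elif blocks:
            blocks[-1][1][key.lower()] = value.strip()
    return blocks

def resolve_options(blocks, host):
    """ssh_config(5) rule: first obtained value per keyword wins; HostName defaults to the alias."""
    opts = {}
    for patterns, block in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in block.items():
                opts.setdefault(key, value)
    opts.setdefault("hostname", host)
    return opts

def resolve_jump_chain(text, target, _seen=frozenset()):
    """HostNames a connection to `target` traverses, target last; jumps nest as in OpenSSH."""
    if target in _seen:
        raise ValueError(f"ProxyJump cycle at {target}")
    opts = resolve_options(parse_ssh_config(text), target)
    chain = []
    for jump in opts.get("proxyjump", "none").split(","):
        alias = jump.strip().rsplit("@", 1)[-1].split(":")[0]  # drop [user@] and [:port]
        if alias.lower() != "none":
            chain += resolve_jump_chain(text, alias, _seen | {target})
    return chain + [opts["hostname"]]
```

OpenSSH’s own view of a resolved host is available with `ssh -G lbgw`, which prints the effective options without connecting.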
Now, whenever I SSH into a server, it gracefully hops through lxplus using my SSH keys, sidestepping the extra 2FA step. It’s like having a VIP pass to the server club. If you’re also part of the 2FA SSH test group, or just want to get ahead of the curve, I highly recommend setting up SSH keys. Or maybe you’ll be reading this when we all already have 2FA on SSH connections.