Have a look at the official wiki page of The Alliance: 

    Multifactor authentication

Below you find some tips from me:

Enroll & manage Multifactor Authentication

You can enroll and manage your Alliance account into multifactor authentication by logging in to the following CCDB web site:
    Multifactor Authentication Management

Follow the instructions available on the following site: 
    Multifactor authentication description

The Alliance strongly recommends that you generate bypass codes as a backup for when your registered devices are not available. You will also need a bypass code to access your account if you lose all of your second factors. To do that you just have to go onto their web page above: Multifactor Authentication Management
 and click in the button "Generate 10 codes, each valid for one use" resp. "Générer 10 codes, chacun valide pour une seule utilisation" (on the bottom left of the page).

Connecting with multifactor authentication

Once multifactor authentication is activated for you you will see the following message when connecting to one of the clusters of The Alliance:

If you are using Duo Mobile you can now either

• open the Duo Mobile app, generate a new code and type it the terminal and then press 'Enter' or
  
• type '1' and then press 'Enter'. Then you will get a message in your Duo Mobile App asking you to confirm that it is really you who wants to connect.
• enter a bypass code if the options above to not work

Configuration to authenticate only once

By default you have to authenticate yourself every time you connect to one of the clusters of The Alliance. But you can configure the computer from which you want to connect to one of the clusters of The Alliance in a way so you will only have to authenticate your first connection but will not get asked to authenticate again for any following connections (from and to the same machine) for as long as your first connection exists and even up to n minutes afterwards.

Linux (UQAM servers) and Mac

When connecting from a Linux machine (like our UQAM servers) or from a Mac you can edit your file ~/.ssh/config. For example, if you want to connect to Narval you can add something the following to your ~/.ssh/config:

Replace 'username' with your username on Narval. The 'narval' above is just a name given to this "host". You can put here any name you like that does not already exist in your ~/.ssh/config. The '10m' means that you will be able to log in without authentication up to 10 minutes after you closed your last connection to Narval from the same machine. Possible time units for ControlPersist are:

    none: seconds, s | S : seconds, m | M: minutes, h | H: hours, d | D: days, w | W: weeks

Combinations are also possible, for example: 1h30m → 1 hour 30 minutes (90 minutes)

Windows users

Check out the wiki of The Alliance:  Multifactor authentication

GEM runners

When submitting anything on clusters of The Alliance with "soumet" you will get asked to authenticate. Until I find why this is the case I suggest you add the following lines to your ~/.ssh/config on Narval:

Like written above. There is nothing you have to replace this time. And keep the:

Host narval
  Hostname localhost

you probably already have as well as everything else you might have in the file.

With this addition to your ~/.ssh/config you will get ask once every 19 years on each machine (narval1, narval2, ...) to authenticate when submitting a job with soumet.

Automated workflows

This refers to connections to clusters of The Alliance for which you are not around to authenticate yourself. For example, automated nightly data transfers or job checks with crontabs.
Have a look at the official wiki page of The Alliance:

    Automation in the context of multifactor authentication

And here are some tips from me:

Contact The Alliance

First you need to contact The Alliance (support@tech.alliancecan.ca) and ask them to "add your username to the group which is allowed to use the robot nodes" and tell them which commands you want to execute (for example 'rsync' or 'squeue' etc.) and what tools or libraries you will be using to manage the automation. They should get back to you with more information - or questions.

Once you have the okay from The Alliance to proceed you need to manage your SSH keys.

Manage your SSH keys

For this you can either use an SSH key you already have or create a new one.

Create a new SSH key

The specific process to generate an SSH key pair depends on the operating system you use. For the Windows PuTTY or MobaXterm clients, see Generating SSH keys in Windows. For a Unix-like environment (Linux, Mac, WSL or Cygwin), see Using SSH keys in Linux. 

Create a new SSH key for Linux (UQAM servers)

On any of our internal UQAM servers go into your ~/.ssh directory:

There you can generate it with the ssh-keygen command: 

When prompted with the question "Enter file in which to save the key (/home/username/.ssh/id_ed25519):" you can either just press enter or change the name to, for example:

    id_ed25519_transfer)

When asked for a passphrase and to repeat it you can just press enter. After this you should have the following two new files:

Upload your public SSH key to the CCDB

Log in on the following CCDB web site:
    https://ccdb.alliancecan.ca/ssh_authorized_keys

In the box in which you are supposed to copy your public SSH key ("Your key will typically start with ..." resp. "Le début de la clé est habituellement ...") first enter the following:

Where "IP_address" is the IP address from which you want to connect and "command" is the command you would like to execute. The Alliance already provides a number of wrapper scripts which allow common actions. Have a look at their wiki:  Automation in the context of multifactor authentication under "Convenience wrapper scripts to use for command=".

Just after the above, only separated by a space, copy-paste the content of your public SSH key (the content of the file ending on *.pub).

For example, if you want to do automated transfers from Narval to UQAM or vice versa, you should put something like:
   

Then give or change the "Description" (optional but recommended) and click on "Add Key".

Issue commands without being asked for authentication

Once you did all the above correctly you can issue the commands you specified in the SSH key above without being asked for authentication. For example, you can now copy data from Narval to UQAM (issued from an internal UQAM server) with:

Here you have to specify the full name (including directory) of your private SSH key. Of course you might want to add your usual rsync keys.

Again, for more information have a look at their wiki:  Automation in the context of multifactor authentication under "Using the right key".

Create host to simplify commands

You can create a "host" which includes the name of your private SSH key to avoid having to put it in every command. For example, add the following lines to your ~/.ssh/config file (on our UQAM servers), so they get picked up by any ssh client invocation:

The 'narr' above is just a name given to this "host". You can put here any name you like that does not already exist in your ~/.ssh/config. I chose 'narr' for NARval Robot.
Replace 'username' with your username on Narval and 'full_name_of_your_private_key ' with the name and directory of your private SSH key, for example: ~/.ssh/id_ed25519_transfer

Once you added the above to your ~/.ssh/config the command above to transfer data from Narval would shrink down to  this:

Of course you might want to add your usual rsync keys.