...

The Alliance strongly recommends that you generate bypass codes as a backup for when your registered devices are not available. You will also need a bypass code to access your account if you lose all of your second factors. To generate them, go to the web page mentioned above, Multifactor Authentication Management, and click the button "Generate 10 codes, each valid for one use" (in French: "Générer 10 codes, chacun valide pour une seule utilisation") at the bottom left of the page.

Connecting with multifactor authentication

...

By default you have to authenticate every time you connect to one of the clusters of The Alliance. But you can configure the computer from which you connect so that you only have to authenticate your first connection and are not asked to authenticate again for any following connections (from and to the same machine) for as long as your first connection exists, and even up to n minutes afterwards.

Linux (UQAM servers) and Mac

When connecting from a Linux machine (like our UQAM servers) or from a Mac you can edit your file ~/.ssh/config. For example, if you want to connect to Narval you can add something like the following to your ~/.ssh/config:

Host narval
   Hostname narval.computecanada.ca
   User username
   ControlPath ~/.ssh/cm-%r@%h:%p
   ControlMaster auto
   ControlPersist 10m

Replace 'username' with your username on Narval. The 'narval' above is just a name given to this "host". You can put here any name you like that does not already exist in your ~/.ssh/config. The '10m' means that you will be able to log in without authentication up to 10 minutes after you closed your last connection to Narval from the same machine. Possible time units for ControlPersist are:

    none: seconds, s | S : seconds, m | M: minutes, h | H: hours, d | D: days, w | W: weeks

Combinations are also possible, for example: 1h30m → 1 hour 30 minutes (90 minutes)

Windows users

Check out the wiki of The Alliance:  Multifactor authentication

GEM runners

When submitting anything on clusters of The Alliance with "soumet" you will get asked to authenticate. Until I find why this is the case I suggest you add the following lines to your ~/.ssh/config on Narval:

Host localhost
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlMaster auto
  ControlPersist 10000000m

Add them exactly as written above; there is nothing you have to replace this time. Also keep the:

Host narval
  Hostname localhost

you probably already have as well as everything else you might have in the file.

With this addition to your ~/.ssh/config you will get asked once every 19 years on each machine (narval1, narval2, ...) to authenticate when submitting a job with soumet.
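To see how long a given ControlPersist value really keeps an authenticated master connection open, the time format listed earlier and the 10000000m setting above can be converted to seconds. This is an added example, not part of the original page; the function names and the shortened sample config are assumptions made for illustration.

```python
import re

# Seconds per unit of the ControlPersist time format (no unit means seconds).
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TERM = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)

# Constructed sample, shortened from the two Host entries shown on this page.
SAMPLE_CONFIG = """\
Host narval
   ControlMaster auto
   ControlPersist 10m
Host localhost
   ControlMaster auto
   ControlPersist 10000000m
"""


def persist_seconds(value):
    """Convert a time value such as '10m' or '1h30m' to seconds."""
    value = value.strip()
    if not value:
        raise ValueError("empty time value")
    pos, total = 0, 0
    while pos < len(value):
        term = TERM.match(value, pos)
        if term is None:
            raise ValueError(f"not a valid time value: {value!r}")
        total += int(term.group(1)) * UNIT_SECONDS[term.group(2).lower()]
        pos = term.end()
    return total


def persist_by_host(config_text):
    """Map each Host name to ControlPersist seconds (None = kept open indefinitely)."""
    result, hosts = {}, []
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key, arg = parts[0].lower(), parts[1].strip()
        if key == "host":
            hosts = arg.split()
        elif key == "controlpersist" and arg.lower() != "no":
            # 'yes' or 0 means the master stays in the background indefinitely.
            secs = None if arg.lower() == "yes" else persist_seconds(arg)
            for host in hosts:
                result[host] = secs or None
    return result
```

While a master connection exists, `ssh -O check narval` reports that it is still running and `ssh -O exit narval` closes it before the ControlPersist time runs out.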

Automated workflows

This refers to connections to clusters of The Alliance for which you are not around to authenticate yourself. For example, automated nightly data transfers or job checks with crontabs.
Have a look at the official wiki page of The Alliance:

...

First you need to contact The Alliance (support@tech.alliancecan.ca) and ask them to "add your username to the group which is allowed to use the robot nodes" and tell them which commands you want to execute (for example 'rsync' or 'squeue' etc.) and what tools or libraries you will be using to manage the automation. They should get back to you with more information or with questions.

...

When prompted with the question "Enter file in which to save the key (/home/username/.ssh/id_ed25519):" you can either just press enter or change the name to, for example:

    /home/username/.ssh/id_ed25519_transfer

When asked for a passphrase and to repeat it you can just press enter. After this you should have the following two new files:

id_ed25519_transfer            # private key - never share!!!
id_ed25519_transfer.pub   # public key

Upload your

...

public SSH key to the CCDB

Log in on the following CCDB web site:
    https://ccdb.alliancecan.ca/ssh_authorized_keys

In the box in which you are supposed to copy your public SSH key ("Your key will typically start with ..." or, in French, "Le début de la clé est habituellement ...") first enter the following:

restrict,from="IP_address",command="command"

Where "IP_address" is the IP address from which you want to connect and "command" is the command you would like to execute. The Alliance already provides a number of wrapper scripts which allow common actions. Have a look at their wiki:  Automation in the context of multifactor authentication under "Convenience wrapper scripts to use for command=".

Just after the above, only separated by a space, copy-paste the content of your public SSH key (the content of the file ending on *.pub).

For example, if you want to do automated transfers from Narval to UQAM or vice versa, you should put something like:
   


restrict,from="132.208.147.*,132.208.132.239",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" full_content_of_public_SSH_key
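Before pasting such an entry into the CCDB, it is worth checking that all three constraints are really in front of the key, since a comma inside from="..." must not be mistaken for an option separator. The following check is an added example, not code from The Alliance or from the original page; the function names are assumptions and the sample entry reuses the page's own placeholder for the key.

```python
# Constructed sample: the example entry from this page, with the page's own
# placeholder standing in for the public key.
SAMPLE_ENTRY = (
    'restrict,from="132.208.147.*,132.208.132.239",'
    'command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/'
    'allowed_commands/transfer_commands.sh" full_content_of_public_SSH_key'
)


def split_entry(line):
    """Split an entry into (options_text, key_text).

    The option list ends at the first space outside double quotes.
    Assumption: option values contain no backslash-escaped quotes.
    """
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
    return line, ""


def parse_options(options_text):
    """Return {name: value}; flags such as 'restrict' map to True."""
    options, item, in_quotes = {}, "", False
    for ch in options_text + ",":
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            # A comma outside quotes ends the current option.
            name, _, value = item.partition("=")
            if name:
                options[name.lower()] = value.strip('"') if value else True
            item = ""
        else:
            item += ch
    return options


def missing_restrictions(line):
    """List what the entry lacks: restrict, from=, command= or the key itself."""
    options_text, key_text = split_entry(line.strip())
    options = parse_options(options_text)
    missing = [n for n in ("restrict", "from", "command") if not options.get(n)]
    return missing if key_text else missing + ["public key"]
```

An empty list from `missing_restrictions` means the entry carries restrict, from= and command= followed by a key; a bare public key line returns all three names.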

...

Once you have done all of the above correctly you can issue the commands you specified in the SSH key above without being asked for authentication. For example, you can now copy data from Narval to UQAM (issued from an internal UQAM server) with:

rsync -e "ssh -i ~/.ssh/id_ed25519_transfer" username@robot.narval.alliancecan.ca:source destination

Here you have to specify the full name (including directory) of your private SSH key. Of course you might want to add your usual rsync options.

...

You can create a "host" which includes the name of your private SSH key to avoid having to put it in every command. For example, add the following lines to your ~/.ssh/config file (on our UQAM servers), so they get picked up by any ssh client invocation:

Host narr
      Hostname robot.narval.alliancecan.ca
      User username
      Identityfile full_name_of_your_private_key
      Identitiesonly yes
      Requesttty no

The 'narr' above is just a name given to this "host". You can put here any name you like that does not already exist in your ~/.ssh/config. I chose 'narr' for NARval Robot.
Replace 'username' with your username on Narval and 'full_name_of_your_private_key' with the name and directory of your private SSH key, for example: ~/.ssh/id_ed25519_transfer

Once you have added the above to your ~/.ssh/config, the command above to transfer data from Narval would shrink down to this:

rsync narr:source destination

Of course you might want to add your usual rsync options.

...