Have a look at the official wiki page of The Alliance: 

    Multifactor authentication

Below you find some tips from me:

Enroll & manage Multifactor Authentication

You can enroll your Alliance account in multifactor authentication, and manage it afterwards, by logging in to the following CCDB web site:
    Multifactor Authentication Management

Follow the instructions available on the following site: 
    Multifactor authentication description

The Alliance strongly recommends that you generate bypass codes as a backup for when your registered devices are not available. You will also need a bypass code to access your account if you lose all of your second factors.

Connecting with multifactor authentication

Once multifactor authentication is activated for you, you will see the following message when connecting to one of the clusters of The Alliance:

Enter a passcode or select one of the following options:

1. Duo Push to name_of_your_device

Passcode or option (1-1):

If you are using Duo Mobile you can now either

Configuration to authenticate only once

By default you have to authenticate every time you connect to one of the clusters of The Alliance. You can, however, configure the computer you connect from so that only your first connection has to be authenticated. Any following connections (from and to the same machine) will not ask you to authenticate again for as long as your first connection exists, and for up to 10 minutes afterwards.

Linux (UQAM servers) and Mac

When connecting from a Linux machine (like our UQAM servers) or from a Mac you can edit your file ~/.ssh/config. For example, if you want to connect to Narval you can add something like the following to your ~/.ssh/config:

Host narval
   Hostname narval.computecanada.ca
   User username
   ControlPath ~/.ssh/cm-%r@%h:%p
   ControlMaster auto
   ControlPersist 10m

Replace 'username' with your username on Narval. The 'narval' above is just a name given to this "host". You can put here any name you like that does not already exist in your ~/.ssh/config.

Windows users

Check out the wiki of The Alliance:  Multifactor authentication

Automated workflows

Have a look at the official wiki page of The Alliance:

    Automation in the context of multifactor authentication

And here are some tips from me:

Contact The Alliance

First you need to contact The Alliance (support@tech.alliancecan.ca) and tell them what commands you want to execute (for example 'rsync') and what tools or libraries you will be using to manage the automation. They should get back to you with more information - or questions.

Once you have the okay from The Alliance to proceed you need to manage your SSH keys.

Manage your SSH keys

For this you can either use an SSH key you already have or create a new one.

Create a new SSH key

The specific process to generate an SSH key pair depends on the operating system you use. For the Windows PuTTY or MobaXterm clients, see Generating SSH keys in Windows. For a Unix-like environment (Linux, Mac, WSL or Cygwin), see Using SSH keys in Linux.

Create a new SSH key for Linux (UQAM servers)

On any of our internal UQAM servers go into your ~/.ssh directory:

cd ~/.ssh

There you can generate it with the ssh-keygen command: 

ssh-keygen -t ed25519

When prompted with the question "Enter file in which to save the key (/home/username/.ssh/id_ed25519):" you can either just press enter or change the name to, for example:

    /home/username/.ssh/id_ed25519_transfer

When asked for a passphrase and to repeat it, you can just press Enter. After this you should have the following two new files (with these names if you chose the example file name above):

id_ed25519_transfer            # private key - never share!!!
id_ed25519_transfer.pub   # public key

Upload your public SSH key to the CCDB

Log in on the following CCDB web site:
    https://ccdb.alliancecan.ca/ssh_authorized_keys

Paste your public SSH key (the content of the file ending in .pub) in the field indicated. Then precede what you just pasted by:

restrict,from="IP_address",command="command"

Where "IP_address" is the IP address from which you want to connect and "command" is the command you would like to execute. The Alliance already provides a number of wrapper scripts which allow common actions. Have a look at their wiki:  Automation in the context of multifactor authentication under "Convenience wrapper scripts to use for command=".

For example, if you want to do automated transfers from Narval to UQAM or vice versa, you should put something like:
   

restrict,from="132.208.147.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" full_content_of_public_SSH_key

Then give or change the "Description" (optional but recommended) and click on "Add Key".
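
The step above, as an added example that is not part of the original page or of The Alliance's documentation: a small shell function that assembles the line to paste into the CCDB form from a public key file, and refuses a private key file, a match-all from= pattern, or values containing double quotes. The function names and the key used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# build_restricted_entry PUBFILE FROM_PATTERN COMMAND
# Prints the line to paste into the CCDB form, or fails with a distinct code.
build_restricted_entry() {
    pubfile=$1 from=$2 cmd=$3
    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 1; }
    # A private key file carries a PEM header; it must never be pasted.
    if grep -q 'PRIVATE KEY' "$pubfile"; then
        echo "refusing: $pubfile is a private key, use the .pub file" >&2
        return 2
    fi
    # A double quote would end the from="..." or command="..." value early.
    case "$from$cmd" in
        *'"'*) echo "refusing: double quote in from/command" >&2; return 3 ;;
    esac
    # An empty or match-all pattern makes the source restriction meaningless.
    case "$from" in
        ''|'*') echo "refusing: from= pattern is too broad" >&2; return 4 ;;
    esac
    # A public key file holds one line: "<type> <base64> [comment]".
    key=$(sed -n '1p' "$pubfile")
    case "$key" in
        ssh-ed25519\ ?*|ssh-rsa\ ?*|ecdsa-sha2-*\ ?*|sk-*\ ?*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 5 ;;
    esac
    printf 'restrict,from="%s",command="%s" %s\n' "$from" "$cmd" "$key"
}

# entry_is_restricted ENTRY
# Succeeds only if the line has the form shown on this page:
# restrict, from= and command= in front of the key.
entry_is_restricted() {
    case "$1" in
        restrict,from=\"?*\",command=\"?*\"\ ?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with a constructed, non-functional key written to a temporary file.
demo=$(mktemp)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForIllustration me@uqam' >"$demo"
build_restricted_entry "$demo" '132.208.147.*' \
    '/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh'
rm -f "$demo"
```
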

Issue commands without being asked for authentication

Once you have done all of the above correctly, you can issue the commands you specified in the SSH key above without being asked for authentication. For example, you can now copy data from Narval to UQAM (issued from an internal UQAM server) with:

rsync -e "ssh -i ~/.ssh/id_ed25519_transfer" username@robot.narval.alliancecan.ca:source destination

Of course you might want to add your usual rsync options.

Again, for more information have a look at their wiki:  Automation in the context of multifactor authentication under "Using the right key".

Create host to simplify commands

You can create a "host" which includes the name of your private SSH key to avoid having to put it in every command. For example, add the following lines to your ~/.ssh/config file, so they get picked up by any ssh client invocation:

Host narr
    Hostname robot.narval.alliancecan.ca
    User username
    Identityfile full_name_of_your_private_key
    Identitiesonly yes
    Requesttty no

The 'narr' above is just a name given to this "host". You can put here any name you like that does not already exist in your ~/.ssh/config. I chose 'narr' for NARval Robot.
Replace 'username' with your username on Narval and 'full_name_of_your_private_key' with the name and directory of your private SSH key, for example: ~/.ssh/id_ed25519_transfer

Once you have added the above to your ~/.ssh/config, the command above to transfer data from Narval shrinks down to this:

rsync narr:source destination

Of course you might want to add your usual rsync options.