Two Factor Authentication (WinAuth)

Once you have WinAuth installed on your Windows machine, you will need to ssh to apps0.cs.toronto.edu and log in with your normal CSLab credentials.

On Windows 10, you can accomplish this by clicking the Windows Start icon, then scrolling to and clicking on Windows System, then clicking Command Prompt.

In the Command Prompt, type in 'ssh -l [username] apps0.cs.toronto.edu', with your CSLab username in place of [username] (the -l option takes the login name, so it cannot be omitted). Press Enter. Type in your CSLab password when prompted.

From apps0, ssh to 2factor.cs.toronto.edu.
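The two-hop login above (your machine to apps0, then apps0 to 2factor) can be written once into the OpenSSH client configuration so that a single command performs both hops. The fragment below is an added example, not part of the original instructions or of any CSLab-provided configuration; it assumes the Windows 10 OpenSSH client reads %USERPROFILE%\.ssh\config and is version 7.3 or newer (ProxyJump support), and [username] is the same placeholder the setup prompts use for your CSLab login.

```sshconfig
# %USERPROFILE%\.ssh\config  (added example; [username] is your CSLab login)
Host apps0
    HostName apps0.cs.toronto.edu
    User [username]

# "ssh 2factor" opens the connection to apps0 first, then tunnels the
# second ssh session through it. You are still asked for the 2factor
# password and the WinAuth token on the inner hop, exactly as before.
Host 2factor
    HostName 2factor.cs.toronto.edu
    User [username]
    ProxyJump apps0
```

With this in place, `ssh 2factor` from the Command Prompt replaces the two separate ssh commands; the credentials each hop asks for are unchanged.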

On login, you will be prompted to enter your CSLab password, and then to choose a new password. This new password will be the one you will always use when connecting to 2factor.cs in the future, so choose something that you can remember.

After the new password, you will be presented with a screen with a QR code, a secret key, a verification code, and emergency scratch codes. You should store the emergency codes in a safe place that is -not- on the computer where you will be generating the auth token. These codes are for emergency recovery if you lose your WinAuth installation for any reason. That being said, we can always reset your credentials if you lose them.

You will be prompted with a number of questions related to the authenticator setup. For reference, here are choices we have found to work (essentially, 'y' to all questions):

Do you want me to update your "/u/[username]/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
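The three setup choices above (reject a token that was already used, accept codes from a window of 3 or 17 time steps to tolerate clock skew, and limit login attempts to 3 per 30 s) are all server-side policy on top of the same 30-second TOTP code that WinAuth displays. The script below is an added illustration, not code from this page or from the google-authenticator module, that generates codes the way WinAuth does (RFC 4226 HOTP under RFC 6238 time steps) and checks them with those three rules; the secret is the published RFC 4226 test-vector key, not a real CSLab key, and the timestamps and the Verifier class are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # token lifetime used by google-authenticator and WinAuth
DIGITS = 6

# Base32 form of the RFC 4226 test-vector key "12345678901234567890".
# Published test data only; not a real "Your new secret key is:" value.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (what WinAuth shows)."""
    return hotp(secret_b32, at // step)


class Verifier:
    """Constructed server-side check modelling the three setup prompts:
    a skew window of 3 or 17 codes, one use per code, 3 attempts per 30 s."""

    def __init__(self, secret_b32: str, window_codes: int = 3, max_attempts: int = 3):
        self.secret = secret_b32
        self.half_window = window_codes // 2   # 3 -> +-1 step, 17 -> +-8 steps
        self.max_attempts = max_attempts
        self.used_counters = set()             # time steps already redeemed
        self.attempts = []                     # timestamps of recent attempts

    def check(self, code: str, now: int) -> bool:
        # Rate limiting: every attempt counts, successful or not.
        self.attempts = [t for t in self.attempts if now - t < STEP_SECONDS]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)

        current = now // STEP_SECONDS
        for counter in range(current - self.half_window, current + self.half_window + 1):
            if counter in self.used_counters:
                continue                       # "disallow multiple uses" rule
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    now = 1_000_000                            # constructed Unix time
    v = Verifier(SAMPLE_SECRET)                # default window of 3 codes
    print("fresh code accepted:", v.check(totp(SAMPLE_SECRET, now), now))
    print("same code again:", v.check(totp(SAMPLE_SECRET, now), now))
    print("client 4 min slow, window 3:", Verifier(SAMPLE_SECRET, 3).check(totp(SAMPLE_SECRET, now - 240), now))
    print("client 4 min slow, window 17:", Verifier(SAMPLE_SECRET, 17).check(totp(SAMPLE_SECRET, now - 240), now))
```

The window sizes map directly to the prompt text: 3 codes means the server tries the previous, current and next time step, so a clock that is more than 30 s off fails, while 17 codes covers 8 steps either side, the "up to 4 minutes" the prompt describes. The reuse rule is why a code you have just typed cannot be replayed within its window, and the attempt counter is what the rate-limiting prompt turns on.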

You will then be disconnected from 2factor.cs.

On your Windows 10 machine, open WinAuth, and click the Add button in the main WinAuth window.

Choose “Authenticator” as the type.

With the Authenticator window open, in the Name field, type in a name (e.g. CSLab Authenticator).

Type or copy/paste the key from the line “Your new secret key is:” into the field under 'Enter the Secret Code for your authenticator'.

Click the option for 'Time-Based'.

Click the Verify Authenticator button to check the key is valid and you will see the first code.

Click the OK button to save the authenticator.

A Protection window will appear asking how you would like to protect your WinAuth authenticators.

You can choose which of the available mechanisms you wish to use to protect the local authenticator account on your machine from local attacks, e.g. malware.

If you choose to set a password instead of locking it to the current computer/user, then you will be required to enter this password when you wish to use WinAuth.

Click OK when done.

You will now see your authenticator with the current code and a timer showing it counting down.

From this point on, when you ssh to 2factor.cs.toronto.edu you will use the local password that was set up at the beginning of this process, and the auth token that WinAuth provides at the time. This code will continually cycle but is in sync with the server, so as long as you enter the code that is displayed at the time, it should be accepted.

From 2factor.cs, you can then log into any CSLab machine (apps servers, compute servers, slurm scheduler, etc) without needing to provide your CSLab credentials.