Two-factor authentication (“2FA”)[^1] is now required to log in to Tetralith, Sigma, Berzelius and Freja[^2] and might be required for other NSC clusters in the future.
We use the authentication method TOTP[^3]. This means that every time[^4] you log in to the cluster (e.g. using SSH) you will need to enter both your password and a 6-digit code.
Example:
myuser@mylaptop:~$ ssh x_examp@tetralith.nsc.liu.se
Password: <==== ENTER YOUR NORMAL PASSWORD HERE
Verification code: <===== ENTER THE 6-DIGIT CODE FROM YOUR APP HERE
Last login: Thu Sep 16 11:22:09 2021 from 1984:bb1:cee:0000:1234:abcd:beef:4711
Welcome to NSC and Tetralith!
[...]
[x_examp@tetralith1 ~]$
The 6-digit code is normally displayed by an app on your phone. Unless you prefer another app and know how to use it, use one of the apps we recommend on this page: Google Authenticator or Microsoft Authenticator.
Please note that you will need to enable 2FA separately for each NSC cluster that uses 2FA, just as you set a different password for each cluster. In your TOTP app, the different codes will be clearly marked with “NSC”, the cluster name and your username (e.g. “NSC Duolith (x_examp)”).
If you are already familiar with TOTP, click the cluster name below and follow the instructions on that page.
Tetralith, Sigma, Freja, or Berzelius
If you are not already familiar with TOTP, use this guide.
1) Install a TOTP app: if you do not already have a TOTP app installed on your phone[^5] and know how to use it, read about which apps we recommend and how to install them on this page.
2) Click the cluster name: Tetralith, Sigma, Freja, or Berzelius. You will now end up on the “Request TOTP” page in the NSC user portal (nim.nsc.liu.se). We recommend that you right-click the cluster name and choose “open link in new window” so you can keep this page open for reference as you go through the remaining steps.
3) [For Tetralith, Sigma, and Berzelius] Identify yourself to the NSC portal “Request TOTP” page: unless you are already logged in to the portal, you will be asked “You need to prove your identity by logging in via SUPR”. If you are asked to do so, click the button Login via SUPR[^6]. In SUPR, you will see the message “NSC has requested that you prove your identity in SUPR”. Click the Prove My Identity to NSC button. You should now automatically be taken back to the NSC portal (nim.nsc.liu.se). (Not applicable for Freja users).
4) Click the button to send an email to yourself: On the page “Request TOTP for …”, click the Request Email button. For Freja you will first have to enter your email address.
5) Find the email and click the link in it. This link is unique and personal to you. It is only valid for one day. If you do not receive the email from NSC within 15 minutes, check your spam folder. If you cannot find the email, contact NSC Support.
6) [For Tetralith, Sigma, and Berzelius] If too much time has passed since your first login to the NSC portal (in step 3 above), you might be asked to identify yourself again by logging in to SUPR again. (Not applicable for Freja users).
7) You should now see the “Set TOTP for … on …” page. On it should be a QR code “TOTP Secret for Scanning”, the “TOTP Secret as Text” and an empty field “TOTP Verification code”.
8) Open your TOTP app and scan[^7][^scan2] the QR code shown on the web page. In the app, you should now see the NSC cluster name and next to it a 6-digit number that changes every 30 seconds. If your app cannot scan a QR code, you can enter the “TOTP Secret as Text” into the app instead.
9) Enter the 6-digit code displayed by your app into the “TOTP Verification Code” box and press Continue. This verifies that your app is working correctly. You should see a message like “TOTP Set for … on …”.
10) You have now enabled 2FA for your account! But you should also check that you can still log in, so continue to the next step.
11) Wait 10 minutes (to allow the change to propagate to the cluster).
12) Log in to the cluster using 2FA:
If you use your password to log in using SSH or Thinlinc, the only thing that changes is that you will see an extra prompt “Verification code:” after you have entered your password. At this prompt, enter the 6-digit code shown by your TOTP app next to the NSC cluster name (e.g. “NSC Duolith (x_examp): 123456”).
Example:
myuser@mylaptop:~$ ssh x_examp@tetralith.nsc.liu.se
Password: <==== ENTER YOUR NORMAL PASSWORD HERE
Verification code: <===== ENTER THE 6-DIGIT CODE FROM YOUR APP HERE
Last login: Thu Sep 16 11:22:09 2021 from 1984:bb1:cee:0000:1234:abcd:beef:4711
Welcome to NSC and Tetralith!
[...]
[x_examp@tetralith1 ~]$
If you have used an SSH key to log in to Thinlinc, that will no longer work. Due to limitations in the Thinlinc client, when using 2FA you must use your password (i.e. password + TOTP code) to log in.
Using an SSH key to log in using regular (i.e. non-Thinlinc) SSH is still possible. You will then be asked to enter your TOTP code before you are logged in.
Remember that for Freja, logins from SMHI are exempt from 2FA, so you will have to log in from outside of SMHI to test this.
If you encounter any problems along the way (e.g. you did not receive the registration link via email), contact NSC Support.
If you are a frequent cluster user and want to limit how often you must enter your TOTP code, read this page.
If you need help configuring your SSH client or file manager to work well with 2FA, read this page. File managers in particular usually need to be configured to use only one connection, otherwise you will have to enter your 2FA code for each file you transfer.
Users who need true unattended logins (automated, non-interactive, where you are not physically at the computer) should read this page.
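How the app turns the secret from steps 7 to 9 into the 6-digit code, as an added example (not NSC's code). It assumes the QR code carries a standard otpauth:// provisioning URI and that the RFC 6238 defaults apply (HMAC-SHA1, 30-second step); the secret below is the RFC 6238 test key, not an NSC secret, and the drift window in `verify` is a hypothetical policy.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: label format taken from the page, secret is the
# base32 form of the RFC 6238 test key "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/NSC%20Duolith%20(x_examp)"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=NSC")


def parse_otpauth(uri):
    """Return (label, raw secret bytes) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    text = parse_qs(u.query)["secret"][0].replace(" ", "").upper()
    text += "=" * (-len(text) % 8)  # secrets are usually shown unpadded
    return unquote(u.path.lstrip("/")), base64.b32decode(text)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP over the number of 30-second steps since the epoch."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, unix_time, window=1, step=30):
    """Accept the current step and `window` neighbours (assumed drift policy)."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    label, key = parse_otpauth(SAMPLE_URI)
    for t in (30, 59, 60):  # 30 and 59 share a step; 60 starts the next one
        print(label, t, totp(key, t))
```

Anyone who holds the secret can generate valid codes, so the QR code and the “TOTP Secret as Text” deserve the same care as a password.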
[^1]: You can read more about 2FA in this Wikipedia article.
[^2]: Logins from SMHI are exempt.
[^3]: You can read about the TOTP standard in this Wikipedia article.
[^4]: This is not entirely true: you can share SSH connections so that you do not have to enter your password and TOTP code so often. See this page for details.
[^5]: You can install a TOTP app on any device, but we recommend that you do not install the TOTP app on the same device you will use to log in to the cluster. I.e. if you use your tablet to log in to the cluster, don’t install the TOTP app there. This helps keep your account secure.
[^6]: If you are not logged in to SUPR already, you will be asked to do so. Use your normal SUPR credentials (e.g. email+password, client certificate or the SUPR 2FA).
[^7]: In Google Authenticator, click the plus sign, then click “Scan a QR code”. Then point your camera at the QR code on the screen.
[^scan2]: In Microsoft Authenticator, click the menu button, then click “Add account”, then choose “Other account”, then point your camera at the QR code on the screen.