Multi Factor Authentication (MFA)#

KU Leuven Multi Factor Authentication (MFA) is an augmented level of security. As the name suggests, MFA requires additional steps with human intervention when authenticating. MFA is mandatory for accessing KU Leuven infrastructures. In this page, we explain how to login to the KU Leuven Open OnDemand portal, and how to use SSH clients (such as PuTTY, terminal etc) with and without using an SSH agent.

Note

When connecting from abroad, you first need to login via the VSC firewall page.

Login to Open OnDemand#

Users from all VSC sites can access the Open OnDemand portal at KU Leuven site. For that, proceed to the Open OnDemand portal. If you are affiliated with KU Leuven, click on the KU Leuven logo. Otherwise, click on the VSC logo to choose your institute. You will be then forwarded to the Identity Provider (IdP) of your institute to complete the authentication procedure. Once that succeeds, you will automatically login to the Open OnDemand homepage.

Connecting with an SSH agent#

Using an SSH agent allows to store so-called SSH certificates which various client programs (PuTTY, MobaXterm, NoMachine, FileZilla, WinSCP, …) can then use to authenticate. Getting an SSH certificate involves MFA but this only needs to performed once since a certificate can be used multiple times as long as it remains valid.

You can acquire such an SSH certificate as follows:

  • Start up your SSH agent. Windows users are recommended to use Pageant, while Linux and MacOS users can e.g. rely on OpenSSH.

  • Connect to either the cluster’s login node or to firewall.vscentrum.be with your terminal application of choice and with agent forwarding enabled. With e.g. OpenSSH you can do:

    ssh -A [email protected]
# or
ssh -A [email protected]

    PuTTY users can find the agent forwarding option under the ‘Connection -> SSH -> Auth’ tab. OpenSSH users may also automatically enable agent forwarding in their SSH config file.

  • You will then be shown a URL which you will need to open in a browser:

    Note that when using PuTTY or MobaXterm, simply highlighting the link with your mouse will copy the URL to your clipboard. Avoid using ‘CTRL-C’, or it will send a SIGINT signal interrupting your process instead of performing a copy operation.

  • From the drop-down menu, choose the institute you are affiliated with. Below, we show an example of a KU Leuven user, but one has to pick the institute he/she is affiliated with.

    Choose your institute

  • You will be forwarded to the Identity Provider (IdP) of your institute, and you need to login in a usual way using your registered credentials. For KU Leuven users, the page looks like the following:

    idp_page

  • If you are already connected to the internal network, then you will be only asked to identify yourself with the MFA authenticator app on your personal phone:

    reauthenticate_phone

    This step may not be necessary when connecting from a white-listed IP address, like the internal networks of the Flemish universities, using a static on-site IP as well as the institutional VPN. For example, if you have already logged upfront into your institution’s network then you might not be required to log in again depending on your browser session settings (e.g., accepted cookies).

  • Once you are successfully authenticated, you end up on a page telling you that your VSC identity is confirmed. If you have already performed the previous login in that browser session, you will immediately end up on this page:

    firewall_confirmed

  • An SSH certificate will now be injected back into the agent.

That’s it! You can continue doing your HPC work as usual.

The certificate can be used as long as the agent remains alive and the certificate itself has not expired (they have a lifetime of 16 hours). Do not forget to set up your client so that it contacts your SSH agent when opening new connections (thereby making use of the certificates). For a few common clients the corresponding documentation pages are listed below.

SSH Client name

Purpose

Operating System

PuTTY

text-based terminal

Windows

MobaXterm

text-based terminal

Windows

NoMachine

graphical desktop

Windows, Linux, MacOS

FileZilla

file transfer

Windows, Linux, MacOS

Connecting without an SSH agent#

Most clients (such as PuTTY or MobaXterm) can also be made to work without an SSH agent. Keep in mind, however, that this approach tends to be less convenient since each new connection will require multi-factor authentication.

Certain clients (such as FileZilla, sshfs or NoMachine) furthermore do not show you the firewall link needed for the MFA and hence can only function in combination with an SSH agent holding an SSH certificate.

This being said, the agentless procedure runs as follows:

  • Connect to a Tier-2 login node using your chosen client application (e.g. MobaXterm).

  • The application is then supposed to show the link to complete the MFA procedure (similar to the the previous section).

  • After passing the MFA challenge, you should now be connected to a login node. In plain SSH connections a successful login is rewarded with a welcome message:

    login_node