(Note: you can also use Duo if you already have that app – see below)
If you want to add two-factor authentication to your CS account, download the Google Authenticator app to your phone, and then run the google-authenticator command on one of the CS machines:
google-authenticator
This will ask you a few questions (see below) and show a QR code, which you scan with the app. Once it’s all set up, you’ll be asked for a Verification Code when you try to log in to the CS machines with a password. Your password and the code (displayed by the app) are the two factors needed for logging in.
When you run the google-authenticator command above, you will be asked a few questions (shortened versions here):
Above are my answers. I’d keep the first two as “yes”, but the others you can change if you want.
Here’s an example of an ssh session using a password and verification code:
$ ssh username@fennel
Password: <not shown here>
Verification code: 123456
You will also be asked for the verification code if you log in on the graphical consoles (i.e., sitting in front of one of the lab machines).
Note: if you ever forget your phone, but still need to log in on the graphical console (i.e., in the lab), you can use Ctrl-Alt-F1 to switch to a terminal console. Now log in there (which won’t ask for your verification code), and then temporarily move the ~/.google_authenticator file to another name. Log out of the terminal console and use Ctrl-Alt-F7 (or maybe F8) to switch back to the graphical login screen.
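The following Python example is added here for illustration and is not part of the original page or of the google-authenticator tool. It parses a constructed file in the layout ~/.google_authenticator is assumed to have, then derives the verification code from the shared secret with RFC 6238 TOTP, which shows why that file should stay readable only by you. The sample secret is the RFC 6238 test key, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample, NOT a real account: the secret is the RFC 6238 test key.
# Assumed layout: secret on line 1, option lines start with '"', then scratch codes.
SAMPLE_FILE = '''GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
'''

def parse_state(text):
    """Split the file into (secret, options dict, scratch codes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret, options, scratch = lines[0], {}, []
    for ln in lines[1:]:
        if ln.startswith('"'):
            name, _, value = ln[1:].strip().partition(" ")
            options[name] = value
        else:
            scratch.append(ln)
    return secret, options, scratch

def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 over the current 30-second counter."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def acceptable_codes(secret_b32, now, window=3):
    """Codes for `window` time steps centred on `now` (assumed WINDOW_SIZE meaning)."""
    half = window // 2
    return [totp(secret_b32, now + 30 * i) for i in range(-half, half + 1)]

if __name__ == "__main__":
    secret, options, scratch = parse_state(SAMPLE_FILE)
    print("options:", options, "| scratch codes:", len(scratch))
    print("code now:", totp(secret, time.time()))
```

Anyone who can read the secret on the first line can compute the same codes as your phone, so the file is as sensitive as the QR code itself.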
If you want to use Duo instead of downloading the google-auth app to your phone, you can! You still need to run google-authenticator as shown above. Once you get the QR code, do this:
google-authenticator
command