Google Authenticator / MFA


Setting up a user

To set up two-factor authentication, please follow the steps below:

  1. Run the "google-authenticator" command to create a new secret key in your home directory. All settings made are saved in the ~/.google_authenticator file.
  2. After the setup is complete, a QR code is displayed. This QR code can be scanned by most multi-factor authentication apps.
    1. If the QR code is not displayed, you can still enter the secret key directly in the app.
    2. To ensure the QR code can be displayed on the MT9750, the following settings need to be configured:
      1.  Configuration > Terminal Settings (DSS)… > DSS Mode: Unicode, DSS Type: DSS 9763
      2.  Settings > Fonts… > Font with "String.Latin+ 1.2 is supported" (e.g., 13x26)
      Also, the following command must be entered in BS2000 after the settings are saved, and a new connection is established:
      /MODIFY-TERMINAL-OPTIONS CODED-CHARACTER-SET=UTFE
  3. Backup (emergency scratch) codes are also generated; write them down or save them elsewhere. They are needed if you do not have access to your authenticator app.
  4. At the end, "google-authenticator" asks for a token from the app to verify the setup.
  5. After successful setup, the SSH login prompts you to enter either your TOTP code (time-based one-time password) or your HOTP code (counter-based), depending on the mode chosen during setup.

If you want to connect a new device, you can read the existing key from the ~/.google_authenticator file. Alternatively, you can run the setup again at any time.

An example call may look like the following:

$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y

Your new secret key is: 3D3M4P3HI5D7FBUK6HKATSWVRQ
Enter code from app (-1 to skip): 343720
Code confirmed
Your emergency scratch codes are:
  36875382
  56561142
  43213851
  70351999
  47162852

Do you want me to update your "/home/USER/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

The saved ~/.google_authenticator file then contains the following options:

$ cat .google_authenticator
3D3M4P3HI5D7FBUK6HKATSWVRQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
36875382
56561142
43213851
70351999
47162852
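To make the effect of the options in that file concrete, the following added example (not part of this documentation or of the google-authenticator project) parses the file shown above, computes RFC 4226/6238 codes from the base32 secret, and models how a server applies WINDOW_SIZE 17 (8 steps either side), DISALLOW_REUSE and the one-time scratch codes. The Verifier class is a simplified model written for this example; the real PAM module additionally records used time steps back into the file.

```python
import base64, hashlib, hmac, struct

# Constructed sample: the ~/.google_authenticator file shown on this page.
SAMPLE_FILE = """3D3M4P3HI5D7FBUK6HKATSWVRQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
36875382
56561142
43213851
70351999
47162852
"""

def parse_ga_file(text):
    """First line: base32 secret; lines starting with '" ': options; rest: scratch codes."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    cfg = {"secret": lines[0], "options": {}, "scratch": []}
    for line in lines[1:]:
        if line.startswith('"'):
            name, *args = line[1:].split()
            cfg["options"][name] = args
        else:
            cfg["scratch"].append(line)
    return cfg

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1; TOTP is HOTP with counter = unix_time // 30."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits

class Verifier:
    """Simplified server-side check mirroring WINDOW_SIZE, DISALLOW_REUSE and scratch codes."""
    def __init__(self, cfg):
        self.cfg, self.scratch, self.used = cfg, list(cfg["scratch"]), set()
        self.half = (int(cfg["options"].get("WINDOW_SIZE", ["3"])[0]) - 1) // 2
    def verify(self, code, now):
        if code in self.scratch:            # emergency code: valid exactly once
            self.scratch.remove(code)
            return True
        step = int(now) // 30
        for c in range(step - self.half, step + self.half + 1):  # 17 -> +/-8 steps
            if f"{hotp(self.cfg['secret'], c):06d}" == code:
                if "DISALLOW_REUSE" in self.cfg["options"] and c in self.used:
                    return False                # same time step already consumed
                self.used.add(c)
                return True
        return False
```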