New users can apply for a trial account with limited core/GPU hours without a project description. Applications for a full account need a project description to be reviewed. Up to 15 million core hours per project, a technical review (reasonable usage of resources) is sufficient. Beyond that, a scientific review (importance of research) will be necessary.
New users can apply for a trial account with limited core/GPU hours without a project description. Applications for a full account need a project description to be reviewed. Up to 15 million core hours per project, a technical review (reasonable usage of resources) is sufficient. Beyond that, a scientific review (importance of research) will be necessary.
### 2.1 Multi-factor-authentication
### 2.1 Multi-factorauthentication
For security reasons, you can't login with a combination of username and password. Instead, we use a system called **Multi-Factor-Authentication** (MFA, sometimes 2FA for two-factor authentication), i.e. you need to prove your identity with two different (as in different systems/locations) 'factors':
For security reasons, you can't login with a combination of username and password. Instead, we use a system called **Multi-FactorAuthentication** (MFA, sometimes 2FA for two-factor authentication), i.e. you need to prove your identity with two different (as in different systems/locations) 'factors':
- The first factor is given by the SSH public key. Please send your SSH _public_ key to the HPC team. You can find general information on public key authentication [here](https://www.ssh.com/academy/ssh/public-key-authentication).
- The first factor is given by the SSH public key. Please send your SSH _public_ key to the HPC team. You can find general information on public key authentication [here](https://www.ssh.com/academy/ssh/public-key-authentication).
- The second factor involves the [Cisco Duo app](https://duo.com/product/multi-factor-authentication-mfa/duo-mobile-app). To use it, you will need to enroll your account, see [cisco-duo-setup.pdf](uploads/cd518a29f4362a9383c7345a975ed065/cisco-duo-setup.pdf) .
- The second factor involves the [Cisco Duo app](https://duo.com/product/multi-factor-authentication-mfa/duo-mobile-app). To use it, you will need to enroll your account, see [cisco-duo-setup.pdf](uploads/cd518a29f4362a9383c7345a975ed065/cisco-duo-setup.pdf) .
If you own a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) hardware token, you can also use it (in [OTP](https://en.wikipedia.org/wiki/One-time_password) mode) as the second authentication factor instead of Cisco Duo. If you are interested in using a Yubikey, please contact the [HPC-Team](mailto:hpc-mgr@uni-koeln.de). Please note: we can't provide Yubikeys to users, but it could be a worthwhile investment for about 50€.
If you own a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) hardware token, you can also use it (in [OTP](https://en.wikipedia.org/wiki/One-time_password) mode) as the second authentication factor instead of Cisco Duo. If you are interested in this solution, please contact the [HPC-Team](mailto:hpc-mgr@uni-koeln.de). Please note: we can't provide Yubikeys to users, but it could be a worthwhile investment for about 50€.
After you have successfully enrolled in Cisco Duo and prepared your SSH key pair, please send your _public_ key to us.
After you have successfully enrolled in Cisco Duo and prepared your SSH key pair, please send your _public_ key to us.
cat ~/.ssh/id_ed25519.pub # copy-paste and send to hpc-mgr@uni-koeln.de
# Procedure for circumventing passphrase at ssh-login (optional):
eval "$(ssh-agent -s)" # set ssh-agent's environment variables
ssh-add ~/.ssh/id_ed25519 # provide private-key identity to agent
ssh-add -l # list managed identities (should show at least one entry)
# Done, or keep reading below for more details
```
| Command | Description |
| Command | Description |
| ----------- | ----------- |
| ----------- | ----------- |
...
@@ -86,11 +77,11 @@ ssh-add -l # list managed identities (should show at least on
...
@@ -86,11 +77,11 @@ ssh-add -l # list managed identities (should show at least on
| `ssh-add ~/.ssh/id_ed25519` | provide private-key identity to agent |
| `ssh-add ~/.ssh/id_ed25519` | provide private-key identity to agent |
| `ssh-add -l` | list managed identities (should show at least one entry) |
| `ssh-add -l` | list managed identities (should show at least one entry) |
Done, or keep reading below for more details.
Please keep reading below if you require more details.
There is always a private (as in **private - don't share, don't give away**) and a public key in an SSH key pair. As with physical keys, one does not want to share private keys or leave their copies in other locations/computers. Instead, create new SSH key pairs on each frequently-used host. Let's outline a **3-step procedure** to get you "keyed-in".
There is always a private (as in **private - don't share, don't give away**) and a public key in an SSH key pair. As with physical keys, one does not want to share private keys or leave their copies in other locations/computers. Instead, we recommend to create new SSH key pairs on each frequently-used host. Let's outline a **3-step procedure** to get you "keyed-in".
