Configuring Google Authenticator to Log in to Linstat

Google Authenticator is an app that runs on your smartphone. Once configured, when you try to log in to Linstat from outside the United States the app will generate a code which you must enter before giving your password. Using Google Authenticator takes some configuration, but does not send all your network traffic through an intermediary like VPN or Winstat. This makes it a good choice for Linstat users outside the United States who are concerned about the performance of their interactive sessions. (How you connect has no bearing on how quickly jobs run.)

Configuring Google Authenticator requires a connection to Linstat. If you will be traveling we suggest configuring it before you leave the United States; otherwise you'll need to connect using VPN or Winstat once to set up Google Authenticator. Keep in mind that as long as you're in the United States you won't be asked to use Google Authenticator even if you have it configured.

Installing Google Authenticator

The Google Authenticator smartphone app can be installed for free by searching the application marketplace for your smartphone, or from these links:

Configuration on Linstat

Once the application is installed, log into Linstat and type google-authenticator. Answer y to all the questions it asks. The result will look similar to the following:

linstat1.ssc.wisc.edu> google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/example@linstat1.ssc.wisc.edu%3Fsecret%3DLNP6YAQQSXZ7TFN5
Your new secret key is: LNP6YAQQSXZ7TFN5
Your verification code is 007939
Your emergency scratch codes are:
  52302031
  85960129
  70252895
  88603301
  62022909
Do you want me to update your "/home/d/dtest/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Configuration on Your Phone

Open the Google Authenticator app on your phone, and tap the icon to add a new account (the pencil in the upper right on iPhone, the three dots in the upper right on Android, the + in a circle at the bottom on Windows Phone). You can either select Scan Barcode or Manual Entry to enter the needed settings.

Scan Barcode

Copy the URL that the Linux google-authenticator command produced. It will be similar to:

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/example@linstat1.ssc.wisc.edu%3Fsecret%3DLNP6YAQQSXZ7TFN5

Paste it into a web browser on your PC or Mac and it should produce a square (QR) barcode. Align your phone's camera with the code on your monitor—you may need to adjust the distance between your phone and the screen before the phone will recognize it. The app should automatically add a code on the main screen. The app will call it username@linstat1.ssc.wisc.edu (or whichever Linstat you were logged into) but it will work for the entire Linstat cluster.

Manual Entry

The code you want is also produced by the google-authenticator command; it's listed on this line of output:

Your new secret key is: LNP6YAQQSXZ7TFN5

Give the account a name like Linstat and enter the code where it says Key. Make sure Time Based is checked.

Configuration in SecureCRT

If you connect to Linstat from a Mac or Linux computer, or from a Windows computer using PuTTY, no further configuration is needed. However, SecureCRT does need to be configured to ask for the verification code.

(Recall that if you're connecting remotely and not using VPN you cannot use X-Win32. SecureCRT and PuTTY are good alternatives, though neither of them can display graphics without forwarding them to a separate program like X-Win32 or Xming.)

Open the Properties for your Linstat session.

Open the Properties of your Linstat session

Under Category on the left, click Connection and then SSH2. In the Authentication section, select Keyboard Interactive and click the up arrow until it is the top choice.

Under connection, SSH2, make Keyboard Interactive the top Authentication method

Save the session, and from now on when you connect you'll be prompted for your verification code before your password.

Last Revised: 3/20/2017