Update mfa_login.rst #380
extra clarification
Just to make sure that users see that MFA is also enforced when they are not using a private key.
source/access/mfa_login.rst
@@ -7,7 +7,7 @@ Multi Factor Authentication (MFA) | |||
the name suggests, requires multiple steps when authenticating. The following | |||
two factors are necessary to connect to the KU Leuven clusters: | |||
|
|||
- A valid private key | |||
- A valid private key (except when connecting via :ref:`Open OnDemand portal<ood_t2_leuven>`) | |||
- Access to a VSC-associated university/institution account |
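Review bot: The context line "The following two factors are necessary to connect to the KU Leuven clusters" no longer matches the list once the "A valid private key" bullet carries an Open OnDemand exception, because a portal user is left with only the account bullet and could read that path as single-factor. Suggest rewording the intro sentence, or stating on the "Access to a VSC-associated university/institution account" bullet that MFA is enforced at that login, so both connection paths are clearly described as multi-factor.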
- Access to a VSC-associated university/institution account, with MFA authentication
I even think nobody needs a private key anymore, the MFA is entirely within the institution authentication.
The only scenario (that I know) where users require keys are NX/FileZilla/WinSCP users, which makes having ssh keys optional for new users.
Is this PR good to go? Or you still propose a change?
> The only scenario (that I know) where users require keys are NX/FileZilla/WinSCP users, which makes having ssh keys optional for new users.
> Is this PR good to go? Or you still propose a change?

Can you try to log in using for instance NX, without a key? For me that seems to work, I get a certificate without ever needing my key and that certificate suffices to connect with NX. This makes me think that the private SSH key is never used when connecting. Unless I am wrong about that (and maybe it is good to check with Peter), I would propose to remove the line `A valid private key (except...)` completely.
I think we do indeed need to list the cases when you still need a key. And I think it's best to make the distinction between the KU Leuven Tier-2 and the other VSC infrastructure.
Logging in to Hortense with a terminal, you will need a key. However, if you use the web interface, I'm not sure if you need the key.
> > The only scenario (that I know) where users require keys are NX/FileZilla/WinSCP users, which makes having ssh keys optional for new users.
> > Is this PR good to go? Or you still propose a change?
>
> Can you try to log in using for instance NX, without a key? For me that seems to work, I get a certificate without ever needing my key and that certificate suffices to connect with NX. This makes me think that the private SSH key is never used when connecting. Unless I am wrong about that (and maybe it is good to check with Peter), I would propose to remove the line `A valid private key (except...)` completely.
I can always log in to NX with my certificate, but I think with e.g. FileZilla, you'd always need a key. If we ditch FileZilla/WinSCP in favor of Globus, then of course, we do not require keys at all.
Users of OnDemand do not require an SSH key to log in. This needed to be made clear in the docs.