Our testing today was
successful and so we plan to go into production with the TFA VPN
setup next Friday, 2/18, at 10am.
How it's going to work: If you currently access RBVI hosts such as
plato from outside of UCSF using an application such as ssh, then
you already are using the same TFA app that the VPN will be using.
If you don't do this, then keep reading. The VPN will use a Duo (https://duo.com/) account
named "UCSF PharmChem." Duo is the same TFA used by the UCSF
campus, of course, but the Duo app on your phone or tablet supports
multiple accounts and the PharmChem account is distinct from your
campus account. Beginning next Friday, when you connect to the
RBVI VPN you will receive a notification on your phone/tablet
asking you to confirm that it's you attempting to connect. You
then just click on the Duo "OK, it's me" box and your VPN
connection will complete. That's all there is to it!
Testing your account: If you want to test the PharmChem TFA
account prior to next Friday's go-live date (advised), then try
using the ssh or scp applications to access plato.cgl.ucsf.edu
from a location outside of UCSF. You'll first need the Duo app
installed on your phone or tablet of course. This campus IT web
page describes how to do that: https://it.ucsf.edu/service/multi-factor-authentication-duo.
Once registered with Duo and if the PharmChem account is _not_ set
up on your device, then when you try to ssh/scp to plato Duo
should pop up and tell you that you need a PharmChem account to
continue. Follow the instructions Duo provides and you should be
able to successfully connect to plato using TFA. If you take too
long completing the setup steps you may need to try connecting
again because the connection request times out after a while (30
seconds?).
Finally, when connecting to the RBVI VPN please remember that
this uses a separate password from your plato/wynton "Kerberos"
account password. Also, the only prompt you will get to confirm
your connection request is from the Duo app, so you need to have
your phone/tablet handy when you initiate the VPN connection. If
you run into problems connecting, please send email to
"vpn-user@cgl.ucsf.edu".
Implementing TFA on the RBVI VPN lets us complete a major
remediation item noted during a recent IT audit, so thanks for
your understanding.
The RBVI VPN will be down
this Friday 10am-noon as we test two-factor authentication (TFA).
If our tests are successful, another email will announce the
time-frame for implementing TFA on RBVI's VPN.
Background:
UCSF security standards require TFA when accessing UCSF computing
resources from outside of UCSF. Because the RBVI VPN currently
does not require TFA, we are not compliant with this standard. A recent audit of RBVI computing resources
identified this as a critical deficiency requiring high priority
resolution.
Our plan is to implement TFA on RBVI's VPN using the same Duo
technology as currently implemented when directly ssh'ing into
RBVI's host "plato" from outside of UCSF. Access to plato
requires use of the Duo "UCSF PharmChem" account. If you are
already using this account to access plato, then minimal/no
changes will be required to access our VPN in the future.
Please disconnect from the RBVI VPN prior to 10am on Friday,
otherwise you risk your connection being severed without warning
and potentially losing any work in progress.