Hi Mike, Just send mail to admins@wynton.ucsf.edu. Your UCSF-Pharm Chem DUO is the same one that you use on Wynton, so if you reset it there, it will work on the VPN. -- scooter On 2/22/22 10:27, Michael Trnka via Hal2-users wrote:
Hi Tom, I got a new phone over the weekend and I’m having problems connecting via Duo. The old phone had two Duo accounts for UCSF and UCSF-Pharm Chem. On the new phone, I’ve been able to get a new QR code from UCSF to enable this account. However, I’m not sure how to re-enable the Pharm Chem account. When I ssh to plato and ask for a push, it sends it to the old phone still. If I ask for a phone call it will call the new phone. Some people seem to have an option in their Duo Mobile android app settings that enable a new phone by providing a QR code, but my app does not have this option. Can you provide instructions for how I set up the new phone with the Pharm Chem credentials? Thanks,
Mike
On Feb 11, 2022, at 2:05 PM, Tom Ferrin via Hal2-users <hal2-users@cgl.ucsf.edu> wrote:
Our testing today was successful and so we plan to go into production with the TFA VPN setup next Friday, 2/18, at 10am.
How it's going to work: If you currently access RBVI hosts such as plato from outside of UCSF using an application such as ssh, then you already are using the same TFA app that the VPN will be using. If you don't do this, then keep reading. The VPN will use a Duo (https://duo.com/) account named "UCSF PharmChem." Duo is the same TFA used by the UCSF campus, of course, but the Duo app on you phone or tablet supports multiple accounts and the PharmChem account is distinct from your campus account. Beginning next Friday, when you connect to the RBVI VPN you will receive a notification on your phone/tablet asking you to confirm that it's you attempting to connect. You then just click on the Duo "OK, it's me" box and your VPN connection will complete. That's all there is to it!
Testing your account: If you want to test the PharmChem TFA account prior to next Friday's go-live date (advised), then try using the ssh or scp applications to access plato.cgl.ucsf.edu <http://plato.cgl.ucsf.edu> from a location outside of UCSF. You'll first need the Duo app installed on your phone or tablet of course. This campus IT web page describes how to do that: https://it.ucsf.edu/service/multi-factor-authentication-duo. Once registered with Duo and if the PharmChem account is _not_ set up on your device, then when you try to ssh/scp to plato Duo should pop up and tell you that you need a PharmChem account to continue. Follow the instructions Duo provides and you should be able to successfully connect to plato using TFA. If you take too long completing the setup steps you may need to try connecting again because the connection request times out after a while (30 seconds?).
Finally, when connecting the the RBVI VPN please remember that this uses a separate password from your plato/wynton "Kerberos" account password. Also, the only prompt you will get to confirm your connection request is from the Duo app, so you need to have your phone/tablet handy when you initiate the VPN connection. If you run into problems connecting, please send email to "vpn-user@cgl.ucsf.edu".
Implementing TFA on the RBVI VPN let's us complete a major remediation item noted during a recent IT audit, so thanks for your understanding.
Subject: RBVI VPN will be down this Friday 10am - Noon From: Tom Ferrin <tef@cgl.ucsf.edu> Date: 2/9/22, 4:59 PM
To: hal2-users@cgl.ucsf.edu
The RBVI VPN will be down this Friday 10am-noon as we test two-factor-authentication (TFA). If our tests are successful, another email will announce the time-frame for implementing TFA on RBVI's VPN.
Background: UCSF security standards require TFA when accessing UCSF computing resources from outside of UCSF. Because the RBVI VPN currently does not require TFA, we are not compliant with this standard. A recent audit of RBVI computing resources identified this as a critical deficiency requiring high priority resolution.
Our plan is to implement TFA on RBVI's VPN using the same Duo technology as currently implemented when directly ssh'ing into RBVI's host "plato" from outside of UCSF. Access to plato requires use of the Duo "UCSF PharmChem" account. If you are already using this account to access plato, then minimal/no changes will be required to access our VPN in the future.
Please disconnect from the RBVI VPN prior to 10am on Friday, otherwise you risk your connection being severed without warning and potentially loosing any work in progress. _______________________________________________ Hal2-users mailing list Hal2-users@cgl.ucsf.edu https://www.rbvi.ucsf.edu/mailman/listinfo/hal2-users
_______________________________________________ Hal2-users mailing list Hal2-users@cgl.ucsf.edu https://www.rbvi.ucsf.edu/mailman/listinfo/hal2-users