P.S. Sorry, I forgot to mention that wynton also uses the PharmChem Duo account for TFA. So if you directly access wynton from outside UCSF then you are also good-to-go with TFA on our VPN.
On 2/11/22 2:05 PM, Tom Ferrin wrote:
Our testing today was successful and so we plan to go into production with the TFA VPN setup next Friday, 2/18, at 10am.
How it's going to work: If you currently access RBVI hosts such as plato from outside of UCSF using an application such as ssh, then you already are using the same TFA app that the VPN will be using. If you don't do this, then keep reading. The VPN will use a Duo (https://duo.com/) account named "UCSF PharmChem." Duo is the same TFA used by the UCSF campus, of course, but the Duo app on your phone or tablet supports multiple accounts and the PharmChem account is distinct from your campus account. Beginning next Friday, when you connect to the RBVI VPN you will receive a notification on your phone/tablet asking you to confirm that it's you attempting to connect. You then just click on the Duo "OK, it's me" box and your VPN connection will complete. That's all there is to it!
Testing your account: If you want to test the PharmChem TFA account prior to next Friday's go-live date (advised), then try using the ssh or scp applications to access plato.cgl.ucsf.edu from a location outside of UCSF. You'll first need the Duo app installed on your phone or tablet of course. This campus IT web page describes how to do that: https://it.ucsf.edu/service/multi-factor-authentication-duo. Once registered with Duo and if the PharmChem account is _not_ set up on your device, then when you try to ssh/scp to plato Duo should pop up and tell you that you need a PharmChem account to continue. Follow the instructions Duo provides and you should be able to successfully connect to plato using TFA. If you take too long completing the setup steps you may need to try connecting again because the connection request times out after a while (30 seconds?).
Finally, when connecting to the RBVI VPN please remember that this uses a separate password from your plato/wynton "Kerberos" account password. Also, the only prompt you will get to confirm your connection request is from the Duo app, so you need to have your phone/tablet handy when you initiate the VPN connection. If you run into problems connecting, please send email to "vpn-user@cgl.ucsf.edu".
Implementing TFA on the RBVI VPN lets us complete a major remediation item noted during a recent IT audit, so thanks for your understanding.
The RBVI VPN will be down this Friday 10am-noon as we test two-factor authentication (TFA). If our tests are successful, another email will announce the time-frame for implementing TFA on RBVI's VPN.
Background:
UCSF security standards require TFA when accessing UCSF computing resources from outside of UCSF. Because the RBVI VPN currently does not require TFA, we are not compliant with this standard. A recent audit of RBVI computing resources identified this as a critical deficiency requiring high priority resolution.
Our plan is to implement TFA on RBVI's VPN using the same Duo technology as currently implemented when directly ssh'ing into RBVI's host "plato" from outside of UCSF. Access to plato requires use of the Duo "UCSF PharmChem" account. If you are already using this account to access plato, then minimal/no changes will be required to access our VPN in the future.
Please disconnect from the RBVI VPN prior to 10am on Friday, otherwise you risk your connection being severed without warning and potentially losing any work in progress.