+++
title = "Setting Up and Using Duo"
description = "Duo Setup Instructions"
weight = "8"
+++

{{% notice note %}}
The information here only pertains to using Duo with Holland Computing Center accounts.
For help with your general University (i.e. TrueYou) account and Duo, contact
the [Huskertech Help Center](https://its.unl.edu/helpcenter/) via email at {{< icon name="envelope" >}}[support@nebraska.edu](mailto:support@nebraska.edu).
{{% /notice %}}

##### **Use of Duo two-factor authentication (https://www.duosecurity.com) is required for access to HCC resources.**

Users will connect via SSH and enter their username/passwords as usual. One additional
authentication step through Duo is then needed before the login is completed. This 
second authentication can be in several different forms (cell phone, YubiKey hardware token), 
and is user-selectable at each login. A brief description of each is provided
[below](#duo-authentication-methods). See the
[Duo Authentication Methods](https://www.duosecurity.com/authentication-methods)
page for more details.

Initial Setup
-------------

Most HCC account holders use the Duo Mobile application on their
smartphone or purchase a YubiKey USB device.

### Smartphone

If you *are not* currently using Duo with your TrueYou account:

1.  Install the free **Duo Mobile** application from the
    [Google Play Store](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile), [Apple App Store](https://itunes.apple.com/us/app/duo-mobile/id422663827), or [Microsoft Store](https://www.microsoft.com/en-us/store/apps/duo-mobile/9nblggh08m1g)
2.  ~~Visit one of the following locations.  **Bring your smartphone and a valid photo ID** such as your university ID card or driver's license.~~
    1.  ~~Visit either HCC location [118 Schorr Center, UNL](http://www1.unl.edu/tour/SHOR) |
        [152 Peter Kiewit Institute, UNO](http://pki.nebraska.edu/new/pages/about-pki/maps-directions-and-parking) in-person anytime from 9am-5pm to enroll.~~
    2.  ~~Visit Information Technology Services [115 Otto Olsen, UNK](http://www.unk.edu/campus-map/?q=m15)
        in-person and ask for HCC identity verification.~~

    **Due to current health and safety concerns, Duo activation is entirely remote.** Join one of [HCC's Remote Open Office hours](https://hcc.unl.edu/OOH)
    sessions every Tues/Thurs from 2-3PM CST to activate Duo. Contact [hcc-support@unl.edu](mailto:hcc-support@unl.edu) for alternate
    times if you are not able to attend.

    Faculty/staff members with a verified NU telephone number can enroll by
    phone. If you would like an HCC staff member to call your NU telephone
    number to enroll, please email
    {{< icon name="envelope" >}}[hcc-support@unl.edu](mailto:hcc-support@unl.edu)
    with a time you will be available.

If you *are* currently using Duo with your TrueYou account:

1.  You can request to use the same phone for HCC's Duo as you are using for TrueYou.
    Please contact [hcc-support@unl.edu](mailto:hcc-support@unl.edu) with the request
    using the email address associated with your TrueYou account. In the email, include
    the last 4 digits of the phone number for verification.

### YubiKeys

YubiKey devices are currently a one-time cost of around $25 from HCC, or can be
purchased from Yubico and added in-person at either HCC location.
Purchasing a YubiKey from HCC must be done via a University cost object
transfer (HCC cannot accept cash or credit cards). Please bring the cost
object number with you if possible. YubiKeys are also available from the
Husker Tech store in the UNL City Union. Note that
YubiKeys are configured for HCC's Duo, and not for general YubiCloud or
U2F use.

Example login using Duo Push
----------------------------

This demonstrates an example login to Crane using the Duo Push method.
Using another method (SMS, phone call, etc.) proceeds in the same way.
(Click on any image for a larger version.)

First, a user connects via SSH using their normal HCC username/password,
exactly as before.

{{< figure src="/images/5832713.png" width="600" >}}

{{% notice warning%}}**Account lockout**

After 10 failed authentication attempts, the user's account is
disabled. If this is the case, then the user needs to send an email to
[hcc-support@unl.edu](mailto:hcc-support@unl.edu)
including his/her username and the reason why multiple failed
authentication attempts occurred.  
{{% /notice %}}

After entering the password, instead of completing the login, the user
will be presented with the Duo prompt. This gives the choice to use any
authentication method that the particular account is set up to use. In
this example, the choices are Duo Push notification, SMS message, or
phone call. Choosing option 1 for Duo Push, a request to verify the
login will be sent to the user's smartphone.

{{< figure src="/images/5832716.png" height="350" >}}

Simply tap `Approve` to verify the login.

{{< figure src="/images/5832717.png" height="350" >}}

{{% notice warning%}}**If you receive a verification request you didn't initiate, deny the 
request and contact HCC immediately via email at
[hcc-support@unl.edu](mailto:hcc-support@unl.edu)**
{{% /notice %}}

In the terminal, the login will now complete and the user will be logged in
as usual.

{{< figure src="/images/5832714.png" height="350" >}}


Duo Authentication Methods
--------------------------

### Duo Push 
##### [[Watch the Duo Push Demo]](https://www.duosecurity.com/duo-push)

{{< figure src="/images/5832709.png" height="350" caption="Photo credit: https://duosecurity.com" >}}

For smartphone or tablet users (iPhone, Android, Blackberry, Windows
Phone), the Duo Mobile app is available for free. A push notification
will be sent to the device, and users can simply confirm the login with
one tap.

### Duo Mobile Passcodes

{{< figure src="/images/5832711.png" height="350" caption="Photo credit: https://duosecurity.com" >}}

The Duo Mobile app can also be used to generate numeric passcodes, even
when internet and cell service are unavailable. Press the key icon to
generate a passcode.  The passcode is then entered manually at the login
prompt to complete authentication.

### SMS Passcodes


{{< figure src="/images/5832712.png" height="350" >}}

For non-smartphone users, Duo can send passcodes via normal text
messages, which are entered manually to complete login. Please note that since
this is an SMS message, it may not be free, depending on the details of
the particular cell phone plan.

### Phone Callback

For users with cell phones who prefer not to use any of the above
methods and for those with landline phones, Duo will call the phone and
provide a passcode via automatic voice message. The passcode is then
entered manually to complete the login.

### YubiKey
##### [[Yubico]](http://www.yubico.com/)

{{< figure src="/images/5832710.jpg" height="200" caption="Photo credit: Yubico" >}}

YubiKeys are USB hardware tokens that generate passcodes when pressed.
With HCC clusters, there is no prompt to press on the YubiKey. When the Duo prompt
appears in the terminal, press the YubiKey and it will output a string to the terminal
to authenticate you.
They appear as a USB keyboard to the computer they are connected to, and
so require no driver software with almost all modern operating systems.
YubiKeys are available from the Husker Tech store at UNL. Users may also purchase them directly from
[Yubico](https://store.yubico.com) if desired; this does require stopping 
by either HCC location in person to have the YubiKey added to the user's account. 
For your convenience, HCC often carries some YubiKeys as well; these may only be purchased via a
Cost Object transfer.