<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" href="/style.css" type="text/css" /> <script type="text/javascript" src="/jquery.min.js"></script> <title>CERN Computer Security Information</title> <script type="text/javascript">
$(document).ready(function(){
  // Menu highlight
  var path = location.pathname.split("/");
  if ( path ) {
    $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected');
    // path[3] = /security/<xxxxx>/
    $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected');
  }
  // Add icon to external links
  $('a[id!=logo-img]').filter(function() {
    return this.hostname && this.hostname !== location.hostname;
  }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>');
});
</script> </head> <body> <div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width="335" src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a 
href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li> </ul> </div> <!-- navigation ends--> <!-- content-wrap starts --> <div id="content-wrap"> <div id="main"> <h2>Starting with Two-Factor Authentication</h2> <p>"Authentication" is the process by which you digitally prove who you are. Usually, your identity is verified when you type in your username and password. As you should never(!) share your password with anyone else, only you can provide the correct password for your digital identity.</p> <p>Instructions regarding 2FA for SSH access can be found <a href="#2fa_ssh">below</a>.</p> <p>At CERN, you have essentially one password, which is attached to your CERN account, and the <a href="https://auth.cern.ch">Single Sign-On portal</a> is the central instance for authentication. Please report to us whenever you are asked for your CERN password outside the <a href="https://auth.cern.ch">Single Sign-On portal</a>: any other page asking for it is very likely a phishing attempt.</p> <p><center><img border="0" src="/recommendations/images/auth.cern.ch.png" width="70%" alt="The CERN Single Sign-On login page at auth.cern.ch"/></center></p> <p>Password authentication is suitable for many users who visit CERN services for their daily tasks (e.g. attending Indico events, accessing the CERN Marketplace). For CERN users who have access to critical systems, however, protecting their account with only a password is not enough, since passwords are regularly lost or stolen; a single leaked password then gives an attacker everything needed to log in. This presents an essential security risk. "Two-Factor Authentication" is an enhanced method that requires not only that you know something (a password) but also that you possess a physical device, such as a hardware token or a phone with an authenticator app. If a CERN user is required to access a critical service, they must enable Two-Factor Authentication for themselves. Once Two-Factor Authentication is enabled, it must be used for every login (typically once per day) unless it is disabled again. Users of the following services must enable Two-Factor Authentication for themselves:</p> <ul> <li>Critical applications that are used within the CERN Finance Department or in the CERN Computer Security Team;</li> <li>Any remote access gateway used to access the Technical Network;</li> <li>Access to sensitive services used for the internal infrastructure of the CERN IT Department.</li> </ul> <p>This list will grow over time as more services enforce Two-Factor Authentication. Ultimately, any CERN user whose account could be abused to inflict significant damage on CERN should have their account protected using Two-Factor Authentication. Even if you are not accessing one of these critical services, you are welcome to enable it for yourself as an additional security measure!</p> <p>CERN Single Sign-On offers two options for registering a second factor:</p> <ul> <li>A one-time password (OTP) application running on your smartphone (for example andOTP, FreeOTP Authenticator, Google Authenticator, ...);</li> <li>A WebAuthn authenticator, such as a Yubikey or some modern fingerprint readers.</li> </ul> <p><b>It is essential that your second authentication factor is physically separated from your main working devices.</b> If the second factor lives on the same machine where you type your password, malware on that machine can capture both factors at once, and the second factor adds nothing. That is why Two-Factor Authentication mechanisms are either physical tokens (e.g. a physical card with a chip, a Yubikey) or an app on your smartphone (e.g. a dedicated banking app, or an app generating one-time passwords / OTP).</p>
<h3>Obtaining, managing and dealing with a lost 2nd factor</h3> <p>Please consult the ServiceNow Knowledge Base article <a href="https://cern.service-now.com/service-portal?id=kb_article&amp;n=KB0006587">KB0006587</a>. For more general questions, please consult our <a href="https://auth.docs.cern.ch/trouble-shooting/2fa-tips/">FAQ</a>.</p> <h3>WebAuthn prerequisites on Linux systems</h3> <p>As your web browser needs to talk to the WebAuthn token during registration and authentication, your (unprivileged) user account must be allowed to access the token's device node. Generic support for FIDO/WebAuthn hardware tokens was added <a href="https://github.com/systemd/systemd/pull/13357">only recently</a> to <tt>systemd</tt>/<tt>udev</tt> itself. Some distributions (e.g. Fedora, Ubuntu) ship other solutions by default, but this is not yet the case for all distributions. If your browser does not react to the token at all, missing device permissions are the first thing to check.</p> <h4>CERN CentOS 7</h4> <p>A package has been added to CERN CentOS 7 (also available in EPEL): <tt>u2f-hidraw-policy</tt>. After installing it, unplug and replug the token so that the new device permissions are applied.</p> <h3 id="2fa_ssh">2FA for SSH</h3> <p>Two-Factor Authentication also works to protect Linux servers via SSH! If you are a system manager interested in enabling it, just include our <a href="https://gitlab.cern.ch/ai/it-puppet-module-multifactor/">multifactor Puppet module</a> or check our code on <a href="https://cern-cert.github.io/pam_2fa/">GitHub</a>.</p> <p>The same second factors are supported for SSH access: time-based one-time passwords (TOTP, generated by an authenticator app) and Yubikeys. TOTP codes generated by the authenticator app you configured on the SSO can be used directly for SSH access as well. Since TOTP codes are derived from the current time, the SSH server's clock must be kept synchronized, or valid codes will be rejected.</p><p>To use your Yubikey(s) for SSH access, you need to register your key on this <a href="https://sshsetup.web.cern.ch">dedicated website</a>.
While CERN-issued Yubikeys can be registered directly, using your private Yubikey for SSH requires a custom configuration and sending its secrets to the CERN Computer Security Team.</p> <h3>Support</h3> <p>A series of questions and their answers is published in this <b><a href="https://auth.docs.cern.ch/trouble-shooting/2fa-tips/">FAQ</a></b>. For further questions or help, please contact the CERN Service Desk at <a href="mailto:Service.Desk@cern.ch">Service.Desk@cern.ch</a>.</p> </div> <!-- main ends --> <!-- SIDEBAR --> <!-- sidebar menu starts --> <div id="sidebar"> <h3>For All Users<br/> (Experts or Not)</h3> <ul class="sidemenu"> <li><a href="/recommendations/en/good_practises.shtml">Seven easy good practises</a></li> <li><a href="/recommendations/en/how_to_secure_your_pc.shtml">How to secure your PC or Mac</a></li> <li><a href="/recommendations/en/passwords.shtml">Passwords &amp; toothbrushes</a></li> <li><a href="/recommendations/en/2FA.shtml">Starting with multi-factor authentication</a></li> <li><a href="/recommendations/en/bad_mails.shtml">Bad mails for you:<br/>"Phishing", "SPAM" &amp; fraud</a></li> <li><a href="/recommendations/en/malicious_email.shtml">How to identify malicious e-mails and attachments</a></li> <li><a href="/recommendations/en/how_to_remove_malicious_browser_notifications.shtml">How to remove malicious browser notifications</a></li> <li><a href="/recommendations/en/working_remotely.shtml">Working remotely</a></li> <li><a href="/recommendations/en/connecting_to_cern.shtml">Connecting to CERN</a></li> <li><a href="/recommendations/en/ssh.shtml">Connecting using SSH</a></li> </ul> <h3>For Software Developers</h3> <ul class="sidemenu"> <li>Good programming in <a href="/recommendations/en/program_c.shtml">C/C++</a>, <a href="/recommendations/en/program_java.shtml">Java</a>, <a href="/recommendations/en/program_perl.shtml">Perl</a>, <a href="/recommendations/en/program_php.shtml">PHP</a>, and <a 
href="/recommendations/en/program_python.shtml">Python</a></li> <li><a href="/recommendations/en/password_alternatives.shtml">How to keep secrets secret<br/> (alternatives to passwords)</a></li> <li><a href="/recommendations/en/checklist_for_coders.shtml">Security checklist</a></li> <li><a href="https://gitlab.docs.cern.ch/docs/Secure%20your%20application/">GitLab CI Security Tools</a></li> <li><a href="/recommendations/en/web_applications.shtml">Securing Web applications</a></li> <li><a href="/recommendations/en/code_tools.shtml">Static code analysis tools</a></li> <li><a href="/recommendations/en/more_on_software.shtml">Further reading</a></li> </ul> <h3>For System Owners</h3> <ul class="sidemenu"> <li><a href="/recommendations/en/rootkits.shtml">Checking for rootkits</a></li> <li><a href="https://twiki.cern.ch/twiki/bin/viewauth/CNIC/WebHome">Securing Control Systems (CNIC)</a></li> <li><a href="/recommendations/en/containers.shtml">Securing Containers &amp; Pods</a></li> <li><a href="/rules/en/baselines.shtml">Security baselines</a></li> <li><a href="http://linux.web.cern.ch/linux/docs/linux_exploit_faq.shtml">The CERN Linux vulnerability FAQ</a></li> </ul> </div> <!-- sidebar menu ends --> <!-- content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> © Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. 
</td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>