Diff for "DukeAuthentication"

Accessing Duke's Systems and Logging In

Note that the systems described on this page are in the process of being implemented.

Implementation is expected to be complete by 2017.

Web Page Access

Many of Babase's web pages are available to the public without restriction. However, those pages which access database content or allow data to be changed are restricted to those with Duke NetIDs. Before accessing restricted pages your Duke NetID, it's password, and a second authentication check must be performed.

If you do not have a Duke NetID contact the Lab for sponsorship.

Setup your own 2nd level of authentication. (Called multi-factor or two-step authentication.) The first step is to login using your Duke NetID.

Be sure to have cookies turned on for all of the above.

Access to the Unix prompt with SSH

For most people the Babase web interface is all that's needed. More advanced users, particularly the data managers, have access to the Unix command prompt using SSH.

The Duke VPN

To use ssh you must first sign in to the Duke VPN. Most will use the Duke-supplied VPN software but FOSS users may wish to use the Open Source openconnect program instead. openconnect is probably already packaged by your OS supplier so try installing the OS supplied package first.

Basic openconnect usage

The openconnect command must be run as root.

The usual command for this is:

• openconnect -u YourDukeNetID --authgroup '-Default-' https://vpn.duke.edu/

Supplying your NetID and the authgroup saves you a bit of typing later.

You will be prompted for a password. This is your Duke NetID password.

The Duke VPN uses TCP port 443 at the Duke end. It also uses UDP port 443 (although this is undocumented). Your firewall will need to be configured to allow outbound traffic to these ports. This will probably not be a problem. TCP 443 is used for https connections and will typically already be open. Most firewalls are not configured using the most secure "default deny" policy and so allow users on the LAN to connect to any port at all at the remote end.

The alternative to opening outbound connections to UDP port 443 is to use the --no-dtls argument. This will also work should Duke change their configuration to use a different UDP port.

Advanced openconnect usage

The problem with the above command, and the Duke supplied VPN software, is that both the routing and the DNS server used by your box are changed. This can cause problems, from not being able to connect to non-web-based email servers to problems accessing local LAN services like X clients or printers. Fortunately there is a solution that sets up what amounts to a local virtual machine, though which you then connect to the Duke side of things. This is established using the vpnc-script-sshd helper script as follows (note the \ line continuation character):

• openconnect -u YourDukeNetID --script=/usr/share/vpnc-scripts/vpnc-script-sshd \ --authgroup '-Default-' https://vpn.duke.edu/

The path to the vpnc-script-sshd script may vary on your system. The above path is for Debian based systems.

The next step is to use the new virtual machine. (Really, this is a new network namespace on your local box.)

Connecting with SSH

When connecting with SSH Duke requires you use 2-factor authentication. But it's not always clear what sort of password must be entered where. These are the various prompts and how to respond to them:

• Password: This is a request for your Duke NetID password. You can skip this prompt
  • by configuring ~/.ssh/authorized_keys, adding your public key to the file as documented in sshd_config(5).
• Passcode or option ...: The options are fairly clear. The passcode requested is
  • a one time password. These may be obtained from the Duke

    multi-factor authentication site or generated by YubiKey hardware.