
Two-Factor Authentication

In order to comply with the NIH mandate that all ssh logins from outside the NIH network must employ two-factor authentication, moab-ext now requires PIV card authentication on all incoming connections. Connections to moab.ncifcrf.gov are not affected.

Register your PIV card

Registration makes the public certificate embedded in your PIV card available to the system for authentication. Go to https://authinternal.nih.gov/CertAuthV2/forms/NIHUserCertReg.aspx with any web browser and follow the instructions there. The process is similar to registering for webmail, but not identical. Note also that when you renew the certificate on your PIV card (yearly for contractors, every three years for government), you will need to re-register the certificate.

Windows Configuration

Download PuTTY-CAC from https://www.risacher.org/putty-cac/. This is a "portable" set of programs that does not need administrative privileges to install. This version is identical to the standard PuTTY program except that it adds the CAPI authentication necessary to use the PIV card. Start PuTTY and load the session for moab-ext. Then select the CAPI menu in the left pane under Connection and SSH.


Check the box to attempt CAPI authentication. Then click on the browse button and select your PIV certificate. (Some users may have more than one cert presented. If so, you may need to try each cert to see which one works.) Scroll back to the top of the left pane, select "Connection" and save your settings. When you now use this session profile, you will be prompted to insert your PIV card and enter the PIN.

Commercial products such as HID's ActivClient can also provide PIV card support, but these have not been tested by ITOG staff.

OS X

An installer that configures the default OS X ssh client to use your SmartCard is available at https://github.nimh.nih.gov/burgintj/MacOSX-SSH-SmartCard. This was written specifically for NIH but has not been tested by ITOG staff.

Linux

Two separate packages must be configured for the Linux desktop. First, pcscd and pcsc-tools need to be installed and tested against the specific card reader. Second, OpenSC must be installed and ssh configured to load opensc-pkcs11.so. Much of this will be distribution specific. ITOG staff has gotten it to work on a Dell Latitude E6500 and Ubuntu 15.10. We can offer advice on specific platforms but cannot guarantee support.
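
One way to carry out the Linux steps above, as an added example that is not ITOG's own procedure. It assumes the stock pcsc-tools, OpenSC and OpenSSH command names, a guessed list of library directories, and `moab-ext` as the ssh host alias; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not ITOG's procedure. Tool names are the stock pcsc-tools,
# OpenSC and OpenSSH ones; function names and the directory list are assumptions.

# Directories where distributions commonly install opensc-pkcs11.so (assumed list).
PKCS11_DIRS="/usr/lib/x86_64-linux-gnu /usr/lib64 /usr/lib /usr/local/lib"

# Print the first opensc-pkcs11.so found in the given directories (default: PKCS11_DIRS).
find_pkcs11_module() {
    for dir in ${*:-$PKCS11_DIRS}; do
        if [ -f "$dir/opensc-pkcs11.so" ]; then
            printf '%s\n' "$dir/opensc-pkcs11.so"
            return 0
        fi
    done
    return 1
}

# Emit an ssh_config stanza that makes ssh load the PKCS#11 module for one host.
ssh_config_stanza() {   # $1 = host alias, $2 = path to opensc-pkcs11.so
    printf 'Host %s\n    PKCS11Provider %s\n' "$1" "$2"
}

# Return 0 if config file $2 already has a "Host <alias>" line for alias $1.
has_host_entry() {
    [ -f "$2" ] && grep -Eq "^[[:space:]]*Host[[:space:]]+$1[[:space:]]*\$" "$2"
}

# Full procedure: locate the module, confirm pcsc-tools is present, list readers,
# print the card's SSH public keys, then append the stanza once.
# Needs a reader with the PIV card inserted.
piv_ssh_setup() {   # $1 = host alias (default moab-ext), $2 = ssh config path
    host=${1:-moab-ext}; cfg=${2:-$HOME/.ssh/config}
    module=$(find_pkcs11_module) || { echo "opensc-pkcs11.so not found; install OpenSC" >&2; return 1; }
    # pcsc_scan runs until interrupted, so only its presence is checked here.
    command -v pcsc_scan >/dev/null || { echo "install pcsc-tools and test the reader with pcsc_scan" >&2; return 1; }
    opensc-tool --list-readers      # informational: readers visible through pcscd
    ssh-keygen -D "$module" || { echo "no keys readable through $module" >&2; return 1; }
    has_host_entry "$host" "$cfg" && { echo "$host already in $cfg"; return 0; }
    mkdir -p "$(dirname "$cfg")" && ssh_config_stanza "$host" "$module" >> "$cfg"
    chmod 600 "$cfg"
}
```

Source the file and run `piv_ssh_setup`; the public keys printed by `ssh-keygen -D` let you see which of the card's certificates ssh will offer.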