Pic of SecurID card

In order to access our systems remotely, users are assigned a SecurID card. This card displays a new, pseudo-random password every minute. Users can connect to our systems using a combination of this random password and a short PIN, like your bank account access number. Because each password is only valid briefly, attackers at remote sites cannot break into our systems by intercepting passwords.

Terminology

  • login.ks - our remote access SSH server. Allows connections over SSH, but only through the SecurID system.
  • Key Fob/SecurID Card - the actual physical hardware that is used by the users to access the system. Displays a constantly changing TOKENCODE on its front, along with an indication of how much longer the code will be valid for. Users are assigned a single card, which should last (barring abuse) for five years. Each costs ~$80.
  • PIN - a 4-8 digit string known only to the user, which is used as a secret password for accessing the system.
    • This should not be the same as any other PIN you have elsewhere, such as bank accounts!
    • While originally this was only set up to allow for digits (0-9), it now supposedly takes random characters.
    • The system may force you to change your PIN periodically.
  • TOKENCODE - a 6-digit string that changes every minute, displayed on the SecurID Key Fob.
  • PASSCODE - a string combining the PIN and TOKENCODE, which is what is actually used to enter the system.
    • Example: if your PIN is "1114" and the current TOKENCODE is "541064", then your current PASSCODE is "1114541064"
    • If you do not yet have a PIN, then your PASSCODE is just the TOKENCODE.
  • RSA Ace - name of the server product that actually does the authentication on the back-end.

Connecting to TCB Systems with SecurID

Once you have set your PIN (see below), you can connect to our systems by using SSH to connect to login.ks.uiuc.edu. When you try to connect, you will enter your PASSCODE for access. Once you have connected, you can connect to any other group machine using your standard system password.

Policies:

  • Never reveal your PIN to anybody. I can't emphasize this enough. If we find that you have done so, your card will be disabled.
  • All remote SSH access must go through the SecurID system!
  • Access is only available for full-time group members and graduate students, and specifically approved long-term collaborators and guests (with a deposit).
    • Visitors can still use BioCoRE to use relevant local resources.
    • Guests/collaborators must return the card at the end of their visit or collaboration, or pay $100 for a replacement card.
    • In the case that a card must be mailed to a collaborator, it will be sent in "disabled" form. Once it arrives, you can verify your identity by calling the sysadmin office (217/244-1855); they will then enable the card.
  • Each user is assigned only one SecurID card. It should be treated like all group equipment, and treated with respect.

Initial Setup

When you first get your card, you will need to set your PIN before you can use the card:

  • If you have received your SecurID card through mail, then a default PIN was set by the sysadmin team. Please contact them over the phone to learn what this PIN is set to.
  • If you have just gotten your SecurID card in person, then your PIN is currently unset. You will have to set it on first login, following the instructions.
    1. Connect to login - at a Unix prompt, run "ssh username@login.ks.uiuc.edu" (using your username).
    2. You will be prompted with "PASSCODE:". As you do not yet have a PIN, enter your six-digit TOKENCODE.
    3. At the prompt "New PIN required; do you wish to continue (yes/no)? [no]", enter "yes"!
    4. You will then see the prompt "Enter your new PIN containing 4 to 8 characters, or Press <Enter> to generate a new PIN and display it on screen:"
      • Enter a 4-8 character string, letters and numbers only. You will have to confirm it.
      • If you press <Enter>, then it will generate a PIN for you.
    5. Wait until the Tokencode changes then enter the new one and press <Enter>.
    6. You can now authenticate with your new PASSCODE - PIN + TOKENCODE.

Caveats

  • You can only use each PASSCODE once! If you need to log in twice in rapid succession, wait a minute between attempts so that the TOKENCODE changes.
  • If you mistype your PASSCODE three times straight, your PIN is reset; you will have to enter in a new one after your next successful login (with your original PIN).
  • If you mistype your PASSCODE 10 times straight, your card will be disabled. Contact the sysadmin team for help.
    • Be careful with programs that automatically enter your password! They may reset your account quickly and accidentally.
  • If you wish to change your PIN, contact the sysadmin team.
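
The caveats above, modelled as a short Python sketch. This is an added example, not part of the original page and not RSA Ace code. It assumes that a reused PASSCODE counts as a failed attempt, and it shows how a program that keeps re-sending one stored PASSCODE first triggers the PIN reset and then disables the card.

```python
# Added example: a model of the lockout rules in the Caveats list.
# Not RSA Ace code; thresholds come from the page, the rest is assumed.
PIN_RESET_AFTER = 3   # consecutive failures before a new PIN is required
DISABLE_AFTER = 10    # consecutive failures before the card is disabled


class Card:
    def __init__(self, pin):
        self.pin = pin
        self.failures = 0            # consecutive failed attempts
        self.new_pin_required = False
        self.disabled = False
        self.used = set()            # PASSCODEs already accepted once

    def login(self, passcode, tokencode):
        """Check one attempt against the TOKENCODE currently on the fob."""
        if self.disabled:
            return "disabled"
        good = passcode == self.pin + tokencode and passcode not in self.used
        if not good:
            # Assumption: a replayed PASSCODE counts like a mistyped one.
            self.failures += 1
            if self.failures >= DISABLE_AFTER:
                self.disabled = True
                return "disabled"
            if self.failures >= PIN_RESET_AFTER:
                self.new_pin_required = True
            return "denied"
        self.used.add(passcode)
        self.failures = 0
        return "ok, set new PIN" if self.new_pin_required else "ok"


def replay_stored_passcode(card, passcode, tokencode, attempts):
    """What a client that re-sends one saved PASSCODE does to the card."""
    return [card.login(passcode, tokencode) for _ in range(attempts)]


if __name__ == "__main__":
    card = Card("1114")  # PIN and TOKENCODE are the page's example values
    for n, result in enumerate(
            replay_stored_passcode(card, "1114541064", "541064", 11), 1):
        print(n, result)
```

In this model the first attempt succeeds, the next nine replays are denied (with a new PIN required from the third failure on), and the tenth failure disables the card.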

Contacts