Two Factor for firewall opening

It is possible to temporarily add new IPs to the firewall, by using Two Factor Authentification. This enables users participating in Conferences or visiting colleagues, to temporarily open the firewall from a new IP.

Note : This needs to be configured on a frontend - so do this in advance!


The setup requires a second factor (phone/tablet/smartwatch) that can store the secret and display the One Time Password on request. We have tested FreeOTP and Google Authenticator, that can be installed on both Android and Apple iPhone/iPad (Footnote: With iPadOS 13.2, it's been nessesary to remove and reinstall the app, to change/update the secret!) - Do *not* be tempted to install FreeOTP on your computer .. it defeats the purpuse of Multi Factor!


While connected to a frontend, run the command

- it will genereate a secret and present the QR-code:

$ hpc-gen2FA 
A new secret has been generated - enter your LDAP password to activate
the new two factor secret .. this will remove/replace ANY old secrets!
Enter LDAP Password:
Note: Your LDAP Password is your normal password.

You can test your App with this picture - it should say "exampleUser" and the password should change every 30 seconds.

Usage - Linux/Mac/Windows subsystem for Linux

To use the One Time password to open the firewall, simply ssh from your local computer to the machine "otp.hpc.ku.dk" and enter your normal password and the One-time password when prompted:

 % ssh put-your-HPC-username-here@otp.hpc.ku.dk
One-time password (OATH) for `put-your-HPC-username-here': 
Last login: Fri Nov  1 15:22:12 2019 from somewhere.dk

    --== Welcome to HPC/UCPH ==--

Your current IP has been registered and will be added to the firewall
within the next few minutes!

You should be able to connect to any frontend until Sunday.

HPC/UCPH Support

Connection to otp.hpc.ku.dk closed.
There is a few minutes delay, from authenticating to the service, before the temporal IP is known in the firewall.

Usage - PuTTY

With PuTTY on your local Windows, the screens looks like:

  • Set "otp.hpc.ku.dk" as the hostname
  • Select "Never" in "Close window on exit"

The first time you connect, you need to accept the hostkey - check it on the page about ssh

PuTTY will ask for

  • your username (replace 'put-your-HPC-username-here' with your actual username),
  • your password
  • the one-time password from the app

If username, password and One-time Password is accepted, you should get this message from the server.


The One-time password might depend on your timezone .. we have successfully tested this while in a different timezone - but only with phones with Danish SIMs.

We hope you will find this useful! :-)