phys-npps-members-l AT lists.bnl.gov
Subject: ALL NPPS Members
List archive
Re: [[Phys-npps-members-l] ] A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos
- From: "Ye, Shuwei" <yesw AT bnl.gov>
- To: NPPS members <phys-npps-members-l AT lists.bnl.gov>
- Subject: Re: [[Phys-npps-members-l] ] A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos
- Date: Tue, 3 Mar 2026 13:31:18 +0000
Dear all,
To clarify my previous email: the SSH tool I mentioned supports both Linux and macOS.
Here are the installation scripts for each system:
- MacOS: https://github.com/yesw2000/modern-linuxtools/blob/master/ssh-cern/Install-OTP_tools-Mac.sh
- Fedora/RHEL/Alma: https://github.com/yesw2000/modern-linuxtools/blob/master/ssh-cern/Install-OTP_tools-Alma.sh
- Ubuntu/Debian: https://github.com/yesw2000/modern-linuxtools/blob/master/ssh-cern/Install-OTP_tools-Ubuntu.sh
After setting this up on your Mac, Linux machine, or Windows WSL, your connections to CERN lxplus will be much easier:
- No more manual OTP code copy/pasting.
-
You only need to enter your Kerberos password once a week, as long as you connect to lxplus at least once a day.
The usage is:
$ ./ssh-lxplus -h
First-time setup: Please enter your CERN username.
(This input is required only for the first time)
CERN username: yesw
Username 'yesw' saved. Restarting...
Usage: ssh-lxplus [-h|--help] [--version] [--test-otp] [host]
Connect to lxplus (or a specified CERN host) using pass-otp and Kerberos.
host Remote machine matching 'lxplus*' or '*.cern.ch' (default: lxplus.cern.ch)
--version Print the script version and exit
--test-otp Display the OTP code only without making the ssh connection
Examples:
ssh-lxplus
ssh-lxplus lxplus908.cern.ch
ssh-lxplus lxplus959
$ ./scp-lxplus -h
First-time setup: Please enter your CERN username.
(This input is required only for the first time)
CERN username: yesw
Username 'yesw' saved. Restarting...
Usage: scp-lxplus [-h|--help] [--version] [--test-otp] [-r] source... destination
Copy files between the local machine and CERN lxplus using pass-otp and Kerberos.
source... One or more source files/directories
destination Target location (local path or host:path)
-r Recursive copy for directories
--version Print the script version and exit
--test-otp Display the OTP code only without making the scp connection
Examples:
scp-lxplus *.sh lxplus959.cern.ch:/tmp/
scp-lxplus lxplus908:/tmp/dummy.txt .
Cheers,
--Shuwei
From: Ye, Shuwei <yesw AT bnl.gov>
Sent: Monday, March 2, 2026 11:01 AM
To: NPPS members <phys-npps-members-l AT lists.bnl.gov>
Subject: A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos
Sent: Monday, March 2, 2026 11:01 AM
To: NPPS members <phys-npps-members-l AT lists.bnl.gov>
Subject: A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos
Dear all,
Inspired by Brett's idea of generating OTPs in the command line, I've developed a tool to automate SSH and SCP access to CERN lxplus using OTP and Kerberos.
Once set up, you can simply run
ssh-lxplus to
connect without the need to manually copy and paste your 2FA code, while seamlessly utilizing your existing Kerberos token for CERN.CH.
You can find the relevant scripts in the repository here:
https://github.com/yesw2000/modern-linuxtools/tree/master/ssh-cern/
Setup for Mac: To install the OTP prerequisites and initialize 2FA, download and run the following script:
bash
$ wget https://raw.githubusercontent.com/yesw2000/modern-linuxtools/refs/heads/master/ssh-cern/Install-OTP_tools-Mac.sh
$ bash Install-OTP_tools-Mac.sh
Usage: After setup,
download the
ssh-lxplus (for
SSH connections) and scp-lxplus (for
file transfers) scripts:
bash
$ wget https://raw.githubusercontent.com/yesw2000/modern-linuxtools/refs/heads/master/ssh-cern/ssh-lxplus
$ chmod +x ssh-lxplus
$ ./ssh-lxplus
Note: The scripts will ask for your CERN username on the first run and will automatically update themselves to save it for future use.
You can find more details in the documentation here:
https://github.com/yesw2000/modern-linuxtools?tab=readme-ov-file#-cern-sshscp-with-automatic-2fa
Cheers,
--Shuwei
From: Viren, Brett
Sent: Thursday, February 5, 2026 12:24 PM
To: Ye, Shuwei
Cc: NPPS members
Subject: Re: [[Phys-npps-members-l] ] Browser-based OTP authenticator for all OS
Sent: Thursday, February 5, 2026 12:24 PM
To: Ye, Shuwei
Cc: NPPS members
Subject: Re: [[Phys-npps-members-l] ] Browser-based OTP authenticator for all OS
"Ye, Shuwei" <yesw AT bnl.gov> writes:
> Zhaoyu asked about OTP alternatives to phone apps.
An alternative for anyone like me that lives in the command line:
$ pass otp com/github/me/totp | xclip
*paste*
Ingredients:
- https://www.passwordstore.org/
- https://github.com/tadfisher/pass-otp
-Brett.
> Zhaoyu asked about OTP alternatives to phone apps.
An alternative for anyone like me that lives in the command line:
$ pass otp com/github/me/totp | xclip
*paste*
Ingredients:
- https://www.passwordstore.org/
- https://github.com/tadfisher/pass-otp
-Brett.
-
[[Phys-npps-members-l] ] A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos,
Ye, Shuwei, 03/02/2026
- Re: [[Phys-npps-members-l] ] A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos, Brett Viren, 03/02/2026
- Re: [[Phys-npps-members-l] ] A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos, Ye, Shuwei, 03/03/2026
Archive powered by MHonArc 2.6.24.