phys-npps-members-l AT lists.bnl.gov
Subject: ALL NPPS Members
List archive
Re: [[Phys-npps-members-l] ] A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos
- From: "Ye, Shuwei" <yesw AT bnl.gov>
- To: NPPS members <phys-npps-members-l AT lists.bnl.gov>
- Subject: Re: [[Phys-npps-members-l] ] A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos
- Date: Fri, 6 Mar 2026 16:46:06 +0000
Dear all,
Following my discussion with the CERN security team regarding their 2FA policy, I have learned that the second authentication factor must be physically separated from the operating system (details here).
In order to comply with CERN's 2FA requirements, I have removed the OTP automation tool from my GitHub repository.
Best regards,
--Shuwei
From: Ye, Shuwei <yesw AT bnl.gov>
Sent: Tuesday, March 3, 2026 8:31 AM
To: NPPS members <phys-npps-members-l AT lists.bnl.gov>
Subject: Re: A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos
Dear all,
To clarify my previous email: the SSH tool I mentioned supports both Linux and macOS.
Here are the installation scripts for each system:
- MacOS: https://github.com/yesw2000/modern-linuxtools/blob/master/ssh-cern/Install-OTP_tools-Mac.sh
- Fedora/RHEL/Alma: https://github.com/yesw2000/modern-linuxtools/blob/master/ssh-cern/Install-OTP_tools-Alma.sh
- Ubuntu/Debian: https://github.com/yesw2000/modern-linuxtools/blob/master/ssh-cern/Install-OTP_tools-Ubuntu.sh
After setting this up on your Mac, Linux machine, or Windows WSL, your connections to CERN lxplus will be much easier:
- No more manual OTP code copy/pasting.
- You only need to enter your Kerberos password once a week, as long as you connect to lxplus at least once a day.
The usage is:
$ ./ssh-lxplus -h
First-time setup: Please enter your CERN username.
(This input is required only for the first time)
CERN username: yesw
Username 'yesw' saved. Restarting...
Usage: ssh-lxplus [-h|--help] [--version] [--test-otp] [host]
Connect to lxplus (or a specified CERN host) using pass-otp and Kerberos.
  host        Remote machine matching 'lxplus*' or '*.cern.ch' (default: lxplus.cern.ch)
  --version   Print the script version and exit
  --test-otp  Display the OTP code only without making the ssh connection
Examples:
  ssh-lxplus
  ssh-lxplus lxplus908.cern.ch
  ssh-lxplus lxplus959
$ ./scp-lxplus -h
First-time setup: Please enter your CERN username.
(This input is required only for the first time)
CERN username: yesw
Username 'yesw' saved. Restarting...
Usage: scp-lxplus [-h|--help] [--version] [--test-otp] [-r] source... destination
Copy files between the local machine and CERN lxplus using pass-otp and Kerberos.
  source...    One or more source files/directories
  destination  Target location (local path or host:path)
  -r           Recursive copy for directories
  --version    Print the script version and exit
  --test-otp   Display the OTP code only without making the scp connection
Examples:
  scp-lxplus *.sh lxplus959.cern.ch:/tmp/
  scp-lxplus lxplus908:/tmp/dummy.txt .
Cheers,
--Shuwei
From: Ye, Shuwei <yesw AT bnl.gov>
Sent: Monday, March 2, 2026 11:01 AM
To: NPPS members <phys-npps-members-l AT lists.bnl.gov>
Subject: A tool of Automated SSH/SCP access to CERN lxplus with OTP and Kerberos
Dear all,
Inspired by Brett's idea of generating OTPs in the command line, I've developed a tool to automate SSH and SCP access to CERN lxplus using OTP and Kerberos.
Once set up, you can simply run ssh-lxplus to connect without the need to manually copy and paste your 2FA code, while seamlessly utilizing your existing Kerberos token for CERN.CH.
You can find the relevant scripts in the repository here:
https://github.com/yesw2000/modern-linuxtools/tree/master/ssh-cern/
Setup for Mac: To install the OTP prerequisites and initialize 2FA, download and run the following script:
$ wget https://raw.githubusercontent.com/yesw2000/modern-linuxtools/refs/heads/master/ssh-cern/Install-OTP_tools-Mac.sh
$ bash Install-OTP_tools-Mac.sh
Usage: After setup, download the ssh-lxplus (for SSH connections) and scp-lxplus (for file transfers) scripts:
$ wget https://raw.githubusercontent.com/yesw2000/modern-linuxtools/refs/heads/master/ssh-cern/ssh-lxplus
$ chmod +x ssh-lxplus
$ ./ssh-lxplus
Note: The scripts will ask for your CERN username on the first run and will automatically update themselves to save it for future use.
You can find more details in the documentation here:
https://github.com/yesw2000/modern-linuxtools?tab=readme-ov-file#-cern-sshscp-with-automatic-2fa
Cheers,
--Shuwei
From: Viren, Brett
Sent: Thursday, February 5, 2026 12:24 PM
To: Ye, Shuwei
Cc: NPPS members
Subject: Re: [[Phys-npps-members-l] ] Browser-based OTP authenticator for all OS
"Ye, Shuwei" <yesw AT bnl.gov> writes:
> Zhaoyu asked about OTP alternatives to phone apps.
An alternative for anyone like me that lives in the command line:
$ pass otp com/github/me/totp | xclip
*paste*
Ingredients:
- https://www.passwordstore.org/
- https://github.com/tadfisher/pass-otp
-Brett.