Using CRYPTOCards


CRYPTOCard Token

The CRYPTOCard token allows access to the ALCF systems. This security token uses one-time passwords combined with your PIN for controlled access to the login systems. The physical token is a tracked asset for which you are responsible and is keyed to your use. Please safeguard your token as you would your credit cards or house keys: Do not store username, PIN, or other account-related records with the token. Sharing of tokens is strictly forbidden. Please do not mark on the token or alter it in any way.

Enabling Your CRYPTOCard Token

Upon receipt of your CRYPTOCard and prior to use, the ALCF Service Desk must verify your identity and activate the token. If this step is not performed, the CRYPTOCard token will not be able to log on to the ALCF resource.

ALCF Service Desk
Hours: Monday-Friday 9 a.m. - 5 p.m. (Central time);
Phone: 630-252-3111 or 866-508-9181.

Logging in with Your CRYPTOCard Token

When the CRYPTOCard token is activated, an initial PIN will be provided. This will be a four-digit number that is prepended to the one-time password string generated by the token. Upon initial login, a prompt to change the PIN will appear. PINs must be at least four characters long and must only contain numbers.

  1. Initiate an SSH session using:

       ssh <ALCF username>@vesta.alcf.anl.gov

     or

       ssh <ALCF username>@mira.alcf.anl.gov

  2. A password prompt will be received. At this point, push the button on the CRYPTOCard token once.
  3. An eight-character, one-time password made up of letters and numbers will appear on the token’s display. This one-time password is case-sensitive.
  4. Type your PIN followed immediately by the one-time password at the SSH password prompt.

For example, if your PIN is 1234 and you received the one-time password string ABCD9876, you would type 1234ABCD9876 at the password prompt.

Troubleshooting Your CRYPTOCard

Case 1: If it says 'locked' - The token may be locked due to too many failed attempts. Please contact the ALCF Service Desk to return the defective token so that a replacement can be sent.

Case 2: If you have a PIN for your CRYPTOCard - Once a PIN has been set for your CRYPTOCard, you will need to prepend your PIN to the CRYPTOCard password. Otherwise you will not be able to log in. If you do not remember your PIN, please give us a call so we can verify your identity and reset your initial PIN.

Case 3: If it does not say 'locked' but still does not work - It is likely that your CRYPTOCard token has fallen out of sync with the server. If you have pushed the button on your CRYPTOCard token more than 10 times without successfully logging in, it will fail to authenticate because it has lost synchronization with the server. Please try connecting to Mira first. If it still fails, please follow the re-sync instructions below.
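Why more than 10 unanswered button presses break login, shown with a small model of an event-based token and a server that searches a look-ahead window of counter values. This is an added example, not ALCF or CRYPTOCard code: it substitutes HOTP (RFC 4226) for the token's own algorithm, and the key, PIN, LOOKAHEAD constant and all class and function names are constructed for illustration. The challenge-based re-sync itself is not modeled.

```python
import hashlib
import hmac
import struct

LOOKAHEAD = 10  # assumed window size, taken from the page's "more than 10 times"

def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP, a stand-in for the token's own algorithm (digits only)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Token:
    """Event-based token: every button press consumes one counter value."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> str:
        otp = hotp(self.key, self.counter)
        self.counter += 1
        return otp

class Server:
    """Accepts PIN + OTP if the OTP falls inside the look-ahead window."""
    def __init__(self, key: bytes, pin: str):
        self.key, self.pin, self.counter = key, pin, 0

    def verify(self, typed: str) -> bool:
        pin, otp = typed[:len(self.pin)], typed[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin):
            return False
        for c in range(self.counter, self.counter + LOOKAHEAD):
            if hmac.compare_digest(otp, hotp(self.key, c)):
                self.counter = c + 1  # catch up; older and replayed OTPs now fail
                return True
        return False

def login_after_presses(n: int) -> bool:
    """Press the button n times, then log in with PIN + the last OTP shown."""
    key, pin = b"constructed-demo-key", "1234"  # constructed sample values
    token, server = Token(key), Server(key, pin)
    for _ in range(n - 1):
        token.press()  # OTPs generated but never submitted
    return server.verify(pin + token.press())

if __name__ == "__main__":
    for n in (1, 10, 11):
        print(n, "presses ->", "accepted" if login_after_presses(n) else "out of sync")
```

In this model the tenth press still lands inside the server's window and the eleventh does not, which is the point at which a re-sync is needed.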

CRYPTOCard video: "Re-synchronizing Your CRYPTOCard"

Re-Sync Instructions:

If you have pushed the button on your CRYPTOCard token more than 10
times, it will fail to authenticate because it has lost synchronization
with the server. You can re-synchronize your token using the following procedure:

1. Have your CRYPTOCard ready.

2. Obtain a challenge sequence:
    - Initiate an SSH session to a host that allows CRYPTOCard
      authentication (such as mira.alcf.anl.gov). At the password
      prompt, just hit 'Enter'. This will cause the CRYPTOCard service
      to produce a challenge string consisting of 8 numbers.

3. Hold down the button on your token for a few seconds until the
    display says "Init", then let go.

4. The token will scroll through a series of menu options. When it
    displays "ReSync", hit the button again.

5. The display will say

     Resync?0

6. The number at the end will start cycling from 0 to 9, over and over.

7. Look at the numbers in your challenge string. When the number
    displayed on your token changes to the first number of the challenge
    string, press the button. The display will now show this number, and
    the second digit will start cycling.

8. Enter each of the numbers from your challenge string in the same
    manner, until the display on your token matches the entire challenge string.
    Choose the "<" to backspace and re-enter the previous number if
    necessary.

9. Once you've entered all 8 digits, re-check to make sure they're
    accurate. Then, while all 8 digits are displayed on the token, press
    the button to generate a new password.

10. Enter your PIN followed by the new password, and hit 'Enter'. 
     If successful, you will be logged in to the resource. You're now back 
     in sync with the authentication server.

If you are unsuccessful, you will be presented with another challenge string. 
At this point, you may need to perform the re-sync instructions again.

If there are still problems after completing the re-synchronization procedures, please call the ALCF Service Desk at 630-252-3111 or 866-508-9181 (US only, toll free) so we can run a test on the CRYPTOCard to determine if it is defective. If it is found to be defective, we will promptly replace it. CRYPTOCards are the property of Argonne National Laboratory. Please return them to us at:

 ALCF Service Desk
 Argonne National Laboratory
 Bldg. 240, 2.D.21
 9700 S. Cass Ave.
 Argonne, IL 60439

Resetting CRYPTOCard PIN

Please call the ALCF Service Desk at 630-252-3111 or 866-508-9181 (US only, toll free). Once your identity has been verified, we will reset and provide you with a new PIN for your CRYPTOCard.

CRYPTOCard Return

If you no longer need your CRYPTOCard, please return it to this address:

 ALCF Service Desk
 Argonne National Laboratory
 Bldg. 240, 2.D.21
 9700 S. Cass Ave.
 Argonne, IL 60439