Duo Two-Factor Authentication
Due to changes in security policies, we now require two-factor authentication for all KSU Linux servers, including the HPC login servers. For ssh services like the HPC, once you've entered your password, the system will provide you with a menu where you choose your second authentication method. The menu will look something like this:
Duo two-factor login for <netid>
Enter a passcode or select one of the following options:
1. Duo Push to XXX-XXX-7890
2. Phone call to XXX-XXX-7890
Passcode or option (1-2):
Following your choice, the interaction will be the same as any other time you have used two-factor authentication at KSU.
Note, due to limitations in how Duo works at the command line, if you mistype your password, the server will still prompt you to authenticate with Duo, and then it will tell you that your password is invalid.
Enabling Software To Work With Duo
Certain software that connects to the HPC using SSH may need some additional configuration to work now that we've turned on two-factor authentication. Generally, it's a matter of enabling the "Keyboard Interactive" authentication method instead of simple "Password" authentication. Below are some common software packages used to connect to the HPC and how to enable the "Keyboard Interactive" authentication mode:
OpenSSH uses a configuration file in your account (if it exists) to configure its behavior. The file is ${HOME}/.ssh/config, and may or may not exist already in your account.
Here are some steps for creating the file (and its directory) and adding the appropriate setting to the file:
- Create the directory if it doesn't already exist:
    mkdir -p -m 700 ${HOME}/.ssh
- Edit the file ${HOME}/.ssh/config in your favorite text editor. We need to add the following lines to the beginning of the file:
    Host *.kennesaw.edu
        PreferredAuthentications hostbased,publickey,keyboard-interactive,password
  If the file is empty, add the lines to the file and save it.
- Save the file.
- Run the following command:
    chmod 600 ~/.ssh/config
The OpenSSH programs ssh, scp, and sftp should now allow you to connect.
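The OpenSSH steps above can also be applied in one repeatable pass. This is an added example, not part of the original instructions; the function name ensure_kbdi_config and its optional path argument are assumptions.

```shell
#!/bin/sh
# Added example: apply the OpenSSH steps above without duplicating the block
# on reruns. ensure_kbdi_config and its optional path argument are assumptions.

ensure_kbdi_config() {
    cfg="${1:-$HOME/.ssh/config}"
    dir=$(dirname "$cfg")

    # Step 1: private directory for SSH settings (no-op if it already exists).
    mkdir -p -m 700 "$dir" || return 1

    # If a "Host *.kennesaw.edu" block is already present, do not add a second
    # one. An existing block is not edited; only the file mode is tightened.
    if [ -f "$cfg" ] &&
       grep -q '^[[:space:]]*Host[[:space:]].*\*\.kennesaw\.edu' "$cfg"; then
        chmod 600 "$cfg"
        return 0
    fi

    # Step 2: the block goes at the beginning, ahead of any existing entries,
    # so it is written first and the old contents are appended after it.
    tmp=$(mktemp "$dir/config.XXXXXX") || return 1
    {
        printf '%s\n' 'Host *.kennesaw.edu'
        printf '%s\n' '    PreferredAuthentications hostbased,publickey,keyboard-interactive,password'
        if [ -s "$cfg" ]; then
            printf '\n'
            cat "$cfg"
        fi
    } > "$tmp" || { rm -f "$tmp"; return 1; }

    # Final step: owner-only permissions, then swap the file in with one rename
    # so an interrupted run never leaves a half-written config behind.
    chmod 600 "$tmp" && mv "$tmp" "$cfg"
}
```

Call ensure_kbdi_config with no argument to update ${HOME}/.ssh/config. Running `ssh -G` followed by the host name prints the options OpenSSH will actually use for that host, including the preferredauthentications line.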
The Bitvise client manages its ssh/scp/sftp options through the client itself. From within the client, load the profile that you want to modify and follow these steps:
- Click on the Login tab at the top of the window.
- On the right-hand side of the window, in the Authentication section, click on the "Initial Method" drop-down menu and select "publickey+kbdi".
- You can also select any of the options that include either kbdi or keyboard-interactive. The "publickey+kbdi" is just the best option, in our opinion.
- Save the profile by clicking on "Save profile" on the left-hand side of the screen.
Cyberduck uses a configuration file in your account (if it exists) to configure its behavior. It's actually the same configuration file that OpenSSH uses. On a Mac, you should follow the instructions on this page for OpenSSH; on a Windows machine, you should follow the PowerShell instructions.
MobaXterm works without any changes if you're connecting from the Session menu. However, when you use its local terminal to start ssh, scp, or sftp by hand, it uses a configuration file in your account (if it exists) to configure its behavior, just like OpenSSH. The file is ${HOME}/.ssh/config, and may or may not exist already in your account.
Here are some steps for creating the file (and its directory) and adding the appropriate setting to the file:
- Open a local terminal in MobaXterm. Create the directory if it doesn't already exist:
    mkdir -p -m 700 ${HOME}/.ssh
- Edit the file ${HOME}/.ssh/config in your favorite text editor. If you want to use a Windows editor, the directory should be in:
    C:\Users\<userid>\Documents\MobaXterm\home\.ssh
  Where <userid> is your Windows login name. We need to add the following lines to the beginning of the file:
    Host *.kennesaw.edu
        PreferredAuthentications hostbased,publickey,keyboard-interactive,password
  If the file is empty, add the lines to the file and save it.
- Save the file. SSH, SFTP, and SCP should work now.
PowerShell uses OpenSSH, which uses a configuration file in your account (if it exists) to configure its behavior. The file is $HOME\.ssh\config, and may or may not exist already in your account.
Here are some steps for creating the file (and its directory) and adding the appropriate setting to the file:
- Open PowerShell.
- Create the directory if it doesn't already exist:
    New-Item -Path $HOME\.ssh -ItemType Directory
- Create an empty configuration file if it doesn't already exist:
    New-Item -Path $HOME\.ssh\config
- Edit the file $HOME\.ssh\config in your favorite text editor. We need to add the following lines to the beginning of the file:
    Host *.kennesaw.edu
        PreferredAuthentications hostbased,publickey,keyboard-interactive,password
  If the file is empty, add the lines to the file and save it.
- Save the file. The OpenSSH programs ssh, scp, and sftp should allow you to connect.