Multi-factor Authentication
To improve security, access to all cluster requires both a public key and multi-factor authentication (MFA). We use the same MFA (Duo) as is used elsewhere at Yale. To get set up with Duo, see these instructions.
You will need upload your ssh public key to our site. For more info on how to use ssh, please see the SSH instructions.
Once you've set up Duo and your key is registered, you can log in to the cluster. Use ssh to connect to your cluster of choice, and you will be prompted for a passcode or to select a notification option. We recommend choosing Duo Push (option 1). If you chose this option you should receive a notification on your phone. Once approved, you should be allowed to continue to log in.
Note
You can set up more than one phone for Duo. For example, you can set up your smartphone plus your office landline. That way, if you forget or lose your phone, you can still authenticate. For instructions on how to add additional phones go here.
Connection Multiplexing and File Transfers with DUO MFA
Some file transfer clients attempt new and sometimes multiple concurrent connections to transfer files for you. When this happens, you will be asked to Duo authenticate for each connection.
SSH Config File
On macOS and Linux-based systems setting up a config file lets you re-uses your authenticated sessions for command-line tools and tools that respect your ssh configuration.
An example config file is shown below which enables SSH multiplexing (ControlMaster
) by caching connections in a directory (ControlPath
) for a period of time (2h, ControlPersist
).
# If you use a ssh key that is named something other than id_rsa,
# you can specify your private key like this:
# IdentityFile ~/.ssh/other_key_rsa
# Uncomment the ForwardX11 options line to enable X11 Forwarding by default (no -Y necessary)
# On a Mac you still need xquartz installed
Host *.ycrc.yale.edu bouchet grace mccleary milgram misha
User NETID
#ForwardX11 yes
# To re-use your connections with multi-factor authentication
# Uncomment the two lines below
#ControlMaster auto
#ControlPath /tmp/%h_%p_%r
#ControlPersist 2h
Host mccleary grace milgram misha
HostName %h.ycrc.yale.edu
Tip
You can change the ControlPath
directory to /tmp
or any other directory, so long as it exists.
CyberDuck
CyberDuck's interface with MFA can be stream-lined with a few additional configuration steps.
Under Cyberduck > Preferences > Transfers > General
change the setting to "Use browser connection" instead of "Open multiple connections".
When you connect type one of the following when prompted with a "Partial authentication success" window.
- "push" to receive a push notification to your smart phone (requires the Duo mobile app)
- "sms" to receive a verification passcode via text message
- "phone" to receive a phone call
MobaXTerm
MobaXTerm is able to cache MFA connections to reduce the frequency of push notifications.
Under Settings > SSH > Advanced SSH settings
set the ssh browser type to scp (enhanced speed)
as seen here:
WinSCP
Similarly, WinSCP can reuse existing SSH connections to reduce the frequency of push notifications.
Under Options > Preferences > Background (under Transfer)
and:
- Set
Maximal number of transfers at the same time:
to 1 - Check the
Use multiple connections for single transfer
box - Click
OK
to save settings
Troubleshoot MFA
If you are having problems initially registering Duo, please contact the Yale ITS Helpdesk.
If you have successfully used MFA connect to a cluster before, but cannot now, first please check the following:
- Test MFA using http://access.yale.edu
- Verify that your ssh client is using the correct login node
- Verify you are attempting to connect from a Yale machine or via the proper VPN
If all of this is true, please contact us. Include the following information (and anything else you think is helpful):
- Your netid
- Have you ever successfully used ssh and Duo to connect to a cluster?
- How long have you been having problems?
- Where are you trying to connect from? (fully qualified hostname/IP, if possible)
- Are you using a VPN?
- What is the error message you see?