Two Factor Authentication FAQ
This article will soon be migrated to STAT KB0013456
Basic information
ssh
After you enter your account password, Duo will prompt you to enter a passcode or to select an authentication method. You can authenticate via Duo Push (in the Duo Mobile app), through a phone call, or by entering a passcode that is sent via SMS to your phone. After confirming your login by one of these methods, you will see the familiar "Welcome to O2 (Orchestra 2)!" message and your login to the cluster is complete.
DESKTOP:~$ ssh abc123@o2.hms.harvard.edu
Password: [input your account password]
Duo two-factor login for abc123
Enter a passcode or select one of the following options:
1. Duo Push to XXX-XXX-1234
2. Phone call to XXX-XXX-1234
3. SMS passcodes to XXX-XXX-1234
Passcode or option (1-3): 1
Pushed a login request to your device...
Success. Logging you in...
Welcome to O2 (Orchestra 2)!
scp/sftp/rsync
Commands like scp, sftp, or rsync will still work as expected when using the transfer cluster transfer.rc.hms.harvard.edu.
Once you submit the scp/sftp/rsync command to transfer data, you will receive a notification via your default Duo method (e.g. push, phone, SMS) to authenticate if you are connecting from outside the HMS network. If you do not have a default Duo method set up, then scp, sftp, rsync and similar non-interactive commands cannot display the option menu, so they will just hang waiting for a response. Approve a Duo push only when it matches a command you just ran; a push you did not initiate means someone else has reached the Duo step with your password, so deny it and report it (see the contact information below).
Please visit this page on how to set up a default Duo method. For more information on transferring data to/from O2, please reference this page.
DESKTOP:~$ sftp abc123@transfer.rc.hms.harvard.edu
Password: [input your account password]
# now Duo will contact you via your preferred method
# once you've successfully authenticated, you will be connected:
Connected to abc123@transfer.rc.hms.harvard.edu.
sftp>
Additionally, when using scp or sftp from the command line, you can also pass ssh parameters with -o. This is useful if you need keep-alives to hold an idle session open, for example (graphical clients are covered below):
DESKTOP:~$ scp -o TCPKeepAlive=yes localfile.txt abc123@transfer.rc.hms.harvard.edu:
For more keep-alive options, you can try some settings on this page (use them with -o in the above command). Note that TCPKeepAlive only stops the operating system or a NAT device from dropping an idle TCP connection; ServerAliveInterval=N makes ssh itself send a request to the server every N seconds, which is what keeps an idle sftp session alive, and ServerAliveCountMax sets how many unanswered requests are tolerated before ssh disconnects.
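The same -o mechanism can also spare you a Duo prompt for every scp, sftp or rsync invocation, since each new connection is a new login to the cluster (the same behaviour the caveat for graphical clients describes further down). The script below is an added example written for this page, not part of the O2 documentation or of any HMS tooling. It uses standard OpenSSH connection multiplexing (ControlMaster, ControlPath, ControlPersist): one master connection takes the password and the Duo prompt, and later commands attach to it without authenticating again. The username abc123, the socket directory ~/.ssh/cm and the function names are placeholders; that your client is OpenSSH and that the transfer server permits multiplexed sessions are assumptions to verify before relying on this.

```shell
#!/bin/sh
# Added example (not from the O2 documentation): reuse one Duo-authenticated
# SSH connection for many scp/sftp/rsync commands with OpenSSH connection
# multiplexing. Every multiplexed command rides on the master's session, so the
# cluster sees a single login and Duo prompts once.
# Assumptions: an OpenSSH client; the server allows multiplexed sessions
# (standard OpenSSH behaviour, capped by its MaxSessions setting); the account
# name and socket directory below are placeholders.

O2_USER="${O2_USER:-abc123}"                      # placeholder account name
O2_HOST="${O2_HOST:-transfer.rc.hms.harvard.edu}"
O2_SOCK_DIR="${O2_SOCK_DIR:-$HOME/.ssh/cm}"       # control sockets live here

# Deterministic control-socket path for a given user. Anyone who can open this
# socket gets a session that has already passed Duo, so the directory is 0700.
# Keep the path short: Unix socket paths are limited to about 100 characters.
o2_control_path() {
    printf '%s/%s@%s\n' "$O2_SOCK_DIR" "$1" "$O2_HOST"
}

# Options shared by every command. ControlMaster=auto attaches to a running
# master (or becomes one, with a Duo prompt, if none exists). ServerAliveInterval
# is the SSH-level keepalive that stops an idle session from being dropped.
o2_ssh_opts() {
    printf -- '-o ControlPath=%s -o ControlMaster=auto -o ServerAliveInterval=60 -o ServerAliveCountMax=3' \
        "$(o2_control_path "$1")"
}

# Start the master: this is the one place the password and Duo prompt appear.
# -M be the master, -N run no remote command, -f background once authenticated;
# ControlPersist=yes keeps it alive until "stop".
o2_master_start() {
    mkdir -p "$O2_SOCK_DIR" && chmod 700 "$O2_SOCK_DIR"
    # word splitting of the option list is intended
    ssh -M -N -f -o ControlPersist=yes $(o2_ssh_opts "$O2_USER") "$O2_USER@$O2_HOST"
}

# Exit status 0 while the master is alive, non-zero once it is gone
# (the next command, or "start", will then bring a fresh Duo prompt).
o2_master_check() {
    ssh -O check -o ControlPath="$(o2_control_path "$O2_USER")" "$O2_USER@$O2_HOST"
}

# Tear the master down when finished; ssh removes the socket file with it.
o2_master_stop() {
    ssh -O exit -o ControlPath="$(o2_control_path "$O2_USER")" "$O2_USER@$O2_HOST"
}

# Transfers that reuse the master: no password, no Duo.
o2_put() {   # o2_put LOCAL_PATH REMOTE_PATH
    scp $(o2_ssh_opts "$O2_USER") "$1" "$O2_USER@$O2_HOST:$2"
}
o2_get() {   # o2_get REMOTE_PATH LOCAL_PATH
    scp $(o2_ssh_opts "$O2_USER") "$O2_USER@$O2_HOST:$1" "$2"
}
o2_rsync() { # o2_rsync LOCAL_DIR REMOTE_DIR (rsync takes ssh options via -e)
    rsync -av -e "ssh $(o2_ssh_opts "$O2_USER")" "$1" "$O2_USER@$O2_HOST:$2"
}
o2_sftp() {  # interactive sftp over the master
    sftp $(o2_ssh_opts "$O2_USER") "$O2_USER@$O2_HOST"
}

# Command dispatch. With no argument the script only defines the functions,
# so it can also be sourced from an interactive shell.
case "${1:-}" in
    start) o2_master_start ;;
    check) o2_master_check ;;
    stop)  o2_master_stop ;;
    put)   o2_put "$2" "$3" ;;
    get)   o2_get "$2" "$3" ;;
    rsync) o2_rsync "$2" "$3" ;;
    sftp)  o2_sftp ;;
    "")    ;;
    *)     echo "usage: $0 {start|check|stop|put SRC DST|get SRC DST|rsync SRC DST|sftp}" >&2; exit 2 ;;
esac
```

Run `start` once (password plus one Duo prompt), then any number of `put`, `get`, `rsync` or `sftp` commands, then `stop`. The same ControlMaster, ControlPath and ControlPersist settings can instead go in a Host block for transfer.rc.hms.harvard.edu in ~/.ssh/config, which also makes graphical clients that shell out to ssh pick them up. Because the control socket hands a Duo-authenticated session to anyone who can open it, keep the socket directory private and stop the master on shared machines when you are done.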
SFTP/SCP applications like Filezilla, WinSCP, and Transmit
Transferring data to or from O2 using the transfer cluster (transfer.rc.hms.harvard.edu) via an SFTP/SCP application like Filezilla will require two factor authentication from outside of the HMS network. For information on transferring data to/from O2, please reference this page.
When you connect to transfer.rc.hms.harvard.edu with FileZilla or an equivalent program, your default Duo method will be used to authenticate. If Duo Push is your preferred method, you will get a notification from the Duo app; if a phone call is your preferred method, you will get a call, etc. Once you have confirmed via Duo, you will be able to transfer files using your SFTP/SCP application.
In order to reduce the number of times you need to authenticate via Duo, you can enable the keep-alive option in your SFTP/SCP application. In FileZilla, this is located under Settings > Connection > FTP. Click the "Send FTP keep-alive commands" checkbox to enable sending keep-alive commands to retain your Filezilla connection for longer periods of time (and prevent needing to authenticate with Duo for your next transfer):
The equivalent option for enabling keep-alive commands in WinSCP is under the Advanced Site Settings menu, under Connection:
Transmit requires modification of several settings to reduce the number of authentication requests via Duo. Under Preferences > Advanced, select "Try to keep idle connections alive", and under Preferences > Advanced > Advanced Server Settings select "Tickle server during long transfers". You can also increase the number of seconds specified in "Connect Timeout" under Advanced Server Settings.
Additionally, Transmit participates in macOS App Nap, which can extend your battery life by putting inactive applications into a suspended state where they cannot use system resources. If App Nap is enabled for Transmit and the application is put into the background, you will get a Duo two-factor authentication request once you bring Transmit back to the foreground and try to transfer files to or from O2. You can prevent Transmit from using App Nap by running in your local terminal:
$ defaults write com.panic.Transmit NSAppSleepDisabled -bool YES
Caveat:
Note that all of these tools (and probably others) behave as expected only for ordinary drag-and-drop transfers inside the open session. If you use a file manager to edit files, to avoid a terminal-based text editor, and perform an action such as right-click → Edit and then save so that the edited file is re-uploaded to O2, you WILL be prompted to authenticate every single time. These programs typically open a brand new connection for such operations, and the cluster treats each new connection as a brand new login. The workaround is to stick to drag-and-drop operations, which reuse the existing open connection.
Of particular note, MobaXterm will prompt you for re-authentication every time even though you are performing a drag-and-drop activity.
We are looking into potential configuration settings or alternate offerings that may change the above behavior, and will modify this page accordingly if anything is found.
If your workflow is impacted by this (e.g. a local edit/re-upload workflow), it is strongly recommended that you find an alternate means of file editing that you are comfortable with. nano is a solid entry-level terminal-based text editor, but is much less feature-rich than programs such as vim or emacs, which have non-trivial learning curves. If you absolutely must use the mouse while editing, you can install certain text editors with Linux support directly on O2 (such as Sublime Text) and use them over an active X11 connection. You will experience some latency, especially as the file you are editing grows in size, but you will be able to edit your file with full mouse capabilities. If you have questions about this option, please contact us (see below) and we can assist you in setting it up in your cluster environment.