Two-factor authentication is becoming a security standard for large organizations. Many of you are already accustomed to using Duo to authenticate to any University services.

In order to help ensure a more secure network, two-factor authentication is now required for logging into OSU Engineering servers for terminal or SFTP access.

This can cause problems for those not using an interactive terminal session, as there is an additional prompt that requires a response and the connection fails silently.

We can bypass the need for Duo authentication by setting up SSH keys for the applications that use SFTP.

Setup Guides

This guide only applies to Windows 11 and newer versions of Windows 10 (build 1809+). For older versions of Windows, please follow the instructions under "Using PuTTY" or check Microsoft's website on how to enable OpenSSH Client for Windows.

Steps

  1. Open the Command Prompt app.
  2. At the command line prompt, type `ssh-keygen -t rsa`
  3. You will then be asked to choose a save location for the keys. You can choose the default by pressing enter. Then hit enter two more times to skip creating a passcode.
  4. Still in the terminal, paste the following command: `type %UserProfile%\.ssh\id_rsa.pub | ssh your_username@access.engr.oregonstate.edu "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys"`. This will publish your public key to the engineering servers. If you saved the key to a location other than the default, replace `%UserProfile%\.ssh\id_rsa.pub` with this location, such as `C:\Users\your_username\.ssh\my_key.pub`.
  5. Enter your password. You will be presented with a Duo two-factor prompt. Enter 1 and press enter. This will send a request to your Duo Mobile app which you will need to accept.
  6. Test your SSH Keys by typing `ssh your_username@access.engr.oregonstate.edu -i %UserProfile%\.ssh\id_rsa` at the terminal command line prompt. If you saved the key to a location other than the default, replace `%UserProfile%\.ssh\id_rsa` with this location, such as `C:\Users\your_username\.ssh\my_key`. If successful, you will connect without having to enter a password or do two-factor authentication!

Using your SSH Keys with FileZilla

  1. First, download FileZilla (available here).
  2. Open FileZilla and go to File->Site Manager.
  3. Create a New Site and name it "access".
  4. To the right in the General Tab, select SFTP for the Protocol and enter the Host as access.engr.oregonstate.edu.
  5. For Logon Type select Key file, enter your username for User, and then browse to the location of your `id_rsa` file. You may have to change the dropdown to "All files (*.*)" in the File Explorer window to show your `id_rsa` file.
  6. Click Connect at the bottom and you should now be connected to Flip without the need of two-factor authentication!

Generating your SSH Key

  1. Launch the Mac Terminal app (/Applications/Utilities/Terminal.app).
  2. At the command line prompt, type `ssh-keygen -t rsa`
  3. You will then be asked to choose a save location for the keys. You can choose the default by pressing enter. Then hit enter two more times to skip creating a passcode.
  4. Still in the terminal, type `ssh-copy-id -i ~/.ssh/id_rsa.pub your_username@access.engr.oregonstate.edu`. This will publish your public key to the engineering servers.
  5. When prompted, enter your password.
  6. You should now see the two-factor Duo authentication. Enter 1 to send a push to your Duo Mobile app.
  7. Test your SSH Keys by typing `ssh access.engr.oregonstate.edu` at the terminal command line prompt. If successful, you will connect without having to enter a password or do two-factor authentication!

Using your SSH Keys with Cyberduck (https://cyberduck.io/)

  • Launch Cyberduck and click the Open Connection button.
  • Set the connection type to `SFTP` in the dropdown menu.
  • Set the server to "access.engr.oregonstate.edu".
  • Enter your ONID username.
  • Do not enter a password, and change SSH Private Key from `none` to the location of your `id_rsa` file. If you followed the default settings, it should already be listed without needing to browse.
  • Finally, click the Connect button and you will be logged in without the need for a password or 2-factor authentication.

Using your SSH Keys with Adobe Dreamweaver

Dreamweaver does not like the SSH key format generated by the latest version of OpenSSH and the ssh-keygen utility. If you are running a recent version of macOS, including Mojave, you will need to "downgrade" your id_rsa file using the following command in the Terminal app:

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
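
Added example, not part of the original guide: a shell check of which format a key file is in before it is loaded into a client. It covers the OpenSSH-to-PEM conversion above and the private-versus-public mix-up named in the troubleshooting list. The function names are hypothetical, and only the first line of the file is inspected.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the guide.

# key_format FILE
# Prints openssh-private, pem-private, ppk-private, openssh-public,
# rfc4716-public or unknown, judged from the first line of FILE.
key_format() {
    # tr strips the carriage return left by Windows line endings
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case $first in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh-private ;;  # ssh-keygen default
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-private ;;      # after ssh-keygen -p -m PEM
        PuTTY-User-Key-File-*)                 echo ppk-private ;;      # PuTTYgen "Save private key"
        "ssh-rsa "*)                           echo openssh-public ;;   # id_rsa.pub / authorized_keys line
        "---- BEGIN SSH2 PUBLIC KEY ----")     echo rfc4716-public ;;   # PuTTYgen "Save public key"
        *)                                     echo unknown ;;
    esac
}

# is_private_key FILE: succeeds only for a private key file.
is_private_key() {
    case $(key_format "$1") in
        *-private) return 0 ;;
        *)         return 1 ;;
    esac
}

# needs_pem_conversion FILE: succeeds when the key is still in the
# OpenSSH format, i.e. the ssh-keygen -p -m PEM step has not been run.
needs_pem_conversion() {
    [ "$(key_format "$1")" = "openssh-private" ]
}
```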

Now continue to set up Dreamweaver:

  • From the Dreamweaver site menu, select "Manage Sites":

  • Select the remote site connection you want to use SSH Keys with and then click the pencil icon underneath:

  • Next select "Servers" in left hand pane, and the existing server configuration to the right:

  • Configure as seen below, navigating to the ssh key file at /Users/[yourUserName]/.ssh/id_rsa
    ([yourUserName] is YOUR mac login name)

Given the large number of different Linux distributions, there is no one guide that will work for all. You can use Steps 1-7 of the macOS Guide to generate your keys and publish them to Flip. From that point on, you will need to use the FTP client of your choice.

Using PuTTY

For this you will need:

  • PuTTY (available here)
  • FileZilla (available here)

Steps

  1. Open up PuTTYGen, click "Generate," and follow the on-screen instructions.
  2. Once the key is generated, you will need to save the public key. Save it to a location where you will be able to find it easily and name it id_rsa.pub.
  3. Now you need to save the private key. Ignore the warning about the passcode. Save it to the same location as before and name it id_rsa.ppk.
  4. Using PuTTY, log onto access.engr.oregonstate.edu and enter your password when prompted.
  5. You will be presented with a Duo two-factor prompt. Enter 1 and press enter. This will send a request to your Duo Mobile app which you will need to accept.
  6. You are now logged onto access.engr.oregonstate.edu.
  7. If the directory .ssh does not exist, execute the command `mkdir .ssh` followed by `chmod 700 .ssh`
  8. Use your favorite command-line text editor (mine is emacs) to open up ~/.ssh/authorized_keys, which should be an empty file. If it does not exist, create it.
  9. From the PuTTY Key Generator window, copy the public key. Make sure you copy the entire string.
  10. Back in the editor on access.engr.oregonstate.edu, paste the copied public key and save the changes.
  11. You now need to set permissions on the file. In the PuTTY window, type `chmod 600 ~/.ssh/authorized_keys`
  12. Back in PuTTY, you want to create a Saved Session if you have not done so already.
  13. In Host Name, enter your_username@access.engr.oregonstate.edu
  14. Below, in the Saved Sessions field, enter flip and click Save.
  15. Click Connection->SSH->Auth->Credentials on the sidebar.
  16. On this screen, browse to the location of your private key file: id_rsa.ppk. Now click the Open button at the bottom.
  17. You should now be logged onto Flip without needing to provide a password OR two-factor authentication.
  18. Now we need to set up FileZilla.
  19. Open FileZilla and go to File->Site Manager.
  20. Create a New Site and name it "access".
  21. To the right in the General Tab, select SFTP for the Protocol and enter the Host as access.engr.oregonstate.edu.
  22. For Logon Type select Key file, enter your username for User, and then browse to the location of your `id_rsa.ppk` file.
  23. Click Connect at the bottom and you should now be connected to Flip without the need of two-factor authentication!
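
Added example, not part of the original guide: a shell check that every entry pasted into ~/.ssh/authorized_keys is one complete line, which is what "copy the entire string" in the PuTTY steps comes down to. The function name is hypothetical, and only `ssh-rsa` entries are recognised because the guide generates RSA keys.

```shell
#!/bin/sh
# Added example; bad_key_lines is a hypothetical name, not from the guide.

# bad_key_lines FILE
# Prints the line numbers in FILE that are not a complete ssh-rsa entry and
# returns 1 if there are any. Typical causes: a key wrapped across lines by
# the editor, a truncated paste, or PuTTYgen's saved public-key file pasted
# instead of the one-line key.
bad_key_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines are fine
        {
            ok = 0
            # The key type may be preceded by an options field, so scan all fields.
            for (i = 1; i < NF; i++) {
                blob = $(i + 1)
                # Every ssh-rsa blob is base64 that starts with the encoded
                # string "ssh-rsa" and has a length that is a multiple of 4.
                if ($i == "ssh-rsa" &&
                    blob ~ "^AAAAB3NzaC1yc2E[A-Za-z0-9+/]+=*$" &&
                    length(blob) % 4 == 0)
                    ok = 1
            }
            if (!ok) { print NR; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}
```

On the server, run `bad_key_lines ~/.ssh/authorized_keys`; no output means every entry is well formed.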

Troubleshooting Guide
  1. Make sure you have enabled your Engineering account.
    If you have not, please do so here: http://teach.engr.oregonstate.edu
  2. Make sure you have signed up for Duo.
    If not, please do so at https://duo.oregonstate.edu
  3. Make sure PuTTY is configured correctly (if using PuTTY).
    Load your private key (not public key) as per step 14 & 16 in the Windows 10 guide
  4. Use your ONID username without @oregonstate.edu at the "login as:" prompt.
    Make sure that in your network home directory, your .ssh directory permission is set to 700 (drwx------) and the .ssh/authorized_keys file permission is 600 (-rw-------)
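
The permission check from the last troubleshooting item, as an added shell example that is not part of the original guide. The function names are hypothetical; the test for a group- or world-writable home directory goes beyond what the guide lists and reflects sshd's default StrictModes behaviour.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the guide.

# mode_of PATH: first ten characters of `ls -ld`, e.g. drwx------
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# check_ssh_perms [HOME_DIR]
# Prints one line per problem and returns 0 only when nothing is wrong.
check_ssh_perms() {
    home=${1:-$HOME}
    rc=0
    # Assumption beyond the guide: with StrictModes (the sshd default), a home
    # directory writable by group or others also makes sshd ignore the keys.
    case $(mode_of "$home") in
        d????w????|d???????w?) echo "$home is writable by group or others"; rc=1 ;;
    esac
    if [ ! -d "$home/.ssh" ]; then
        echo "missing directory: $home/.ssh"; return 1
    fi
    m=$(mode_of "$home/.ssh")
    if [ "$m" != "drwx------" ]; then
        echo "$home/.ssh is $m, want drwx------ (chmod 700)"; rc=1
    fi
    if [ ! -f "$home/.ssh/authorized_keys" ]; then
        echo "missing file: $home/.ssh/authorized_keys"; return 1
    fi
    m=$(mode_of "$home/.ssh/authorized_keys")
    if [ "$m" != "-rw-------" ]; then
        echo "$home/.ssh/authorized_keys is $m, want -rw------- (chmod 600)"; rc=1
    fi
    return $rc
}

# fix_ssh_perms [HOME_DIR]: apply the modes the guide asks for.
fix_ssh_perms() {
    home=${1:-$HOME}
    chmod go-w "$home" &&
    chmod 700 "$home/.ssh" &&
    chmod 600 "$home/.ssh/authorized_keys"
}

# Usage on the server: check_ssh_perms || fix_ssh_perms
```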