Two-factor authentication is becoming a security standard for large organizations. Many of you are already accustomed to using Duo to authenticate when using Box, WebEx or OSU Google GSuite apps.

In order to help ensure a more secure network, two-factor authentication is now required for logging into OSU Engineering servers for terminal or SFTP access.

This can cause problems for those not using an interactive terminal session, as there is an additional prompt that requires a response and the connection fails silently.

We can bypass the need for DUO authentication by setting up SSH Keys for our applications that use SFTP

Creating SSH Keys for Windows

 

 

Creating SSH Keys for macOS

 

Operating Specific Setup Guides (Text)

For this you will need:

  • PuTTY (available here)
  • FileZilla (available here)

Steps

  1. Open up PuTTYGen, click "Generate," and follow the on-screen instructions
  2. Once the key is generated, you will need to save the public key

Save public key

Save it to a location you will be able to easily find it and name it id_rsa.pub

  1. Now you need to save the private key

Save public key

Ignore the warning about the passcode. Save it to the same location as before and name it id_rsa.ppk

  1. Using PuTTY, log onto access.engr.oregonstate.edu and enter your password when prompted
  2. You will be presented with a Duo two-factor prompt. Enter 1 and press enter. This will send a request to your Duo Mobile app which you will need to accept

Duo prompt

  1. You are now logged onto access.engr.oregonstate.edu
  2. If the directory .ssh does not exist, execute the command mkdir .ssh followed by chmod 700 .ssh
  3. Use your favorite command text editor (mine is emacs) to open up ~/.ssh/authorized_keys which should be an empty file. If it does not exist, create it
  4. From the PuTTY Key Generator window copy the key as shown in the image below. Make sure you copy the entire string. 

Copy public key

  1. Back in the editor on access.engr.oregonstate.edu paste the copied public key and save the changes

Update authorized keys

  1. You now need to set permissions on the file.  In the putty window, type chmod 600 ~/.ssh/authorized_keys
  2. Back in PuTTY, you want to create a Saved Session you have not done so already
  3. In Host Name enter your_username@access.engr.oregonstate.edu

Enter host name

  1. Below in the Saved Sessions field enter flip and click Save

Save session name

  1. Click Connect->SSH->Auth on the sidebar

Open Connection

  1. On this screen, Browse to the location of your private key file: id_rsa.ppk. Now click the Open Button at the bottom

Load private key

  1. You should now be logged onto Flip without needing to provide a password OR two-factor authorization

SSH Key success

  1. Now we need to set up FileZilla
  2. Open FileZilla and go to File->Site Manager

Open Site Manager

  1. Create a New Site and name it "access"

Create new site

  1. To the right in the General Tab, Select SFTP for the Protocol and enter the Host as access.engr.oregonstate.edu

Enter host

  1. For Logon Type select Key file, enter your username for User, and then browse to the location of your `id_rsa.ppk' file.

Set user and load key

  1. Click Connect at the bottom and you should now be connected to Flip without the need of two-factor authentication!
  1. Launch the mac terminal.app (/Applications/Utilities/Terminal.app

 

  1. At the command line prompt, type ssh-keygen -t rsa
  2. You will then be asked to choose a save location for the keys. You can choose the default by pressing enter. Then hit enter two more times to skip creating a passcode
  3. Still in the terminal, type ssh-copy-id -i ~/.ssh/id_rsa.pub your_username@access.engr.oregonstate.edu. This will publish your public key to the engineering servers.
  4. When prompted enter your password
  5. You should now see the two-factor Duo authentication. Enter 1 to send a push to your Mobile Duo app
  6. Test your SSH Keys by typing ssh access.engr.oregonstate.edu at the terminal command line prompt. If successful, you will connect without having to enter a password or do two-factor authentication!

Using your SSH Keys with Cyberduck (https://cyberduck.io/)

  • Launch Cyberduck and click the Open Connection button
  • Set  connection type to  `SFTP` in the dropdown menu
  • Set the server to "access.engr.oregonstate.edu"
  • Enter your ONID username 
  • Do not enter a password and change SSH Private Key from `none` to the location of your `id_rsa` file. If you followed the default settings it should already be listed without needing to browse
  • Finally click the Connect button and you will be logged in without the need for a password or 2-factor authentication

Using your SSH Keys with Adobe Dreamweaver

Dreamweaver does not like the the SSH Key format generated by the latest version of OpenSSH and the ssh-keygen untility. If you are running a recent version of macOS, including Mojave. You will need to "downgrade" your id_rsa file using the folloing command in the Terminal app:

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

Now continue to set up Dreamweaver:

  • From the Dreamweaver site menu, select "Manage Sites":

  • Select the remote site connection you want to use SSH Keys with and then click the pencil icon underneath:

  • Next select "Servers" in left hand pane, and the existing server configuration to the right:

  • Configure as seen below, navigating to the ssh key file at /Users/[yourUserName]/.ssh/id_rsa
    ([yourUserName] is YOUR mac login name)

Given the large amounts of different Linux distributions there is no one guide that will work for all. You can use Steps 1-10 of the macOS Guide to generate your keys and publish them to Flip. From that point on you will need to use your FTP client of your choice.

Troubleshooting Guide
  1. Make sure you have enabled your Engineering account.
    If you have not, please do so here:  http://teach.engr.oregonstate.edu
  2. Make sure you have signed up for DUO.
    If not, please do so at https://duo.oregonstate.edu
  3. Make sure Putty is configured correctly (Windows)
    Load your private key (not public key) as per step 13 & 14 in the Windows guide
  4. Use your ONID username without @oregonstate.edu at the "login as:" prompt.
    Make sure that in your network home directory, your .ssh directory permission is set to 700 (drwx------) and the .ssh/authorized_keys file permission is 600 (-rw-------)