
SSH MFA Setup

The GRIT ssh bastion host is heimdall.grit.ucsb.edu / ssh.grit.ucsb.edu. It is set to force TOTP MFA authentication via the Google Authenticator package. All ssh logins from non-campus IPs will be forced to enter a 6-digit TOTP MFA code in addition to your password. From campus IPs, ssh key or password authentication is permitted.

MFA Setup

The first ssh login to heimdall will prompt the user to set up a TOTP MFA app.


Using the Google Authenticator App:

  • select the + button in the bottom right
  • select scan a QR code or, if the phone does not have a camera, select enter a setup key and enter the secret key shown below the QR code
  • enter the 6 digit code generated by the app

Using the DUO App:

  • Select +Add in the top right
  • select Use QR code
  • scan the QR code generated by the terminal session
  • select next in the app
  • select next in the app and enter an account name
  • if prompted select the option to enable backup
  • enter a password and select next
  • enter next again
  • enter the 6 digit code generated by the app in the terminal session
  • copy the 5 emergency codes generated to a secure, accessible location like Nextcloud or Google Drive

SFTP via Bastion

MacOS

Open up a terminal window and enter the following command

ssh -L 3311:<hostname.fqdn.com>:22 <username>@ssh.grit.ucsb.edu

When prompted, enter your domain credentials and dual factor code. Then open your preferred file transfer utility, enter localhost as the server and 3311 as the port, and use your domain credentials as normal.

Windows 10+

Open a PowerShell window and enter the following command

ssh -L 3311:<hostname.fqdn.com>:22 <username>@ssh.grit.ucsb.edu

When prompted, enter your domain credentials and dual factor code. Then open your preferred file transfer utility, enter localhost as the server and 3311 as the port, and use your domain credentials as normal.

Linux

Open up a terminal window and enter the following command

ssh -L 3311:<hostname.fqdn.com>:22 <username>@ssh.grit.ucsb.edu

When prompted, enter your domain credentials and dual factor code. Then open your preferred file transfer utility, enter localhost as the server and 3311 as the port, and use your domain credentials as normal.
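
The tunnel procedure above, wrapped as shell functions for macOS and Linux terminals with the command-line sftp client. This is an added example, not part of the original page. The control socket path, the function names and the DRY_RUN switch are assumptions; the user name and target host are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original page). Bastion name and local port are
# taken from the page; CTL, DRY_RUN and all function names are assumptions.
BASTION=ssh.grit.ucsb.edu
LPORT=3311
CTL="${HOME:-/tmp}/.ssh/grit-tunnel.sock"   # control socket used to close the tunnel

# With DRY_RUN=1 the command is printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Accept only letters, digits, dots and hyphens, and never a leading '-',
# so a pasted host name cannot be parsed by ssh as an option.
valid_host() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# open_tunnel <username> <target.fqdn>
# -f backgrounds ssh only after the password and TOTP prompts succeed.
# ExitOnForwardFailure makes ssh fail if port 3311 is already in use.
# Binding to 127.0.0.1 keeps the forward unreachable from other machines.
open_tunnel() {
  valid_host "$2" || { echo "bad target host: $2" >&2; return 2; }
  run ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes \
      -L "127.0.0.1:${LPORT}:$2:22" "$1@${BASTION}"
}

# sftp_via_tunnel <username> <target.fqdn>
# HostKeyAlias stores and checks the host key under the target's real name
# instead of [localhost]:3311, so tunnelling to a second host later does not
# produce a host key mismatch for the shared local port.
sftp_via_tunnel() {
  valid_host "$2" || { echo "bad target host: $2" >&2; return 2; }
  run sftp -P "$LPORT" -o HostKeyAlias="$2" "$1@localhost"
}

# close_tunnel <username>: stop the background ssh and free port 3311.
close_tunnel() { run ssh -S "$CTL" -O exit "$1@${BASTION}"; }
```

Source the file, then run open_tunnel, sftp_via_tunnel and close_tunnel in that order; set DRY_RUN=1 first to see the exact commands without connecting.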