Skip to main content

SSH MFA Setup

The GRIT ssh bastion host is heimdall.grit.ucsb.edu / ssh.grit.ucsb.edu. It is set to force TOTP MFA authentication via the google authenticator package. All ssh logins from non-campus IPs will be forced to enter a 6 digit TOTP MFA code in addition to your password. From campus IPs ssh key or password authentication is permitted.

MFA Setup

The first ssh log in to heimdall will prompt the user to setup a TOTP MFA app.

screenshot_from_2023-02-06_22-21-01.png

Using the Google Authenticator App:

  • select the + button in the bottom right
  • select scan a QR code or if the phone does not have a camera select enter a setup key and enter the secret key below the QR code
  • enter the 6 digit code generated by the app

Using the DUO App:

  • Select +Add in the top right
  • select Use QR code
  • scan the QR code generated by the terminal session
  • select next in the app
  • select next in the app and enter an account name
  • if prompted select the option to enable backup
  • enter a password and select next
  • enter next again
  • enter the 6 digit code generated by the app in the terminal session
  • copy the 5 emergency codes generated to a secure accessible location like nextcloud or google drive

 

Resetting an MFA token

From a Campus IP

If the user is able to come in via a campus IP or VPN then they can login with just their AD username and password or ssh key:

  • log in to the account and run
google-authenticator
  • select Y to enable time-based tokens
  • follow the MFA setup steps from the section above

Without User Login

If the user is unable to log in from a campus IP or VPN:

  • ssh into heimdall as a user with sudo privilidges
  • navigate to the user's home directory
  • ls -alh (to show hidden files - All, List, Human readable) 
  • delete the .google_authenticator file
  • have the user log in and setup their MFA following the steps above

SFTP via Bastion

MacOS

Open up a terminal window and enter the following command

ssh -L 3311:<hostname.fqdn.com>:22 <username>@ssh.grit.ucsb.edu

when prompted enter your domain credentials and dual factor code open your preferred file transfer utility and enter localhost as the server and port 3311, then use your domain credentials as normal.

Windows 10+

Open a PowerShell window and enter the following command

ssh -L 3311:<hostname.fqdn.com>:22 <username>@ssh.grit.ucsb.edu

when prompted enter your domain credentials and dual factor code open your preferred file transfer utility and enter localhost as the server and port 3311, then use your domain credentials as normal.

Linux

Open up a terminal window and enter the following command

ssh -L 3311:<hostname.fqdn.com>:22 <username>@ssh.grit.ucsb.edu

when prompted enter your domain credentials and dual factor code open your preferred file transfer utility and enter localhost as the server and port 3311, then use your domain credentials as normal.