Authentication With MFA

From UFRC
Revision as of 19:50, 14 March 2023 by Israel.herrera (talk | contribs)
Jump to navigation Jump to search

UF is a high-value target for attacks designed to steal research data and intellectual discoveries. Since adopting multi-factor authentication, UF has seen a 99.7% decrease in compromised accounts. MFA prevents unauthorized access to your HiPerGator account by requiring a second authentication method in addition to your GatorLink credentials, such as your mobile device. A malicious agent - whether a person or an automated mechanism - trying to compromise your account is far less likely to gain access to both the knowledge of your credentials and the physical factor necessary to authenticate.

How Does This Change the User Experience?

Users will see a text menu asking them to select an MFA method as the second step during SSH authentication. Available methods are based on what you have configured in the My Two-Factor page . Anyone who has used other UF services, like myUFL or ONE.UF, will be familiar with this process. In short, you can either enter a Duo code, or select one of the menu options to proceed with that choice.

The short video here demonstrates the process of logging in with an ssh client using a password. After the password is entered, the terminal prompts for a Duo passcode (e.g. 6-digit code from a token or Duo application) or allows you to select from one of your pre-configured MFA options using a numerical selection.

You will need to sign up for Duo Authentication.

Using MFA with GUI SFTP Programs

We recommend using WinSCP, Bitvise, or Cyberduck SFTP clients. Bitvise is a 'FastPass' approved application to open any sensitive data at UF.

  • WinSCP, Bitvise and Cyberduck work with Duo 2FA out of the box. Bitvise uses SSH Multiplexing automatically, so you can both perform SFTP transfers and open a terminal in the same ssh session without having to re-authorize.
  • For CyberDuck, to use password-based authentication and only require one MFA push per session (rather than for each file) change the preferences:
    Screenshot of the CyberDuck options to use Browser Connection
    • From the Edit menu > Preferences > Transfers > General. Then select "Use browser connection" from the drop down menu

Connecting via Terminal to the Command Line

If you are using username/password authentication to connect your terminal to the HiPerGator command line then the process does not change much from what it was before, as documented in Getting_Started#Connecting_to_HiPerGator After you authenticate with your GatorLink Password you will then be prompted for Duo two-factor authentication. The entire session should look like this:

Expand this section to view example session.

 Using username "GatorLinkUsername".
 Using keyboard-interactive authentication.
 Password:
 Using keyboard-interactive authentication.
 Duo two-factor login for GatorLinkUsername@ufl.edu 
 Enter a passcode or select one of the following options:
  1. Duo Push to XXX-XXX-1234
  2. Phone call to XXX-XXX-1234
 Passcode or option (1-2): 
 Success. Logging you in...

How can I use SSH keys for authentication?

See the guide for setup at SSH Keys. After this, you won't require password, but will still be prompted for Duo MFA as above.

Using SSH Keys with SFTP clients

Using SSH Multiplexing to reduce the number of MFA authentications needed

One strategy to reduce the number of times that you need to authenticate using MFA is to use SSH Multiplexing. This opens one connection, which requires an MFA authentication, and then other connections are made through that initial connection. These additional connections do not require MFA.

Please see the details of SSH Multiplexing configuration on this page.

Common Errors

Attempting to use SSH Key Authentication, without setting port 2222

Without the proper port being specified you will be connected to a login server which will ignore your SSH Key. You will be prompted for a password, but depending on your terminal client and configuration you might not see that prompt. Eventually, multiple failures of the password login will lead to our security software blocking your client due to too many incorrect password attempts, and eventually you may see 'Connection reset by peer' when trying to log in.

Solution: ensure that you're specifying the correct port for SSH Key Authentication as specified above. If you're receiving the 'Connection reset by peer' error message you will need to open a Support Request to ask that your HiPerGator user account be unblocked.

Attempting to use SSH Key Authentication, 2222 connects but without SSH Key

This is the opposite case to the above issue, in that you're now connecting to a login host which is expecting an SSH Key file but never sending one. A number of invisible errors will happen behind the scenes, and you will eventually see an error message similar to "Server sent: public key"

Solution: Ensure that your connection command line or SSH config file are correct as per the above sections, and that you really do intend to use SSH Key Authentication instead of manually typing a password. If so, then please refer to Using_SSH_Keys_To_Access_HPG and/or open a Support Request for assistance with setting up SSH Key Authentication.

Attempting to log in without having enrolled in MFA

Upon login you'll receive an error stating "Not Enrolled".

Solution: Please see the section above: "What if I Don't have Duo MFA Enabled?". You will need to sign up for Duo Authentication. There is a minimal chance that a misconfiguration in our system could be producing this error, so if you are certain that your GatorLink account has been signed up for Duo Authentication then open a Support Request stating that you're receiving the 'Not Enrolled' error when trying to log in.