Computer Systems Lab
Connecting & Supporting the Computer Sciences Department
Duo Multi-Factor Authentication for CSL Linux Computers

Summary

  • Duo MFA will be implemented on all supported Ubuntu Linux computers effective Tuesday, March 16, 2021
  • Use the VPN to reduce the number of Duo authentications required
  • No additional Duo configuration will be required

Duo MFA on CSL Ubuntu Linux Computers Starting March 16, 2021

The CSL is implementing Duo MFA for Linux computers to improve security while providing the least intrusive experience for our faculty, staff, and students.

CSL Duo authentication will use the same Duo NetID authentication already in use for UW websites, and will not require additional authentication tokens or Duo configuration.

Duo authentication will be required for all faculty, staff, and students in the following use cases on CSL Ubuntu Linux computers:

  • Any SSH connection that prompts for a password, except for sessions using the CS Department VPN (which already requires Duo MFA). Passwordless SSH sessions from one CSL host to another will not require additional Duo authentication (these sessions use GSSAPI to forward a session credential).
  • SCP (secure copy) sessions will also require Duo authentication; we recommend using the VPN in those situations.
  • Any login screen that prompts for a password, except for Remote Desktop, which requires the VPN.
  • Screen locks that prompt for a password will honor a 12-hour “remember me” function, and only require Duo authentication if the session is more than 12 hours old.

Notes:

  • Sessions using the CS Department VPN will not require additional Duo MFA. This is recommended if you use multiple SSH sessions, to reduce the number of Duo MFA prompts.
  • Red Hat/CentOS systems are being upgraded to Ubuntu, so Duo has not been implemented on Red Hat/CentOS systems.
  • We can only enforce Duo MFA for people who are eligible for the Duo service (faculty, staff, and students). We are working with DoIT to resolve this mismatch between licensing restrictions and security requirements. If this cannot be resolved, we may have to implement a second MFA system for people who are not eligible for Duo.

Background

UW-Madison implemented Duo Multi-Factor Authentication (MFA) for web-based NetID authentication in 2019. UW System policy and the revised UW-Madison credential policy require MFA for all authentication systems, but this has not yet been widely implemented beyond the web-based NetID authentication. Recent UW System directives also require improved security for remote access.

Specific client issues

  • SecureCRT: in the properties of your saved session, under Connection -> SSH2, verify that ‘Keyboard Interactive’ is at the top of the ‘Authentication’ box.
  • MobaXterm: in the settings of your saved session, on the Advanced SSH Settings tab, switch SSH-browser type from SFTP to SCP (enhanced).