Using DUO with sftp and scp Sessions

On some Mines servers, you need to initiate an sftp (secure file transfer protocol) or scp (secure copy protocol) session using PuTTY. If you are using DUO and have a phone enrolled, you can follow the prompts to have DUO send a push, SMS, or call to the device. However, users with a 2FA fob (either provided by Mines or personally owned) need a few additional steps, because DUO doesn't directly support codes provided by the fob in these sessions.

ITS has developed the following workaround for initiating a sftp/scp session through PuTTY to authenticate using a 2FA Fob:

First, in your ssh client config (usually $HOME/.ssh/config), add the line "SendEnv DUO_PASSCODE".

To start an sftp/scp session with jumpbox, invoke like so:

$ DUO_PASSCODE=123456 sftp jumpbox.mines.edu

Replace 123456 with the code your hardware fob generates at that moment; this populates the DUO_PASSCODE environment variable. You should be asked for your password as normal (or, if you have a key pair set up, key-based authentication will happen), and the Duo challenge step should then be negotiated correctly using the passcode you supplied. If you run sftp with "-v", you'll see the entry "debug1: Sending env DUO_PASSCODE = <passcode value>".
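The steps above as a POSIX shell wrapper. This is an added example, not ITS's own code. It uses "ssh -G" to confirm that SendEnv DUO_PASSCODE is in effect for the host, prompts for the fob code, and passes it to sftp. The function names are hypothetical, and the digits-only check assumes the fob produces numeric codes like the 123456 shown above.

```sh
#!/bin/sh
# Added example: helper names are hypothetical, not part of the ITS workaround.

# Read `ssh -G <host>` output on stdin; succeed only if the effective client
# config contains an exact "SendEnv DUO_PASSCODE" entry.
# Limitation: a wildcard entry such as "SendEnv DUO_*" is not recognized.
duo_sendenv_configured() {
    awk 'tolower($1) == "sendenv" { for (i = 2; i <= NF; i++) if ($i == "DUO_PASSCODE") ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Accept only a non-empty, digits-only code (assumption: numeric fob codes).
valid_passcode() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: duo_sftp jumpbox.mines.edu
duo_sftp() {
    host="$1"
    if ! ssh -G "$host" | duo_sendenv_configured; then
        echo "SendEnv DUO_PASSCODE is not in effect for $host; check \$HOME/.ssh/config" >&2
        return 1
    fi
    # Prompt for the code instead of typing it on the command line,
    # so it is not written to shell history.
    printf 'Fob passcode: ' >&2
    stty -echo; IFS= read -r code; stty echo; echo >&2
    if ! valid_passcode "$code"; then
        echo "Passcode must contain digits only" >&2
        return 1
    fi
    # The variable is set for this one sftp process only.
    DUO_PASSCODE="$code" sftp "$host"
    rc=$?
    unset code
    return $rc
}
```

Source the file in your shell and run "duo_sftp jumpbox.mines.edu"; the wrapper stops before connecting if the SendEnv line is missing.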

If you experience issues with this process, contact ITS by submitting a ticket here: https://helpcenter.mines.edu/TDClient/1946/Portal/Requests/ServiceDet?ID=31012

Details

Article ID: 119461
Created: Fri 10/30/20 11:29 AM
Modified: Fri 2/26/21 9:56 AM