Using Duo with sftp and scp Sessions

Summary

How to initiate an sftp/scp session and authenticate using Duo

Body

On some Mines servers, you need to initiate an sftp (secure file transfer protocol) or scp (secure copy protocol) session using PuTTY. If you are using Duo and have a phone enrolled, you can follow the prompts to have Duo send a push or SMS to, or call, the device. However, users with a 2FA fob (either provided by Mines or personally owned) need a few additional steps, as Duo doesn't directly support codes provided by the fob.

IT has developed the following workaround for initiating an sftp/scp session through PuTTY to authenticate using a 2FA fob:

First, in your ssh client config (usually $HOME/.ssh/config), set the option "SendEnv DUO_PASSCODE".

To start an sftp/scp session with jumpbox, invoke it like so, replacing 123456 with the code generated by your fob:

$ DUO_PASSCODE=123456 sftp jumpbox.mines.edu

Populate the DUO_PASSCODE environment variable with the code your hardware fob is generating at that time. You should be asked for your password as normal (or, if you have a key pair set up, key-based authentication will happen), and the session should then correctly negotiate the Duo challenge step using the supplied passcode. If you run sftp with "-v", you'll see the entry "debug1: Sending env DUO_PASSCODE = <passcode value>".
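The steps above can be wrapped in a small shell helper that confirms the SendEnv setting is in effect and prompts for the fob code instead of typing it on the command line, where it would be saved in shell history. This is an added example, not part of the original article or an IT-provided script; the function names and the DUO_HOST variable are hypothetical, and it assumes an OpenSSH client (for "ssh -G") and a digits-only passcode like the 123456 example.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the
# DUO_HOST variable are hypothetical. Assumes an OpenSSH client.

# Return 0 if the effective ssh config read from stdin (the output of
# "ssh -G <host>") forwards the exact variable name DUO_PASSCODE.
forwards_duo_passcode() {
    awk 'tolower($1) == "sendenv" {
             for (i = 2; i <= NF; i++) if ($i == "DUO_PASSCODE") found = 1
         }
         END { exit !found }'
}

# Return 0 if $1 is non-empty and digits only (assumed fob code format).
valid_passcode() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: duo_run sftp jumpbox.mines.edu
# Prompts for the fob code without echoing it, then runs the command with
# DUO_PASSCODE set for that one process only.
duo_run() {
    host_check=${DUO_HOST:-jumpbox.mines.edu}
    if ! ssh -G "$host_check" 2>/dev/null | forwards_duo_passcode; then
        echo "SendEnv DUO_PASSCODE is not set for $host_check" >&2
        return 1
    fi
    printf 'Fob passcode: ' >&2
    stty -echo 2>/dev/null
    read -r code
    stty echo 2>/dev/null
    echo >&2
    if ! valid_passcode "$code"; then
        echo "passcode must be digits only" >&2
        return 1
    fi
    DUO_PASSCODE=$code "$@"
}
```

Placing the SendEnv line under a "Host jumpbox.mines.edu" block in the config, rather than at the top level, keeps the passcode from being offered to other servers you connect to.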

 

Details

Article ID: 119461
Created: Fri 10/30/20 1:29 PM
Modified: Thu 8/15/24 7:45 PM