
Authentication With MFA

UF is a high-value target for attacks designed to steal research data and intellectual discoveries. Since adopting multi-factor authentication, UF has seen a 99.7% decrease in compromised accounts. MFA prevents unauthorized access to your HiPerGator account by requiring a second authentication method in addition to your GatorLink credentials, such as your mobile device. A malicious agent - whether a person or an automated mechanism - trying to compromise your account is far less likely to gain access to both the knowledge of your credentials and the physical factor necessary to authenticate. You can sign up for and manage your Duo Authentication settings on the UFIT Duo page.

Connecting via Terminal to the Command Line

If you are using username and password authentication to connect your terminal to the HiPerGator command line, the process is documented in Connecting to HiPerGator. After you authenticate with your GatorLink password, you will then be prompted for Duo two-factor authentication.

For an example username, "GatorLinkUsername", the process is illustrated below. The options available to select from are configured on the UFIT Duo page. You can also enter a 6-digit passcode from a hardware token or the Duo application.

Using username GatorLinkUsername
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Duo two-factor login for GatorLinkUsername@ufl.edu

Enter a passcode or select one of the following options:

1. Duo Push to XXX-XXX-1234
2. Phone call to XXX-XXX-1234

Passcode or option (1-2): 1
Success. Logging you in...

See also the videos on connecting with SSH from Windows or macOS.

Using MFA with Graphical SFTP Programs

We recommend using WinSCP, Bitvise, or Cyberduck SFTP clients. Bitvise and Cyberduck are 'Fast Path' approved applications for open and sensitive data at UF. WinSCP is approved for open data.

  • WinSCP, Bitvise and Cyberduck work with Duo 2FA out of the box. Bitvise uses SSH Multiplexing automatically, so you can both perform SFTP transfers and open a terminal in the same SSH session without having to re-authorize.
  • For Cyberduck, to use password-based authentication and only require one MFA push per session (rather than for each file), change the preferences:
    • From the Edit menu > Preferences > Transfers > General. Then select "Use browser connection" from the drop-down menu.

How can I use SSH keys for authentication?

See the guide for setup at SSH keys. Once configured, you won't need to enter a password but you will still be prompted for Duo MFA as above.

Using SSH Keys with SFTP clients

Using SSH Multiplexing to reduce the number of MFA authentications needed

One strategy to reduce the number of times that you need to authenticate using MFA is to use SSH Multiplexing. This opens one connection, which requires an MFA authentication, and then other connections are made through that initial connection. These additional connections do not require MFA.

Please see the details of SSH Multiplexing configuration on this page.
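
As an illustration of the approach described above, here is a client-side `~/.ssh/config` sketch. It is an added example, not the configuration from the HiPerGator documentation. The host name, the aliases `hpg` and `hpg-key`, the key path and the 10-minute persistence value are assumptions; port 2222 for SSH key authentication and the default port for password authentication come from the Common Errors section of this page.

```sshconfig
# Added example: shared settings for both aliases (aliases are hypothetical).
Host hpg hpg-key
    # Placeholder host name: substitute the login host from "Connecting to HiPerGator".
    HostName login.hpc.example.edu
    User GatorLinkUsername

    # Multiplexing: the first connection becomes the master and is the only
    # one that goes through password/key plus Duo MFA. Later ssh, scp and
    # sftp invocations to the same alias reuse it through the socket below.
    ControlMaster auto
    # %C is a hash of local host, remote host, port and user, so each
    # alias/port combination gets its own socket. Keep ~/.ssh at mode 0700:
    # any process that can open this socket gets a session without MFA.
    ControlPath ~/.ssh/cm-%C
    # Keep the master open for 10 minutes after the last session closes
    # (assumed value; shorter means more MFA prompts, longer means the
    # authenticated channel stays usable on an unattended machine).
    ControlPersist 10m

# Password authentication: no Port line, so the default port is used.
# Connect with:  ssh hpg

# SSH key authentication: must use port 2222, otherwise the login server
# ignores the key and falls back to password prompts.
Host hpg-key
    Port 2222
    # Assumed key path; use the key you registered in the SSH keys guide.
    IdentityFile ~/.ssh/id_ed25519
    # Offer only the key above instead of every key loaded in the agent.
    IdentitiesOnly yes
```

Running `ssh -O check hpg-key` reports whether a master connection is active, and `ssh -O exit hpg-key` closes it so the next connection requires MFA again.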

Common Errors

Attempting to use SSH Key Authentication without setting port 2222

Without the proper port being specified, you will be connected to a login server which will ignore your SSH Key. You will be prompted for a password, but depending on your terminal client and configuration, you might not see that prompt. Multiple failed password logins will eventually lead to our security software blocking your client due to too many incorrect password attempts, and you may then see Connection reset by peer when trying to log in.

Solution: ensure that you are specifying the correct port for SSH Key Authentication, port 2222.

If you are receiving the Connection reset by peer error message, you will need to wait a few minutes, and your account should be automatically unlocked.

Attempting to use Password Authentication but Specifying Port 2222

This is the opposite of the issue above: you're now connecting to a login host that expects an SSH key file, but your client never sends one. A number of invisible errors will happen behind the scenes, and you will eventually see an error message similar to Server sent: public key.

Solution: ensure that your connection command line or SSH config file is correct. If you need help, open a support request for assistance with setting up SSH Key Authentication.

Attempting to log in without having enrolled in MFA

Upon login you'll receive an error stating "Not Enrolled".

Solution: you will need to sign up for Duo Authentication. There is a chance that a misconfiguration in our system could be producing this error, so if you are certain that your GatorLink account has been signed up for Duo Authentication, open a support request stating that you're receiving the 'Not Enrolled' error when trying to log in.