Remote access via Duo
In addition to other forms of remote access, CS Techstaff provides multifactor SSH access to non-forward-facing hosts through the following pair of bastion (jump) hosts.
bastion1.cs.uchicago.edubastion2.cs.uchicago.edu
In order to access CS systems, a CS account is required. In order to access a host that is not directly connected to the Internet via one of the bastion hosts, you may do the following, typing in your CnetID account password at the prompt.
amcguire@Andrews-MacBook-Pro ~ % ssh -J bastion1.cs.uchicago.edu linux1.cs.uchicago.edu (amcguire@bastion1.cs.uchicago.edu) Password: (amcguire@bastion1.cs.uchicago.edu) Duo two-factor login for amcguire Enter a passcode or select one of the following options: 1. Duo Push to XXX-XXX-YYYY 2. Phone call to XXX-XXX-YYYY 3. SMS passcodes to XXX-XXX-YYYY Passcode or option (1-3): 1 Success. Logging you in... Last login: Thu Aug 28 17:21:05 2025 from 128.135.24.34 amcguire@focal1:~$
In the preceding, please observe that YYYY should be the last four digits of your telephone number that's been enrolled with Duo, while the -J option is used to specify that bastion1 is the proxy jump host used to "jump" to linux1. A similar result may be obtained via an entry in ~/.ssh/config such as the following.
amcguire@Andrews-MacBook-Pro ~ % cat .ssh/config Host linux1 HostName linux1.cs.uchicago.edu ProxyJump bastion1.cs.uchicago.edu
So that then all that needs to be done is
aamcguire@Andrews-MacBook-Pro ~ % ssh linux1 (amcguire@bastion1.cs.uchicago.edu) Password: (amcguire@bastion1.cs.uchicago.edu) Duo two-factor login for amcguire Enter a passcode or select one of the following options: 1. Duo Push to XXX-XXX-YYYY 2. Phone call to XXX-XXX-YYYY 3. SMS passcodes to XXX-XXX-YYYY Passcode or option (1-3):
eliminating the need for the -J option.