This is an old revision of the document!
Remote access via Duo
In addition to other forms of remote access, CS Techstaff provides multifactor SSH access to non-forward-facing hosts through the following pair of bastion (jump) hosts.
bastion1.cs.uchicago.edubastion2.cs.uchicago.edu
In order to attain access, CS Techstaff will require access to your SSH public key in order to install it on the jump servers. At no time will CS Techstaff ask for your private key. After this step has been completed, in order to access a host that is not directly connected to the Internet via one of the bastion hosts, you may do the following.
amcguire@Andrews-MacBook-Pro ~ % ssh -J bastion1.cs.uchicago.edu linux1.cs.uchicago.edu (amcguire@bastion1.cs.uchicago.edu) Duo two-factor login for amcguire Enter a passcode or select one of the following options: 1. Duo Push to XXX-XXX-YYYY 2. Phone call to XXX-XXX-YYYY 3. SMS passcodes to XXX-XXX-YYYY Passcode or option (1-3): 1 Success. Logging you in... Last login: Mon Aug 25 00:57:26 2025 from 128.135.164.17 amcguire@focal1:~$
In the preceding, please observe that YYYY should be the last four digits of your telephone number that's been enrolled with Duo, while the -J option is used to specify that bastion1 is the proxy jump host used to "jump" to linux1. A similar result may be obtained via an entry in ~/.ssh/config such as the following.
amcguire@Andrews-MacBook-Pro ~ % cat .ssh/config Host linux1 HostName linux1.cs.uchicago.edu ProxyJump bastion1.cs.uchicago.edu
So that then all that needs to be done is
amcguire@Andrews-MacBook-Pro ~ % ssh linux1 (amcguire@bastion1.cs.uchicago.edu) Duo two-factor login for amcguire Enter a passcode or select one of the following options: 1. Duo Push to XXX-XXX-YYYY 2. Phone call to XXX-XXX-YYYY 3. SMS passcodes to XXX-XXX-YYYY Passcode or option (1-3):
eliminating the need for the -J option.