Comment: Version published after converting to the new editor

If you connect to a remote host that requires multi-factor authentication (MFA), many transfer applications will require your second factor for every connection they open. Applications that are set up by default to open multiple connections include, but are not limited to, FileZilla, Cyberduck and MobaXterm. Each of these applications has settings that can be changed to correct the multiple authentication request problem, at the expense of possibly higher transfer performance.

Generally, systems that require DUO or other MFA schemes also apply lockouts based on the number of failed or timed-out attempts to authenticate against a second factor. If you fail to respond multiple times in a row to DUO push requests, a DUO lock is placed against your UH account until either the ITS helpdesk unlocks your account or your account is automatically unlocked after some duration of time. While accounts are automatically unlocked after some amount of time, contacting the ITS helpdesk is the fastest way to resolve a DUO lockout. Below we cover the changes that need to be made to FileZilla, Cyberduck and MobaXterm so that you do not get locked out of DUO. We also mention a few alternate transfer methods that do not have this particular problem.

...

Table of Contents

...

Cyberduck

Once installed, be sure to set the File Transfer settings to "Use browser connection" to avoid having to authenticate each time you want to transfer a file.

...

Alternate sites with similar information: 

https://kb.iu.edu/d/atvp

FileZilla

FileZilla, another popular SFTP GUI, is available for Windows, Mac OS X, and Linux. It also works well with DUO two-factor auth; however, you must choose some non-default options (outlined below) in order to have the best experience with your file transfers.

...

  1. Launch FileZilla and select Open the Site Manager.
  2. From the Site Manager, create a new site.
  3. Give the new site a name that represents the system this connection is for.

    On the General tab, specify the following:
    • Protocol: SFTP – SSH File Transfer Protocol
    • Host: The destination server hostname, e.g. koa.its.hawaii.edu
    • Logon Type: Interactive
    • User: This can be left blank
  4. On the Transfer Settings tab, CHECK the box for Limit number of simultaneous connections and set the Maximum number of connections to 1.
  5. Select Connect to connect to the server immediately, or OK to save the connection for later.
  6. When a connection to this server is initiated, you are prompted for your username and then your password.
  7. You are then prompted for a Duo two-factor authentication method.

    In the resulting Password box, enter:

    • 1 for a Duo Push
    • 2 for a Duo Phone Call
    • 3 for a Duo SMS
    • A six-digit Duo passcode
  8. Accept the second-factor authentication on your Duo device (unless you are using a passcode).
  9. You should now be connected.



MobaXterm

Open MobaXterm and click on the 'Settings' button, or Settings >> Configuration from the top menu bar. 

...

Original instructions and images taken from https://web.stanford.edu/group/farmshare/cgi-bin/wiki/index.php/Mobaxterm

Alternate Transfer methods

SCP

scp will still do a silent DUO push to your primary device, but it does not initiate multiple connections, so it does not have the same problems as the tools covered above.

https://linux.die.net/man/1/scp

Transmit

Transmit is another transfer tool that will attempt to silently make multiple connections. To fix this, the number of allowed server connections (Limit Connections) must be set to 1.

https://help.panic.com/transmit/transmit5/preferences/#advanced-server-settings

Globus 

Globus utilizes CI-Logon and the UH gold screen to authenticate users, which is the only time you will need to present your two factors of authentication. Globus will then authenticate all transfers for a period of time using a token that is granted, bypassing any additional authentication to access your storage on Koa.

/wiki/spaces/HPC/pages/9339095


Info

Globus will no longer work once you leave the university (graduate, or leave employment). CI-Logon depends on certain attributes that are no longer exported from UH authentication once you are not affiliated with the university.

Open OnDemand

Open OnDemand uses UH Login, so once a user is connected to the site, file transfers would be performed by the browser.  As a result, file transfers would not require additional DUO authentications beyond the one that was needed to connect to Open OnDemand.

Open OnDemand for Koa is located at https://koa.its.hawaii.edu/.

Our documentation about our instance of Open OnDemand is found here: /wiki/spaces/HPC/pages/9339349. Although the references to Mana are out of date, much of the content applies to the active Koa instance.

Info

Open OnDemand limits how large a file a user can upload. The maximum file size that a user can upload through the instance of Open OnDemand associated with Mana is 5GB.

...