DUO/MFA considerations

If you connect to a remote host that requires multi-factor authentication (MFA), many transfer applications will request your second factor for every connection the application opens. Applications that are set up by default to open multiple connections include, but are not limited to: FileZilla, Cyberduck and MobaXterm. Each of these applications has settings that can be changed to stop the repeated authentication requests, at the possible expense of lower transfer performance.

Systems that require DUO or other MFA schemes generally also apply lockouts after a number of failed or timed-out attempts to authenticate against the second factor. If you fail to respond several times in a row to DUO push requests, a DUO lock is placed on your UH account until either the ITS helpdesk unlocks it or it is automatically unlocked after some period of time. While accounts are automatically unlocked eventually, contacting the ITS helpdesk is the fastest way to resolve a DUO lockout. Below we cover the changes that need to be made in FileZilla, Cyberduck and MobaXterm so that you do not get locked out of DUO. We also mention a few alternate transfer methods that do not have this particular problem.



Cyberduck

Once installed, be sure to set the File Transfer setting to "Use browser connection" so that you do not have to authenticate each time you transfer a file.

Image and instructions originally from https://web.stanford.edu/group/farmshare/cgi-bin/wiki/index.php/Duo_and_3rd_Party_Clients#Cyberduck_SFTP

Alternate sites with similar information:

https://kb.iu.edu/d/atvp

Filezilla

FileZilla, another popular SFTP GUI, is available for Windows, Mac OS X, and Linux. It also works well with DUO two-factor authentication; however, you must choose some non-default options (outlined below) to have the best experience with your file transfers.

If you use FileZilla in its default configuration you may see the following error:

Error: Server sent an additional login prompt: You need to use the interactive login type.

Error: Critical error: Could not connect to server

How to correctly configure FileZilla to work with two-factor authentication such as DUO:

  1. Launch FileZilla and open the Site Manager. Do not use the Quickconnect option.

  2. From the Site Manager, create a new site.

  3. Name the new site something that identifies the system this connection is for.

    On the General tab, specify the following:

    • Protocol: SFTP – SSH File Transfer Protocol

    • Host: The destination server hostname, e.g. koa.its.hawaii.edu

    • Logon Type: Interactive

    • User: This can be left blank

  4. On the Transfer Settings tab, CHECK the box for Limit number of simultaneous connections and set the Maximum number of connections to 1.

  5. Select Connect to connect to the server immediately, or OK to save the connection for later.

  6. When a connection to this server is initiated, you are prompted for your username and then your password.

  7. You are then prompted for a Duo two-factor authentication method.

    In the resulting Password box, enter one of:
    1 for a Duo Push
    2 for a Duo Phone Call
    3 for a Duo SMS
    A six-digit Duo passcode

  8. Accept the second-factor authentication on your Duo device (unless you are using a passcode).

  9. You should now be connected.

Instructions copied from:

https://unm-student.custhelp.com/app/answers/detail/a_id/7857/~/filezilla-ftp-configuration-for-duo-mfa-protected-linux-servers

https://urc.uncc.edu/faqs/how-do-i-transfer-data-tofrom-cluster

https://www.nics.tennessee.edu/computing-resources/data-transfer#filezilla

MobaXterm

Open MobaXterm and click on the 'Settings' button, or choose Settings >> Configuration from the top menu bar.


In the SSH configuration tab there is an option 'Use SFTP browser (remote browser in sidebar)', which is checked by default. If you do not wish to create a parallel SFTP connection for each session you start, or if you are not using a smartphone with Duo, simply uncheck this box. In newer versions of MobaXterm you may also need to edit the advanced session settings for SSH and switch "SSH-browser type" to None to disable the file directory tree view. Otherwise, expect that at least each time you change directories you will need to respond to an MFA/DUO request.

Original instructions and images taken from https://web.stanford.edu/group/farmshare/cgi-bin/wiki/index.php/Mobaxterm

Alternate Transfer methods

SCP

scp still triggers a silent DUO push to your primary device, but it does not open multiple connections, so it does not have the same problem as the tools covered above.

https://linux.die.net/man/1/scp
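One way scp users still end up with a stream of DUO pushes is a shell loop that calls scp once per file: every invocation is a new SSH session and a new push, and ignoring several pushes in a row is exactly what trips the lockout described at the top of this page. The helper below is an added example, not part of the original page or of any UH tooling; it batches all files into a single scp call so there is one session and one push. The user name, host and remote paths in the comments are placeholders, and SCP_CMD exists only so the function can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the original page): copy several files to or from
# a DUO-protected host with ONE scp invocation, so DUO prompts once.
#
# Avoid this pattern, which sends one DUO push per file:
#   for f in *.csv; do scp "$f" uhuser@koa.its.hawaii.edu:data/; done
#
# User, host and paths here are placeholders (assumptions), not real values.

# koa_put DEST FILE...
#   Copies every FILE to DEST (user@host:/remote/dir/) in a single scp call:
#   one SSH session, one DUO push.  SCP_CMD can point at a different command
#   (used for offline testing); it defaults to scp.
koa_put() {
    if [ "$#" -lt 2 ]; then
        echo "usage: koa_put DEST FILE..." >&2
        return 2
    fi
    dest=$1
    shift
    # -p preserves modification times and modes; add -r for directories.
    "${SCP_CMD:-scp}" -p "$@" "$dest"
}

# koa_get LOCAL_DIR REMOTE_FILE...
#   The reverse direction: several remote paths (all with the same user@host
#   prefix) fetched in one scp call, again one DUO push.
koa_get() {
    if [ "$#" -lt 2 ]; then
        echo "usage: koa_get LOCAL_DIR REMOTE_FILE..." >&2
        return 2
    fi
    dir=$1
    shift
    "${SCP_CMD:-scp}" -p "$@" "$dir"
}

# Placeholder usage: three files, one push.
# koa_put 'uhuser@koa.its.hawaii.edu:data/' results1.csv results2.csv notes.txt
# koa_get ./downloads 'uhuser@koa.its.hawaii.edu:data/results1.csv' \
#                     'uhuser@koa.its.hawaii.edu:data/results2.csv'
```

If you have many files spread across directories, pass the directory with -r rather than listing files individually; either way the goal is a single scp process per transfer job.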

Transmit

Transmit is another transfer tool that silently opens multiple connections. To fix this, the number of allowed server connections (Limit Connections) must be set to 1.

https://help.panic.com/transmit/transmit5/preferences/#advanced-server-settings

Globus 

Globus uses CI-Logon and the UH gold login screen to authenticate users; this is the only time you will need to present both of your authentication factors. Globus then authorizes all transfers for a period of time using a token granted at that login, rather than requiring additional authentication to access your storage on Koa.

/wiki/spaces/HPC/pages/9339095


Globus will no longer work once you leave the university (graduate, or leave employment). CI-Logon depends on certain attributes that UH authentication no longer exports once you are not affiliated with the university.

Open OnDemand

Open OnDemand uses UH Login, so once a user is connected to the site, file transfers are performed by the browser. As a result, file transfers do not require additional DUO authentication beyond the one needed to connect to Open OnDemand.

Open OnDemand for Koa is located at https://koa.its.hawaii.edu/.

Our documentation about our instance of Open OnDemand is found at /wiki/spaces/HPC/pages/9339349; although its references to Mana are out of date, much of the content applies to the active Koa instance.

Open OnDemand limits the size of a single file upload. The maximum file size a user can upload through the instance of Open OnDemand associated with Mana is 5GB.