Remote Work
IS&T provides MIT staff and affiliates with a selection of IT resources that can be leveraged to prepare for and facilitate remote working at MIT.
DUO MultiFactor Authentication Required
Beginning August 4th 2025, ssh access to CSAIL systems will require DUO MultiFactor Authentication (MFA).
This uses the same app as MIT DUO, so most people will already have that set up. If you do not, now is a good time to review their Knowledge Base article.
While we are using the same application (and under their license), CSAIL has a separate DUO instance with separate configuration.
Signing up for CSAIL DUO
Sign in to https://duo.csail.mit.edu/ and configure your preferences.
Minimizing Second Factor Prompts
The recommended CSAIL jump host configuration uses SSH multiplexing, so you will only be prompted for DUO authentication when you first connect. So long as you maintain an open ssh session through the jump host, DUO will not be required for subsequent connections through the jump hosts, even if they are to different endpoint hosts. After 30min with no open connections, the multiplexing socket will time out and on the next connection you’ll again get a DUO prompt.
Testing Changes Now
Please do test this as soon as possible and email help@csail.mit.edu if you encounter any problems.
- Try it: ssh $CSAIL_USERNAME@mfa-login.csail.mit.edu
- Try configuring mfa-jump as your jump host:
  - See Use the CSAIL jump host for SSH access, replacing jump.csail.mit.edu in the configuration for your operating system with mfa-jump. Note that these examples have recently changed: the new configs will work with both the new MFA systems and the current single-factor systems, but the old configs will not provide a good experience with MFA. Please review the examples even if you are currently using the TIG-provided jump host for access.
  - Connect again with ssh $CSAIL_USERNAME@mfa-login.csail.mit.edu. On the 1st connection you should expect a DUO prompt.
  - Log out of mfa-login and reconnect. On the 2nd and subsequent connections you should not be prompted for DUO. As configured in the example configs, this will time out if you have no open ssh sessions for 30min.
- Attempt to go about your regular work with this config in place.
- If your group has systems you would specifically like to test with we can enable MFA ahead of schedule on select systems, just send a request to help@csail.mit.edu
SSH access restrictions
Inbound SSH connections from outside the CSAIL network to most systems on the CSAIL network are blocked by default. SSH connections within the CSAIL network (either on Ethernet or CSAILPrivate) remain open. Inbound SSH connections to the public login server login.csail.mit.edu remain open.
To SSH to systems from outside the CSAIL network, it is strongly recommended that you Use the CSAIL jump host for SSH access, as this bypasses the firewall restriction and minimizes DUO prompts.
It is also possible to bypass the firewall restriction using:
If the system you are connecting to inside CSAIL is not running CSAIL Linux, these methods are fine. However, if you are connecting to a CSAIL Linux system, using one of these methods rather than the jump-host method will require DUO interaction on every ssh connection, which is not a good experience.
Using SSH with the CSAIL Jump Host
TIG is supplying a dedicated jump host (separate from the login servers) called jump.csail.mit.edu. This server is configured to allow only proxy connections, not interactive logins.
Despite the impending network restrictions most people can continue to transparently access all CSAIL systems by setting up their client ssh config.
Please see the applicable configuration options for your platform
NOTE: CSAIL Linux systems will not require additional configuration when this change is live; for testing you will need a custom ssh config.
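A client configuration matching the multiplexing behaviour and jump-host setup described above, as an added example that is not CSAIL's published config. The alias csail-jump, the fully qualified name mfa-jump.csail.mit.edu, the socket path and the username placeholder are assumptions.

```sshconfig
# Added example for ~/.ssh/config; not the CSAIL-published configuration.
# Assumptions: the alias "csail-jump", the full name mfa-jump.csail.mit.edu,
# the ControlPath location and the placeholder username.

# Connection to the jump host: the only hop that is multiplexed.
Host csail-jump
    HostName mfa-jump.csail.mit.edu
    User YOUR_CSAIL_USERNAME
    # Reuse an existing master connection if one exists, otherwise create one.
    ControlMaster auto
    # %C is a hash of local host, remote host, port and user, which keeps the
    # socket name short and unique per destination.
    ControlPath ~/.ssh/cm-%C
    # Keep the master alive for 30 minutes after the last session closes.
    ControlPersist 30m

# Every other CSAIL host is reached through the jump host.
# The negated pattern stops the jump host from proxying through itself.
Host *.csail.mit.edu !mfa-jump.csail.mit.edu
    User YOUR_CSAIL_USERNAME
    ProxyJump csail-jump

# The control socket stands in for a completed DUO login: anything that can
# open it gets a new session without a prompt. Keep ~/.ssh at mode 0700.
#
# Inspect or close the master connection by hand:
#   ssh -O check csail-jump
#   ssh -O exit  csail-jump
```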
Allowlist SSH server
If all else fails, or you have a server that:
- needs to allow ssh from outside the CSAIL network,
- is not on the guest (128.31.0.0/24) or W3C (128.30.52.0/22) network, and
- has non-CSAIL users or some application restriction making it difficult to use a jump host configuration as shown above,
please open a ticket by sending mail to help@csail with the names and IP addresses of the machines you’d like to register as ssh servers and an explanation of the reason you need to have a firewall exception made.
Note that the servers in question must have a static IP address assigned.
Additional documentation can be found elsewhere on this site for [physical servers](/network-wireless/#requesting-a-static-ip-address) and [OpenStack virtual machines](/shared-computing/open-stack/network/#using-fixed-ip-addresses).