Testing SSH MFA Client on CSAIL Ubuntu
To test the upcoming ssh changes, create the file ~/.ssh/config with the following contents:
HashKnownHosts yes
VerifyHostKeyDNS ask
CanonicalizeHostname always
CanonicalDomains csail.mit.edu
# all CSAIL hosts use GSSAPI
Host *.csail.mit.edu 128.52.* 128.30.*
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
# jumps reuse existing connections to minimize Duo prompting
# note: the "ControlPath" directory must exist and cannot be in AFS
# /afs/csail.mit.edu/system/common/etc/profile.csail (and friends) does this on
# CSAILLinux systems
#
# NOTE: if you are on a laptop or other system that switches
# networks, the control socket will need to be manually removed
# in order for it to get recreated on the new network:
#
#   rm /run/user/$(id -u)/cm_socket/*
#
# (%i in ControlPath below is your numeric local user ID, i.e. the output of id -u)
#
# The symptom is a new ssh session hanging prior to connection.
# It is always safe to run this command, though it will require
# Duo auth to re-establish the connection.
Host mfa-jump.csail.mit.edu jump.csail.mit.edu
    ControlMaster auto
    ControlPersist 1800
    ControlPath /run/user/%i/cm_socket/%C
# CSAIL hosts except jumphosts get GSSAPIDelegateCredentials for AFS
Host *.csail.mit.edu !mfa-jump.csail.mit.edu !jump.csail.mit.edu 128.52.* 128.30.* 128.31.*
    ProxyJump mfa-jump.csail.mit.edu
    GSSAPIDelegateCredentials yes
    ForwardAgent yes
# if you ssh to ATHENA systems
# uncomment the lines below
# and edit to include your ATHENA Username
#Host !*.csail.mit.edu *.mit.edu
#    User <ATHENA UserName>
#    GSSAPIAuthentication yes
#    GSSAPIDelegateCredentials yes
#    GSSAPIKeyExchange yes
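
The control-socket housekeeping described in the comments above can be scripted. The shell functions below are an added example, not part of the CSAIL-provided configuration or profile scripts; the function names and the optional base-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helpers for the ControlPath directory used by the config above.
# Function names and the optional base-directory argument are hypothetical.

# Print the directory that "ControlPath /run/user/%i/cm_socket/%C" lives in.
# %i is the numeric local user ID; $1 may override /run/user/<uid>.
cm_dir() {
    printf '%s/cm_socket\n' "${1:-/run/user/$(id -u)}"
}

# Create the socket directory, readable only by its owner.
# Refuses AFS paths, since the control socket cannot be in AFS.
cm_prepare() {
    dir=$(cm_dir "$1")
    case "$dir" in
        /afs/*) echo "refusing AFS path: $dir" >&2; return 1 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir"
}

# Return 0 if a master connection to the jump host still answers.
cm_alive() {
    ssh -O check "${1:-mfa-jump.csail.mit.edu}" 2>/dev/null
}

# Remove leftover control sockets (for example after switching networks)
# and print how many were removed. The next ssh through the jump host
# creates a fresh master connection and prompts for Duo again.
cm_reset() {
    dir=$(cm_dir "$1")
    removed=0
    for s in "$dir"/*; do
        # an unmatched glob stays literal and names nothing; skip it
        [ -e "$s" ] || [ -L "$s" ] || continue
        rm -f -- "$s" && removed=$((removed + 1))
    done
    echo "$removed"
}
```

Source the file from your shell profile and call cm_prepare once at login; run cm_reset when new ssh sessions hang after a network change.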