Navigation :

Setting up SSH on MacOS

Using SSH on MacOS

DUO MultiFactor Authentication Required

Beginning August 4th 2025 ssh access to CSAIL systems will require DUO MultiFactor Authentication (MFA)

This uses the same app as MIT DUO so most people will already have that installed and set up. If you do not now is a good time to review their Knowledge Base article.

While we are using the same application (and under their license) CSAIL has a separate DUO instance with separate configuration.

Signing up for CSAIL DUO

Minimizing Second Factor Prompts

The recommended CSAIL jump host configuration uses SSH Multiplexing such that you will only be prompted for DUO authentication when you first connect. So long as you maintain an open ssh session through the jump host DUO will not be required for subsequent connections through the jump hosts, even if they are to different endpoint hosts. After 30min with no open connections the multiplexing socket will time out and on the next connection you’ll again get a DUO prompt.

Dealing with “problem” clients and workflows

IDEs (VScode, Cursor, PuTTY, etc) and other interactive tools that use SSH

Many integrated development environments (IDE’s) and other tools that use SSH behind the scenes provide poor or no UI to deal with entering a second factor. If you follow the Minimizing Second Factor Prompts instructions above and manually ssh to any CSAIL host before using the problematic tool it won’t need a second factor to connect and everything should function noramally.

Automated non-interactive processes

TIG can create configuration exceptions for internal cluster communications and exceptions for limited scope system accounts using SSHKey authentication. This is not self-service and requires a security review and custom configuration.

Please contact help@csail.mit.edu to arrange for custom configuration and testing as soon as possible to ensure a smooth transition

Testing Changes Now

Please do test this as soon as possible and email help@csail.mit.edu if you encounter any problems.

ssh $CSAIL_USERNAME@mfa-login.csail.mit.edu

If you are prompted for Duo two-factor login for [user] you are already enrolled in DUO. Continue to step 2.
If you get the message Please enroll at... follow the link to enroll

Try configuring mfa-jump as your jump host

Create or edit a ~/.ssh/config for your client as desribed under Use the CSAIL jump host for SSH access replacing jump.csail.mit.edu in the configuration for your Operating System with mfa-jump.csail.mit.edu, Note these examples are recently changed. The new configs will work with both the new MFA systems and the current single factor systems, but the old configs will not provide a good experience with MFA. Please review the examples even if you are currently using the TIG provide jump host for access.
connect again to ssh $CSAIL_USERNAME@mfa-login.csail.mit.edu. On 1st connection you should expect a DUO prompt.
Logout of mfa-login and reconnect. On 2nd and subsequent connections you should not be prompted for DUO. As configured in the example configs this will time out if you have no open ssh sessions for 30min.

Attempt to go about your regular work with this config in place.
If your group has systems you would specifically like to test with we can enable MFA ahead of schedule on select systems, just send a request to help@csail.mit.edu

SSH access restrictions

Inbound SSH connections from outside the CSAIL network to most systems on the CSAIL network are blocked by default. SSH connections within the CSAIL network (either on Ethernet or CSAILPrivate) remain open. Inbound SSH connections to the public login server login.csail.mit.edu remain open.

To SSH to systems from outside the CSAIL network it is strongly recommended that you Use the CSAIL jump host for SSH access as this by passes the firewall restriction and Minimizes DUO Prompts

It is also possible to bypass the firewall restriction using:

If the system you are connecting to inside the CSAIL is not running CSAIL Linux these methods are fine, however if you are connecting to a CSAIL Linux using one of these methods rather than the jump-host method will require DUO interaction on every ssh connection which is not a good experience.

Using SSH with the CSAIL Jump Host

TIG is supplying a dedicated jump host (separate from the login servers) called jump.csail.mit.edu. This server is configured to allow only proxy connections, not interactive logins.

Despite the impending network restrictions most people can continue to transparently access all CSAIL systems by setting up their client ssh config.

Please see the applicable configuration options for your platform

{{% panel theme="info” header="NOTE:” %}}CSAIL Linux systems will not require additional configuration when this change is live, for testing you will need a custon ssh config{{% /panel %}}

Configuring CSAIL SSH via Jump Host for Mac OS 14+

Up Coming Change:

To test your readiness for upcoming ssh changes replace jump.csail.mit.edu in the configuration example with mfa-jump.csail.mit.edu

If you had previously configured using a jump host note that this configuration has recently changed and step 2 below for creating the control socket directory is new

Two Steps are required

Place the following in the .ssh/config file within your local home directory (ie, /Users/$YOU/.ssh/config).
Create the directory ~/.ssh/cm_socket either through the Finder or by opening a terminal and running mkdir ~/.ssh/cm_socket

This configuration will use allow you to SSH to systems from within or outside the CSAIL network using Kerberos authentication

HashKnownHosts yes
VerifyHostKeyDNS ask
CanonicalizeHostname always
CanonicalDomains csail.mit.edu

# all  CSAIL hosts use GSSAPI
Host *.csail.mit.edu 128.52.* 128.30.*
  GSSAPIAuthentication yes
  # If you have a different local username uncomment the following line
  # and fill in your CSAIL UserName
  # User <CSAIL UserName>

# jumps reuse existing connections to minimize DUO prompting
# "ControlPath" must exist and cannot be in AFS
#
# NOTE: if you are on a laptop or other systems that switches 
# networks the Control Socket will need to be manually removed
# in order for it to get recreated on the new network:
#
# rm ~/.ssh/cm_socket/*
#
# The symptom is new ssh session hanging prior to connection
# It is always safe to run this command though it will require 
# Duo auth on re-establish the connection.

Host jump.csail.mit.edu

  ControlMaster auto
  ControlPersist 1800

  ### This directory must be manually created! ###
  ControlPath ~/.ssh/cm_socket/%C


# CSAIL hosts except jumphosts get GSSAPIDelegateCredentials for AFS
Host *.csail.mit.edu   !jump.csail.mit.edu 128.52.* 128.30.* 128.31.*
  ProxyJump jump.csail.mit.edu
  GSSAPIDelegateCredentials yes
  ForwardAgent yes

# if you ssh to ATHENA systems
# uncomment the lines below
# and edit to include your ATHENA Username
#Host !*.csail.mit.edu *.mit.edu
#  User <ATHENA UserName>
#  GSSAPIAuthentication yes
#  GSSAPIDelegateCredentials yes

The above will allow you to connect to hosts using their fully qualified domain names (eg, ssh login.csail.mit.edu). or their short names (login). If you want to also use X11 (to run extra xterms or MATLAB remotely, for example), make sure XQuartz is installed on your Mac and then uncomment ForwardX11 yes.

Once you save the file, make sure that you are its owner and no one else can write to it. For example:

$ chmod 600 config
$ chown $YOU config