Setting up SSH on Windows

Using SSH on Windows

For secure, password-less SSH login to CSAIL systems, please first setup Kerberos for Windows

DUO MultiFactor Authentication Required

Beginning August 4th 2025 ssh access to CSAIL systems will require DUO MultiFactor Authentication (MFA)

This uses the same app as MIT DUO so most people will already have that set up. If you do not now is a good time to review their Knowledge Base article.

While we are using the same application (and under their license) CSAIL has a separate DUO instance with separate configuration.

Signing up for CSAIL DUO

Sign in to https://duo.csail.mit.edu/ and configure your preferences.

Minimizing Second Factor Prompts

The recommended CSAIL jump host configuration uses SSH Multiplexing such that you will only be prompted for DUO authentication when you first connect. So long as you maintain an open ssh session through the jump host DUO will not be required for subsequent connections through the jump hosts, even if they are to different endpoint hosts. After 30min with no open connections the multiplexing socket will time out and on the next connection you’ll again get a DUO prompt.

Testing Changes Now

Please do test this as soon as possible and email help@csail.mit.edu if you encounter any problems.

• Try it ssh $CSAIL_USERNAME@mfa-login.csail.mit.edu
• Try configuring mfa-jump as your jump host
  1. see Use the CSAIL jump host for SSH access replacing jump.csail.mit.edu in the configuration for your Operating System with mfa-jump, note these examples are recently changed the new configs will work with both the new MFA systems and the current single factor systems but the old configs will not provide a good experience with MFA. Please review the examples even if you are currently using the TIG provide jump host for access.
  2. connect again to ssh $CSAIL_USERNAME@mfa-login.csail.mit.edu. On 1st connection you should expect a DUO prompt.
  3. Logout of mfa-login and reconnect. On 2nd and subsequent connections you should not be prompted for DUO. As configured in the example configs this will time out if you have no open ssh sessions for 30min.
• Attempt to go about your regular work with this config in place.
• If your group has systems you would specifically like to test with we can enable MFA ahead of schedule on select systems, just send a request to help@csail.mit.edu

SSH access restrictions

Inbound SSH connections from outside the CSAIL network to most systems on the CSAIL network are blocked by default. SSH connections within the CSAIL network (either on Ethernet or CSAILPrivate) remain open. Inbound SSH connections to the public login server login.csail.mit.edu remain open.

To SSH to systems from outside the CSAIL network it is strongly recommended that you Use the CSAIL jump host for SSH access as this by passes the firewall restriction and Minimizes DUO Prompts

It is also possible to bypass the firewall restriction using:

1. Campus VPN
2. Allowlist an SSH server

If the system you are connecting to inside the CSAIL is not running CSAIL Linux these methods are fine, however if you are connecting to a CSAIL Linux using one of these methods rather than the jump-host method will require DUO interaction on every ssh connection which is not a good experience.

Using SSH with the CSAIL Jump Host

TIG is supplying a dedicated jump host (separate from the login servers) called jump.csail.mit.edu. This server is configured to allow only proxy connections, not interactive logins.

Despite the impending network restrictions most people can continue to transparently access all CSAIL systems by setting up their client ssh config.

Please see the applicable configuration options for your platform

{{% panel theme="info” header="NOTE:” %}}CSAIL Linux systems will not require additional configuration when this change is live, for testing you will need a custon ssh config{{% /panel %}}

• CSAIL Linux
• MacOS
• Windows
• Linux

Allowlist SSH server

If all else fails, or you have a server that:

1. needs to allow ssh from outside the CSAIL network,
2. is not on the guest (128.31.0.0/24) and
3. has non-CSAIL users or some application restriction making it difficult to use a jump host configuration as shown above),

please open a ticket by sending mail to help@csail with the names and IP addresses of the machines you’d like to register as ssh servers and an explanation of the reason you need to have a firewall exception made. Note that the servers in question must have a static IP address assigned. Additional documentation can be found elsewhere on this site for physical servers and OpenStack virtual machines.

Using SSH to CSAIL via VPN

Using the jump host on Windows is more complicated then on Linux, or MacOS. Therefore, if you need to SSH to a CSAIL system from outside the CSAIL network, we suggest using the VPN. If you’d rather not use the VPN, skip to Using SSH to CSAIL via Jump Host for Windows 10

Both PuTTY and SecureCRT can be used for connecting to CSAIL Linux hosts without passwords. Kerberos tickets allow passwordless logins, and assuming ticket delegation is turned on, also allow access to AFS files once logged in. PuTTY is recommended as a leaner, freer, and more reliable alternative, while SecureCRT has convenient integrated graphical file transfer.

For PuTTY, v.0.61 or later, create a Saved Session with CSAIL-specific settings. In PuTTY Configuration:

1. Connection -> SSH -> Auth -> GSSAPI, set “Allow GSSAPI credential delegation” to YES
2. in Connection -> Data, set “Auto-login username” to your CSAIL username
3. in Session, leave Host Name blank and use csail as the session name under “Saved Settings”
4. Click “Save”

To connect manually, click csail and Load, then enter a Host Name like login.csail.mit.edu and click Open.

For SecureCRT:

• In either “Quick Connect” or Connection Properties -> SSH2, move GSSAPI to be the top item in the “Authentication” list.
• If Kerberos allows you to connect but you can’t see/edit AFS files and the output of klist starts with “No credentials cache found”, make sure that in the “Authentication” list, GSSAPI -> Properties -> Delegation is set to “Full”

WARNING: There is a poorly understood issue preventing delegation from completing successfully using SecureCRT on some Windows installations. Please run klist after connecting to confirm that tickets made it to the remote system; if not, try PuTTY or email help@csail.

Using SSH to CSAIL via Jump Host for Windows 10 on SecureCRT

Using SSH to CSAIL via Jump Host in Windows will use allow you to SSH to systems from within or outside the CSAIL network using Kerberos authentication. Connecting to the VPN is not necessary, but requires a more complicated configuration. We have not gotten this to work reliably with PuTTY - only SecureCRT

1. Create a new session to the jump host
   • From Session Manager -> New Session
   • Connection Tab
     • Name -> enter “csail jump” or similar friendly name.
     • Leave rest defaults
   • SSH2 Tab
     • Hostname = jump.csail.mit.edu
     • Username = [your csail username]
     • Authentication = In following order and checked: GSSAPI, PublicKey, Keyboard Interactive, Password.
     • Leave the rest defaults
2. Create a session to the final host
   • This is the connection you already have to the host you are SSHing to. If you have one, skip to the next session. If you need to create a new one:
   • From Session Manager -> New Session
   • Connection Tab
     • Name -> enter the [hostname] or similar friendly name.
     • Leave rest defaults
   • SSH2 Tab
     • Hostname = [hostname].csail.mit.edu
     • Firewall: Select Session -> select the jump host session from previous step
     • Username = [your csail username]
     • Authentication = In following order and checked: GSSAPI, PublicKey, Keyboard Interactive, Password.
     • Leave the rest defaults
3. Now you can connect final host session and it will us the jump host

Using SSH to CSAIL via Jump Host for Windows 10 on PuTTY

In order to use PuTTY on Windows with a jump host, you will first need to have either public-key authentication (see below) or Kerberos/GSSAPI configured and working. Kerberos authentication is the best option if available on your machine. If you’re using public-key authentication, you will need to have your private key loaded in Pageant; if you’re using Kerberos, you will need to have valid, unexpired Kerberos tickets.

Save a working Kerberos or public-key configuration with destination host jump.csail.mit.edu under the name jump.csail.mit.edu in PuTTY’s saved sessions on the main PuTTY connection settings pane.

To set up PuTTY to use the proxy, in a fresh PuTTY connection, go to the “Proxy” pane, select a proxy type of “local”, enter jump.csail.mit.edu in the proxy name field, and in the “proxy command” field, enter

  plink.exe %user@%proxyhost -agent -nc %host:%port

and choose “Until connection start” in the selector below. Save this on the main connection settings pane under a memorable name like “CSAIL proxy”.