Setting up SSH on Windows

Using SSH on Windows

For secure, password-less SSH login to CSAIL systems, please first setup Kerberos for Windows

DUO MultiFactor Authentication Required

Beginning August 4th 2025 ssh access to CSAIL systems will require DUO MultiFactor Authentication (MFA)

This uses the same app as MIT DUO so most people will already have that installed and set up. If you do not now is a good time to review their Knowledge Base article.

While we are using the same application (and under their license) CSAIL has a separate DUO instance with separate configuration.

Signing up for CSAIL DUO

Sign in to https://duo.csail.mit.edu/ and configure your preferences.

Minimizing Second Factor Prompts

The recommended CSAIL jump host configuration uses SSH Multiplexing such that you will only be prompted for DUO authentication when you first connect. So long as you maintain an open ssh session through the jump host DUO will not be required for subsequent connections through the jump hosts, even if they are to different endpoint hosts. After 30min with no open connections the multiplexing socket will time out and on the next connection you’ll again get a DUO prompt.

Dealing with “problem” clients and workflows

IDEs (VScode, Cursor, PuTTY, etc) and other interactive tools that use SSH

Many integrated development environments (IDE’s) and other tools that use SSH behind the scenes provide poor or no UI to deal with entering a second factor. If you follow the Minimizing Second Factor Prompts instructions above and manually ssh to any CSAIL host before using the problematic tool it won’t need a second factor to connect and everything should function noramally.

Automated non-interactive processes

TIG can create configuration exceptions for internal cluster communications and exceptions for limited scope system accounts using SSHKey authentication. This is not self-service and requires a security review and custom configuration.

Please contact help@csail.mit.edu to arrange for custom configuration and testing as soon as possible to ensure a smooth transition

Testing Changes Now

Please do test this as soon as possible and email help@csail.mit.edu if you encounter any problems.

1. ssh $CSAIL_USERNAME@mfa-login.csail.mit.edu

• If you are prompted for Duo two-factor login for [user] you are already enrolled in DUO. Continue to step 2.
• If you get the message Please enroll at... follow the link to enroll

2. Try configuring mfa-jump as your jump host

• Create or edit a ~/.ssh/config for your client as desribed under Use the CSAIL jump host for SSH access replacing jump.csail.mit.edu in the configuration for your Operating System with mfa-jump.csail.mit.edu, Note these examples are recently changed. The new configs will work with both the new MFA systems and the current single factor systems, but the old configs will not provide a good experience with MFA. Please review the examples even if you are currently using the TIG provide jump host for access.
• connect again to ssh $CSAIL_USERNAME@mfa-login.csail.mit.edu. On 1st connection you should expect a DUO prompt.
• Logout of mfa-login and reconnect. On 2nd and subsequent connections you should not be prompted for DUO. As configured in the example configs this will time out if you have no open ssh sessions for 30min.

3. Attempt to go about your regular work with this config in place.
4. If your group has systems you would specifically like to test with we can enable MFA ahead of schedule on select systems, just send a request to help@csail.mit.edu

SSH access restrictions

Inbound SSH connections from outside the CSAIL network to most systems on the CSAIL network are blocked by default. SSH connections within the CSAIL network (either on Ethernet or CSAILPrivate) remain open. Inbound SSH connections to the public login server login.csail.mit.edu remain open.

To SSH to systems from outside the CSAIL network it is strongly recommended that you Use the CSAIL jump host for SSH access as this by passes the firewall restriction and Minimizes DUO Prompts

It is also possible to bypass the firewall restriction using:

1. Campus VPN
2. Allowlist an SSH server

If the system you are connecting to inside the CSAIL is not running CSAIL Linux these methods are fine, however if you are connecting to a CSAIL Linux using one of these methods rather than the jump-host method will require DUO interaction on every ssh connection which is not a good experience.

Using SSH with the CSAIL Jump Host

TIG is supplying a dedicated jump host (separate from the login servers) called jump.csail.mit.edu. This server is configured to allow only proxy connections, not interactive logins.

Despite the impending network restrictions most people can continue to transparently access all CSAIL systems by setting up their client ssh config.

Please see the applicable configuration options for your platform

{{% panel theme="info” header="NOTE:” %}}CSAIL Linux systems will not require additional configuration when this change is live, for testing you will need a custon ssh config{{% /panel %}}

• CSAIL Linux
• MacOS
• Windows
• Linux

Using SSH to CSAIL via VPN

Using the jump host on Windows is more complicated then on Linux, or MacOS. Therefore, if you need to SSH to a CSAIL system from outside the CSAIL network, we suggest using the VPN. If you’d rather not use the VPN, skip to Using SSH to CSAIL via Jump Host for Windows 10

Both PuTTY and SecureCRT can be used for connecting to CSAIL Linux hosts without passwords. Kerberos tickets allow passwordless logins, and assuming ticket delegation is turned on, also allow access to AFS files once logged in. PuTTY is recommended as a leaner, freer, and more reliable alternative, while SecureCRT has convenient integrated graphical file transfer.

For PuTTY, v.0.61 or later, create a Saved Session with CSAIL-specific settings. In PuTTY Configuration:

1. Connection -> SSH -> Auth -> GSSAPI, set “Allow GSSAPI credential delegation” to YES
2. in Connection -> Data, set “Auto-login username” to your CSAIL username
3. in Session, leave Host Name blank and use csail as the session name under “Saved Settings”
4. Click “Save”

To connect manually, click csail and Load, then enter a Host Name like login.csail.mit.edu and click Open.

For SecureCRT:

• In either “Quick Connect” or Connection Properties -> SSH2, move GSSAPI to be the top item in the “Authentication” list.
• If Kerberos allows you to connect but you can’t see/edit AFS files and the output of klist starts with “No credentials cache found”, make sure that in the “Authentication” list, GSSAPI -> Properties -> Delegation is set to “Full”

WARNING: There is a poorly understood issue preventing delegation from completing successfully using SecureCRT on some Windows installations. Please run klist after connecting to confirm that tickets made it to the remote system; if not, try PuTTY or email help@csail.

Using SSH to CSAIL via Jump Host for Windows 10 on SecureCRT

Using SSH to CSAIL via Jump Host in Windows will use allow you to SSH to systems from within or outside the CSAIL network using Kerberos authentication. Connecting to the VPN is not necessary, but requires a more complicated configuration. We have not gotten this to work reliably with PuTTY - only SecureCRT

1. Create a new session to the jump host
   • From Session Manager -> New Session
   • Connection Tab
     • Name -> enter “csail jump” or similar friendly name.
     • Leave rest defaults
   • SSH2 Tab
     • Hostname = jump.csail.mit.edu
     • Username = [your csail username]
     • Authentication = In following order and checked: GSSAPI, PublicKey, Keyboard Interactive, Password.
     • Leave the rest defaults
2. Create a session to the final host
   • This is the connection you already have to the host you are SSHing to. If you have one, skip to the next session. If you need to create a new one:
   • From Session Manager -> New Session
   • Connection Tab
     • Name -> enter the [hostname] or similar friendly name.
     • Leave rest defaults
   • SSH2 Tab
     • Hostname = [hostname].csail.mit.edu
     • Firewall: Select Session -> select the jump host session from previous step
     • Username = [your csail username]
     • Authentication = In following order and checked: GSSAPI, PublicKey, Keyboard Interactive, Password.
     • Leave the rest defaults
3. Now you can connect final host session and it will us the jump host

Using SSH to CSAIL via Jump Host for Windows 10 on PuTTY

In order to use PuTTY on Windows with a jump host, you will first need to have either public-key authentication (see below) or Kerberos/GSSAPI configured and working. Kerberos authentication is the best option if available on your machine. If you’re using public-key authentication, you will need to have your private key loaded in Pageant; if you’re using Kerberos, you will need to have valid, unexpired Kerberos tickets.

Save a working Kerberos or public-key configuration with destination host jump.csail.mit.edu under the name jump.csail.mit.edu in PuTTY’s saved sessions on the main PuTTY connection settings pane.

To set up PuTTY to use the proxy, in a fresh PuTTY connection, go to the “Proxy” pane, select a proxy type of “local”, enter jump.csail.mit.edu in the proxy name field, and in the “proxy command” field, enter

  plink.exe %user@%proxyhost -agent -nc %host:%port

and choose “Until connection start” in the selector below. Save this on the main connection settings pane under a memorable name like “CSAIL proxy”.