Duo Federal is now the Lab's two-factor authentication solution - Everyone who uses Duo must re-enroll at duo-fed-enroll.bnl.gov in order to retain their access. Those who have been using a YubiKey for two-factor authentication must get a new one. Just arrange to pick it up at ITD customer support at no charge (1-631-344-5522, itdhelp@bnl.gov).
Secure Shell (SSH) is a network protocol that facilitates secure data exchange between networked devices. By establishing a secure channel between a local and a remote computer, SSH exchanges information securely by using data encryption and message authentication codes.
BNL policy dictates that you use an official SSH gateway to enter the lab network with SSH. To make moving around from computer to computer faster and easier, advanced users may want to put their SSH keys on the gateway (see 'Additional Info' sidebar). That allows you to have single sign-on capabilities.
NOTE: The SSH gateways are not designed for file storage. Transferring large data sets should be accomplished by tunneling.
The Laboratory has several SSH gateways. The addresses to reach the SSH gateways are:
If you are trying to reach the gateways from inside the Laboratory for any reason, the address is:
If you need assistance installing the appropriate SSH client, contact the Help Desk.
To use the SSH Gateway as an entry/exit point you need to:
Testing Account:
Note: When you first connect to the gateway, you will receive a message similar to the one below. Respond by answering [yes].
localhost:~$ ssh your_user_name@ssh.bnl.gov
The authenticity of host 'ssh.bnl.gov (130.199.3.131)' can't be established.
RSA key fingerprint is 11:0e:ac:b5:33:17:92:66:b4:0e:1a:73:9a:a6:23:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ssh.bnl.gov' (RSA) to the list of known hosts.
When completed, you will be prompted to enter your BNL domain password.
Password:
After your password is entered correctly, follow the prompts shown below to complete the login process.
Duo two-step verification login for your_user_name
Enter a passcode (Duo App or YubiKey) or select the following option:
Passcode or option (1-2): 1
After successful two-factor authentication, you will be able to ssh to another machine on the internal BNL network. Log in as you normally would, but expect to answer yes the first time, as you did above.
your_user_name@sshvip1:~$ ssh user_name@somehost.bnl.gov
The authenticity of host 'somehost.bnl.gov (xxx.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is ef:30:09:34:e5:5b:c2:e6:92:b9:a1:2e:02:cf:82:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'somehost.bnl.gov,xxx.xxx.xxx.xxx' (RSA) to the list of known hosts.
user_name@somehost.bnl.gov's password:
The RSA key fingerprint for "ssh.bnl.gov" is 11:0e:ac:b5:33:17:92:66:b4:0e:1a:73:9a:a6:23:95
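The first-connection prompt is the one point where the gateway's host key can be compared with the fingerprint this page lists for ssh.bnl.gov. The sketch below is an added example, not BNL's own tooling: it computes the legacy MD5 fingerprint (and the SHA256 form newer clients print) from a known_hosts or ssh-keyscan style line and compares it with the published value. The function names are hypothetical and the sample key line is constructed, not the gateway's real key.

```python
import base64
import hashlib
import struct

# Fingerprint this page publishes for ssh.bnl.gov (legacy MD5 colon-hex form).
PUBLISHED_MD5 = "11:0e:ac:b5:33:17:92:66:b4:0e:1a:73:9a:a6:23:95"


def parse_host_key(line):
    """Split a known_hosts / ssh-keyscan line into (host, key_type, blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host key-type base64-key")
    host, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line is corrupt or was edited by hand.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return host, key_type, blob


def md5_fingerprint(blob):
    """Colon-separated MD5 hex, the form shown in the sessions on this page."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """SHA256:<unpadded base64>, the form current OpenSSH clients print."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_published(line, published=PUBLISHED_MD5):
    """True only if the key on `line` hashes to the published fingerprint."""
    blob = parse_host_key(line)[2]
    return md5_fingerprint(blob) == published.strip().lower()


def constructed_line(host="ssh.bnl.gov"):
    # Constructed sample, NOT the gateway's real key: the type string followed
    # by two short dummy integers in SSH wire format.
    t = b"ssh-rsa"
    blob = struct.pack(">I", len(t)) + t + b"\x00\x00\x00\x01\x23\x00\x00\x00\x02\x01\x01"
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"
```

A key line that does not hash to the published fingerprint, as the constructed sample here does not, is the case in which the connection prompt should not be accepted.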