On Thursday, April 2nd, 2020, at around 10 pm, the Courant remote access gateway, access.cims.nyu.edu, will be rebooted, after which users will be required to use NYU's Multifactor Authentication (MFA) implementation to login to these servers and gain remote access to systems on the Courant network. Please be sure that you have tested your access to NYU Home in advance to confirm that you have MFA set up with current device information and ensure that remote access to Courant systems is not disrupted. Please see the NYU MFA instructions for more information on its set-up and use.
Following the transition, upon connecting to the server with your CIMS username and after entering your correct CIMS password, you will see the prompt that should be familiar from logging in to NYU Home, and you will need to choose between getting a push to a mobile device, a phone call or passcodes, just as you do when logging in to NYU Home (though for most, a default is set, so users have become accustomed to this part of the process being non-interactive).
For example, the fictitious Courant user, zyx, with NYU NetID zyx987, connecting from a Unix-based remote system, such as a MacBook, would see this:
-bash-4.2$ ssh email@example.com
Duo two-factor login for zyx987
Enter a passcode or select one of the following options:
1. Duo Push to XXX-XXX-6789
2. Phone call to XXX-XXX-6789
3. Phone call to XXX-XXX-4321
4. SMS passcodes to XXX-XXX-6789 (next code starts with: 2)
Passcode or option (1-4): 1
Success. Logging you in...
The message "Duo two-factor login for zyx987" above appears after the account's correct password is entered. In the above case, the first option is chosen and the login is successful after the push is accepted on the user's phone.
We have tested MFA access from command line shells in Linux and macOS terminals and from PuTTY and WinSCP in Windows. If you have any questions about other client interfaces, please contact firstname.lastname@example.org. Also contact us if you ever get a push, a call, or SMS from Duo as described above that you did not initiate!
For those who use public key authentication, this method will continue to work as it does now after MFA is implemented. However, it will be disabled after the systems are rebooted and can be reenabled by the user after an initial MFA login. In addition, we will now require the use of a specific public key file called "authorized_keys_access" for public-key authentication to access.cims.nyu.edu. For security reasons we ask that you please use a passphrase for your public/private key pair for remote connections to access.cims.nyu.edu. You should continue to use the standard "authorized_keys" file for public-key authentication between Courant systems (that is, you might have two authorized_keys files in your .ssh directory: one for remote access, the other for internal use). Please see the instructions on how to set up public-key authentication for the access servers.
No other remotely accessed Courant services, such as mail or web servers, will be affected by this change. We appreciate your patience and understanding as we make this critical network securty upgrade.