Users will connect via SSH and enter their username/passwords as usual. One additional authentication step through Duo is then needed before the login is completed. This second authentication can be in several different forms (cell phone, YubiKey hardware token), and is user-selectable at each login. A brief description of each is provided below. See the Duo Authentication Methods page for more details.
Most HCC account holders use the Duo Mobile application on their smartphone or purchase a YubiKey USB device.
Faculty/staff members with a verified NU telephone number can enroll by phone. If you would like an HCC staff member to call your NU telephone number to enroll, please email email@example.com with a time you will be available.
YubiKey devices are currently a one-time cost of around $25 from HCC, or can be purchased from Yubico and added in-person at either HCC location. Purchasing a YubiKey from HCC must be done via a University cost object transfer (HCC cannot accept cash or credit cards). Please bring the cost object number with you if possible. YubiKeys are also available from the Husker Tech store in the UNL City Union. Note that YubiKeys are configured for HCC’s Duo, and not for general YubiCloud or U2F use.
This demonstrates an example login to Crane using the Duo Push method. Using another method (SMS, phone call, etc.) proceeds in the same way. (Click on any image for a larger version.)
First, a user connects via SSH using their normal HCC username/password, exactly as before.
After 10 failed authentication attempts, the user’s account is disabled. If this is the case, then the user needs to send an email to firstname.lastname@example.org including his/her username and the reason why multiple failed authentication attempts occurred.
After entering the password, instead of completing the login, the user will be presented with the Duo prompt. This gives the choice to use any authentication method that the particular account is setup to use. In this example, the choices are Duo Push notification, SMS message, or phone call. Choosing option 1 for Duo Push, a request to verify the login will be sent to the user’s smartphone.
Approve to verify the login.
If you receive a verification request you didn’t initiate, deny the request and contact HCC immediately via email at email@example.com
In the terminal, the login will now complete and the user will logged in as usual.
For smartphone or tablet users (iPhone, Android, Blackberry, Windows Phone), the Duo Mobile app is available for free. A push notification will be sent to the device, and users can simply confirm the login with one tap.
The Duo Mobile app can also be used to generate numeric passcodes, even when internet and cell service is unavailable. Press the key icon to generate a passcode. The passcode is then entered manually at the login prompt to complete authentication.
For non-smartphone users, Duo can send passcodes via normal text messages which are entered manually to complete login. Please note since this is an SMS message it may not be free, depending on the details of the particular cell phone plan.
For users with cell phones who prefer not to use any of the above methods and for those with landline phones, Duo will call the phone and provide a passcode via automatic voice message. The passcode is then entered manually to complete the login.
YubiKeys are USB hardware tokens that generate passcodes when pressed. They appear as a USB keyboard to the computer they are connected to, and so require no driver software with almost all modern operating systems. YubiKeys are available from the Husker Tech store at UNL. Users may also purchase them directly from Yubico if desired; this does require stopping by either HCC location in person to have the YubiKey added to the user’s account. For your convenience, HCC often carries some YubiKeys as well; these may only be purchased via a Cost Object transfer.