Reduced OTP password entries

Because one-time passwords (like those generated by the Research Computing Vasco tokens) are, by design, only valid once, they cannot be cached for automatic entry by an SSH client. The Research Computing environment does not permit SSH keys for remote access either, so users often find themselves typing in an OTP frequently.

OpenSSH (a common SSH client present on most Linux and Unix systems, including Mac OS X) provides a feature that allows multiple SSH sessions to share a single connection. The practical result is that a user need log in only once, with all other connections being directed over the existing, pre-authenticated connection.

This configuration takes place on your local client / workstation, not on a Research Computing login node or other system. Run these commands on your local system.

$ mkdir -p ~/.ssh
$ echo >>~/.ssh/config 'Host *login*.rc.colorado.edu
ControlMaster auto
ControlPath /tmp/ssh_mux_%u_%h_%p_%r'

With this stanza in place at the bottom of your ~/.ssh/config file, you can ssh to login.rc.colorado.edu (or any specific Research Computing login node) and every subsequent connection will share the first connection. You will not be required to re-authenticate unless all open connections are closed.
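The control socket gives access to the already-authenticated connection, and ssh_config(5) recommends placing ControlPath in a directory that is not writable by other users, which /tmp is. The script below is an added example, not part of the original Research Computing instructions: it prints the same stanza with the socket under ~/.ssh/mux (an assumed directory name) and audits the ControlPath directories of any ssh_config file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the directories that ssh_config ControlPath sockets live in.

# The page's stanza with the socket moved out of /tmp. ~/.ssh/mux is an assumed
# directory name; create it first with: mkdir -m 700 ~/.ssh/mux
hardened_stanza() {
    cat <<'EOF'
Host *login*.rc.colorado.edu
ControlMaster auto
ControlPath ~/.ssh/mux/%u_%h_%p_%r
EOF
}

# Succeeds only if $1 is a real directory (not a symlink), owned by the
# current user, and not writable by group or other.
dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$(id -u)" ! -perm -020 ! -perm -002 -print)" ]
}

# Print every ControlPath value in an ssh_config file. Handles "Key value" and
# "Key=value"; quoted paths containing spaces are not handled.
controlpaths() {
    awk '{ sub(/^[ \t]+/, ""); split($0, f, "[ \t=]+")
           if (tolower(f[1]) == "controlpath") print f[2] }' "$1"
}

# Report OK or WEAK for each ControlPath directory; return 1 if any is WEAK.
audit_controlpaths() {
    audit_rc=0
    for cp in $(controlpaths "$1"); do
        case $cp in
            none) continue ;;                 # multiplexing disabled for this host
            "~/"*) cp="$HOME/${cp#??}" ;;     # expand a leading ~/
        esac
        cp_dir=$(dirname "$cp")
        if dir_is_private "$cp_dir"; then
            echo "OK   $cp_dir"
        else
            echo "WEAK $cp_dir (missing, not yours, or writable by others)"
            audit_rc=1
        fi
    done
    return $audit_rc
}

# When run on a workstation, audit the real client configuration.
if [ -f "$HOME/.ssh/config" ]; then audit_controlpaths "$HOME/.ssh/config" || true; fi
```

To see whether a shared connection is still open, run ssh -O check login.rc.colorado.edu; ssh -O exit login.rc.colorado.edu closes it, after which the next connection asks for an OTP again.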

There are many more customization opportunities available in the ~/.ssh/config file (notably the remote username and keepalive settings). For more information, see the ssh_config(5) manpage.

$ man 5 ssh_config