SSH Access from Off Campus

Recently a large number of University CLAS Linux computers have been targeted by "spray attacks" in an attempt to compromise systems and exploit user accounts through SSH running on port 40. Password spraying is an attack that will, usually, feed a large number of usernames into a program that loops through those usernames and tries a number of passwords.  It is possible a user account could be compromised, but mostly this has resulted in user HawkID accounts being locked out.  If the attacker did guess the password they would presumably be able to access anything the user could that isn't protected by the DUO 2 factor authentication system.

We have experimented in the past with various methods to block malicious password guessing but the sophistication of the attacks have increased.  We have determined our best option is to block password based access to SSH from off campus.  Starting on November 21, 2019 users will need to use SSH keys ( or Kerberos tickets to access,, and from off campus.  You may also connect with normal password authentication when using the Cisco AnyConnect VPN service provided by ITS ( 

We will be contacting individual users with workstations and servers that allow off campus SSH to discuss the impact of these changes.

Note, this does not affect the FastX web based service, it only affects SSH access from off campus to Port 40.