Whenever I want to do something that involves making an ssh connection to ComputeCanada servers, such as doing an rsync copy, I have to manually authenticate each connection using their proprietary 2FA method. It adds an unnecessary step to my workflow when using their servers. It’s even worse for tools like Emacs’s TRAMP-mode that assume a sane ssh connection. In the case of TRAMP, it flat out errors out when it sees the 2FA prompt.
I would’ve preferred using more common 2FA methods like Time-based One-Time Password (TOTP), which are well-known among users and are far more accessible. With TOTP, you could use apps like Google Authenticator to get two-factor authentication.
Fortunately, there is a way to fix this. You can create a single shared ssh connection and then multiplex all subsequent ssh connections through it. The upside is that you only have to authenticate once; the downside is that you’ll have to kill the ssh connection manually if it hangs or if you change networks. Normally, though, you wouldn’t need to kill the multiplexer process by hand: you can either set a timeout after which the process closes, or tell it to run indefinitely.
Configuring Your SSH Config
Here’s how to do it, assuming you have your ssh config file as ~/.ssh/config, and in it there’s a Host definition for some ssh endpoint which resembles something like this:
Host beluga-cc
Hostname beluga.alliancecan.ca
User X
IdentityFile ~/.ssh/path_to_key
IdentitiesOnly yes
You’d want to add
ControlMaster auto
ControlPersist 6h
ControlPath ~/.ssh/control/%l-%h-%p-%r-%j
to it. The third line states that the ssh client will create a file corresponding to the established connection in ~/.ssh/control/ [1]. Change the value of ControlPersist to 0 or yes to run the session indefinitely. I’ve set mine to 6 hours.
You can also change the names of the files under ~/.ssh/control/. If you want to, have a look at man ssh_config. Near the very end, under the section TOKENS, you can see what each % option expands to.
Stopping the Connection
In order to kill the connection,
- Find the PID of the muxing process:
$ ps aux | grep ssh | grep mux
1337
- Kill the connection by sending a kill signal to it, like this:
$ kill -9 1337 # put PID number here instead of `1337`
Here’s a one-liner that takes care of everything, assuming you have fzf installed:
$ kill -s KILL $(ps aux | grep ssh | grep mux | fzf | awk '{print $2}')
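An alternative to kill -9, as an added example that is not part of the original post: OpenSSH's own control commands (ssh -O check, ssh -O exit) talk to the master through its socket, and the socket directory should be owner-only because anyone who can open a socket reuses the already authenticated session. The function names and the MUX_DIR variable are assumptions made for this example; the Host alias would be beluga-cc from the config above.

```shell
#!/bin/sh
# Added example: helpers for the shared (ControlMaster) connection.
# MUX_DIR is an assumed variable name; it must match the directory in ControlPath.
MUX_DIR="${MUX_DIR:-$HOME/.ssh/control}"

# Create the socket directory with owner-only access (mode 700).
mux_prepare_dir() {
    mkdir -p "$MUX_DIR" && chmod 700 "$MUX_DIR"
}

# Return 0 only if the directory is readable/writable/searchable by the owner alone.
# cut keeps the 10 mode characters and drops any trailing ACL/SELinux marker.
mux_dir_is_private() {
    case "$(ls -ld "$MUX_DIR" | cut -c1-10)" in
        drwx------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Exit status 0 when a master for Host alias $1 is answering on its socket.
mux_status() {
    ssh -O check "$1"
}

# Ask the master for Host alias $1 to exit; it closes the shared connection itself,
# so there is no PID to look up.
mux_stop() {
    ssh -O exit "$1"
}

# List socket files currently present in the control directory.
mux_list_sockets() {
    find "$MUX_DIR" -type s 2>/dev/null
}
```

Run mux_stop beluga-cc before switching networks, and fall back to kill only when the master no longer answers mux_status.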
Update:
I had the pleasure of using JUWELS Booster, in NVIDIA’s HotI 2025 tutorial. Sifting through their documentation, the folks at Jülich also recommend this method. They also use TOTP, which is infinitely nicer compared to CISCO’s proprietary solution.
[1] Make sure it exists by running mkdir -p ~/.ssh/control/. (Thanks for pointing this out, Amirhossein!)