The OpenSSH that is included with all modern macOS versions works with 2FA without any extra configuration. This also applies to "scp", "sftp" and "rsync".

If you want to enable connection sharing (to avoid having to enter your password and TOTP code for each new terminal window or file transfer):

• Edit the file .ssh/config in your home directory. This file will typically not exist unless you already have a custom SSH configuration.

• Add a rule for the NSC cluster, with ControlMaster, ControlPersist and ControlPath set.

Example .ssh/config file:

Host duolith.nsc.liu.se
ControlMaster autoask
ControlPersist 2h
ControlPath ~/.ssh/cm-%r@%h:%p

Setting ControlMaster to "autoask" will make SSH open a window asking "Allow shared connection to ...?" every time a new connection wants to use the existing login. This makes connection sharing a little more secure, as it becomes more difficult for someone that can access your account on your own computer to start a new SSH connection through the existing login. If you do not want this extra layer of security, replace "autoask" with "auto".

Note: macOS does not come with the ssh-askpass command installed. This is needed to use autoask (ssh-askpass is used for the popup window asking you if a new connection should be accepted). You can either install ssh-askpass or accept the small security penalty of using auto instead (you will not get a warning if someone who has control over your computer starts new SSH connections using your existing one).

Screenshots: