This section covers the basic procedures for accessing computational resources at the Oak Ridge Leadership Computing Facility.
Connect with SSH
Secure shell (SSH) clients are the only supported remote clients for use with OLCF systems. SSH encrypts the entire session between OLCF systems and the client system, and avoids risks associated with using plain-text communication.
For UNIX-based SSH clients, the following line should be in either the default
ssh_config file or your
The line may also contain other authentication methods, but
keyboard-interactive must be included.
SSH clients are also available for Windows-based systems, such as SecureCRT published by Van Dyke Software. For recent SecureCRT versions, the preferred authentications setting shown above can be made through the “connection properties” menu.
$HOME/.ssh/configfile by adding the following:
Host *.ccs.ornl.gov ControlMaster no
OLCF System Hostnames
Each OLCF system has a single, designated hostname for general user-initiated connections. Using these hostnames allows for automatic load-balancing that will send users to other hosts as needed. The designated OLCF hostnames for general user connections are as follows:
|System Name||Hostname||RSA Key Fingerprints|
|Data Transfer Nodes||
For example, to connect to Titan from a UNIX-based system, use the following:
$ ssh email@example.com
RSA Key Fingerprints
Occasionally, you may receive an error message upon logging in to a system such as the following:
@@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed.
This can be a result of normal system maintenance that results in a changed RSA public key, or could be an actual security incident. If the RSA fingerprint displayed by your SSH client does not match the OLCF-authorized RSA fingerprint for the machine you are accessing, do not continue authentication; instead, contact firstname.lastname@example.org.
Authenticating to OLCF Systems
All OLCF systems currently employ two-factor authentication only. To login to OLCF systems, an RSA SecurID® Token (fob) is required.
Activating a new SecurID® Token (fob)
Follow the steps described below to set up your new SecurID Token (fob).
- Initiate an SSH connection to home.ccs.ornl.gov using your OLCF username.
- When prompted for a PASSCODE, enter the 6 digits displayed on your token.
- When asked if you are ready to set your PIN, answer with "y".
- You will then be prompted to enter a PIN. Enter a 4- to 8-character alphanumeric PIN you can remember. You will then be prompted to re-enter your PIN.
- A message will appear stating that your PIN has been accepted. Press enter to continue.
- Finally, you will be prompted again with "Enter PASSCODE". This time enter both your PIN and the 6 digits displayed on your token before pressing enter.
- Your PIN is now set and you are logged into home.ccs.ornl.gov.
Using a SecurID® Token (fob)
When prompted for your PASSCODE, enter your PIN followed by the 6 digits shown on your SecurID® token before pressing enter. For example, if your pin is
1234 and the 6 digits on the token are
1234000987 when you are prompted for a PASSCODE.
PINs, Passcodes, and Tokencodes
When users connect with RSA SecurID tokens, they are most often prompted for a PASSCODE. Sometimes, they are instead prompted for a PIN (typically only on initial setup) and other times they might be prompted to wait for the tokencode to change and enter the new tokencode. What do these terms mean?
The TOKENCODE is the 6-digit number generated by the RSA token.
The PIN is a (4) to (8)-digit number selected by the user when they initially set up their RSA token.
The PASSCODE is simply the user’s PIN followed by the current tokencode.
These are relatively straightforward; however, there can be some confusion on initial setup. The first time a user connects with a new token (or, if for some reason the user requested that we clear the PIN associated with their token) they are prompted for a PASSCODE but in reality only enter a tokencode. This is because during this initial setup procedure a PIN does not exist. Since there is no PIN, the PASSCODE is the same as the tokencode in this rare case.
Automatic forwarding of the X11 display to a remote computer is possible with the use of SSH and a local X server. To set up automatic X11 forwarding within SSH, you can do (1) of the following:
- Invoke ssh on the command line with:
$ ssh -X hostname
Note that use of the
-xoption (lowercase) will disable X11 forwarding.
- Edit (or create) your
$HOME/.ssh/configfile to include the following line:
All X11 data will go through an encrypted channel. The
$DISPLAY environment variable set by SSH will point to the remote machine with a port number greater than zero. This is normal, and happens because SSH creates a proxy X server on the remote machine for forwarding the connections over an encrypted channel. The connection to the real X server will be made from the local machine.
$DISPLAYenvironment variable for X11 forwarding; a non-encrypted channel may be used in this case.
Connecting to Internal OLCF Systems
Some OLCF systems are not directly accessible from outside the OLCF network. In order to access these systems, you must first log into Home.