This section covers the basic procedures for accessing computational resources at the Oak Ridge Leadership Computing Facility.

Connect with SSH

Secure shell (SSH) clients are the only supported remote clients for use with OLCF systems. SSH encrypts the entire session between OLCF systems and the client system, and avoids risks associated with using plain-text communication.

Note: To access OLCF systems, your SSH client must support SSH protocol version 2 (this is common) and allow keyboard-interactive authentication.

For UNIX-based SSH clients, the following line should be in either the default ssh_config file or your $HOME/.ssh/config file:

PreferredAuthentications keyboard-interactive,password

The line may also contain other authentication methods, but keyboard-interactive must be included.

SSH clients are also available for Windows-based systems, such as SecureCRT published by Van Dyke Software. For recent SecureCRT versions, the preferred authentications setting shown above can be made through the “connection properties” menu.

Note: SSH multiplexing is disabled on all of the OLCF’s user-facing systems. Users will receive an error message if they attempt to connect to an OLCF resource that tries to reuse an SSH control path. To ensure SSH connections will not attempt multiplexing, you will need to modify your $HOME/.ssh/config file by adding the following:

  Host *
    ControlMaster no

OLCF System Hostnames

Each OLCF system has a single, designated hostname for general user-initiated connections. Using these hostnames allows for automatic load-balancing that will send users to other hosts as needed. The designated OLCF hostnames for general user connections are as follows:

System Name Hostname RSA Key Fingerprint
Home (machine) MD5ba:12:46:8d:23:e7:4d:37:92:39:94:82:91:ea:3d:e9
Data Transfer Nodes MD5d1:c5:84:5b:88:d3:0e:81:33:a7:c2:5f:8a:09:b2:7f
Summit MD508:d0:fe:3f:f3:41:96:9c:ae:73:73:a8:92:6c:79:34
Eos MD5e3:ae:eb:12:0d:b1:4c:0b:6e:53:40:5c:e7:8a:0d:19
Titan MD577:dd:c9:2c:65:2f:c3:89:d6:24:a6:57:26:b5:9b:b7
Rhea MD517:4a:49:f8:37:e2:1b:7c:b5:23:b3:5c:64:3a:c5:07
System Name Hostname ECDSA Key Fingerprint
Home (machine) MD58a:92:0f:31:4d:38:2d:2c:ec:7d:53:ce:8b:46:73:d6
Data Transfer Nodes MD5bd:52:af:c3:8b:ad:a3:30:4f:28:75:9c:79:84:68:cd
Summit MD5cf:32:f9:35:fd:3f:2a:0f:ed:d3:84:b1:2d:f0:35:1b
Eos MD5d7:bb:7d:a1:73:f7:92:42:43:e6:75:d6:31:29:87:8a
Titan MD554:2a:81:ed:75:14:d6:ec:fc:85:b8:4f:fb:b1:11:fa
Rhea MD5e4:a4:b4:4a:24:bf:53:e0:9a:c4:10:9f:9f:3a:ec:f4

For example, to connect to Titan from a UNIX-based system, use the following:

$ ssh

RSA Key Fingerprints

Occasionally, you may receive an error message upon logging in to a system such as the following:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

This can be a result of normal system maintenance that results in a changed RSA public key, or could be an actual security incident. If the RSA fingerprint displayed by your SSH client does not match the OLCF-authorized RSA fingerprint for the machine you are accessing, do not continue authentication; instead, contact

Authenticating to OLCF Systems

All OLCF systems currently employ two-factor authentication only. To login to OLCF systems, an RSA SecurID® Token (fob) is required.
Image of an RSA SecudID fob

Activating a new SecurID® Token (fob)

Follow the steps described below to set up your new SecurID Token (fob).

  1. Initiate an SSH connection to using your OLCF username.
    (i.e., ssh
  2. When prompted for a PASSCODE, enter the 6 digits displayed on your token.
  3. When asked if you are ready to set your PIN, answer with “y”.
  4. You will then be prompted to enter a PIN. Enter a 4- to 8-character alphanumeric PIN you can remember. You will then be prompted to re-enter your PIN.
  5. A message will appear stating that your PIN has been accepted. Press enter to continue.
  6. Finally, you will be prompted again with “Enter PASSCODE”. This time enter both your PIN and the 6 digits displayed on your token before pressing enter.
  7. Your PIN is now set and you are logged into

Using a SecurID® Token (fob)

When prompted for your PASSCODE, enter your PIN followed by the 6 digits shown on your SecurID® token before pressing enter. For example, if your pin is 1234 and the 6 digits on the token are 000987, enter 1234000987 when you are prompted for a PASSCODE.

Warning: The 6-digit code displayed on the SecurID token can only be used once. If prompted for multiple PASSCODE entries, always allow the 6-digit code to change between entries. Re-using the 6-digit code can cause your account to be automatically disabled.

PINs, Passcodes, and Tokencodes

When users connect with RSA SecurID tokens, they are most often prompted for a PASSCODE. Sometimes, they are instead prompted for a PIN (typically only on initial setup) and other times they might be prompted to wait for the tokencode to change and enter the new tokencode. What do these terms mean?

The TOKENCODE is the 6-digit number generated by the RSA token.

The PIN is a (4) to (8)-digit number selected by the user when they initially set up their RSA token.

The PASSCODE is simply the user’s PIN followed by the current tokencode.

These are relatively straightforward; however, there can be some confusion on initial setup. The first time a user connects with a new token (or, if for some reason the user requested that we clear the PIN associated with their token) they are prompted for a PASSCODE but in reality only enter a tokencode. This is because during this initial setup procedure a PIN does not exist. Since there is no PIN, the PASSCODE is the same as the tokencode in this rare case.

X11 Forwarding

Automatic forwarding of the X11 display to a remote computer is possible with the use of SSH and a local X server. To set up automatic X11 forwarding within SSH, you can do (1) of the following:

  • Invoke ssh on the command line with:
    $ ssh -X hostname

    Note that use of the -x option (lowercase) will disable X11 forwarding.

  • Edit (or create) your $HOME/.ssh/config file to include the following line:
    ForwardX11 yes

All X11 data will go through an encrypted channel. The $DISPLAY environment variable set by SSH will point to the remote machine with a port number greater than zero. This is normal, and happens because SSH creates a proxy X server on the remote machine for forwarding the connections over an encrypted channel. The connection to the real X server will be made from the local machine.

Warning: Users should not manually set the $DISPLAY environment variable for X11 forwarding; a non-encrypted channel may be used in this case.

Connecting to Internal OLCF Systems

Some OLCF systems are not directly accessible from outside the OLCF network. In order to access these systems, you must first log into Home.


Once logged into Home, you can ssh into the desired (internal) system. Please see the Home section on the Getting Started page for more information (e.g. appropriate uses).