Access and Login to the Linux-Cluster

This document explains how to get first-time access to the Linux Cluster and how to log in to the cluster, and it addresses topics concerning the login procedure (ssh, password, two-factor authentication).

How to get an Account

Please see article Compact Guide to first-time Linux Cluster Access Process.

How to apply for a Linux Cluster project

Security and Login

Only the login nodes can be accessed interactively from the outside world, typically via Secure Shell. Security features are implemented to prevent appropriation of sensitive information by a third party. Thus, please read the following sections very carefully!

Configuration of Two-Factor Authentication (2FA) and Secure Shell (SSH)

We recommend performing the configuration steps in the following order:

  1. 2FA: 2FA is mandatory for access to the Linux Cluster! In order to use 2FA on the Linux Cluster, you need to configure it in advance!
  2. SSH: Learn more about details on the ssh configuration for usage with the LRZ HPC systems in the document ssh - Secure Shell on LRZ HPC Systems. This also includes the setup of public-key authentication and associated mandatory policies.

2FA configuration comprises two steps: registration of the token(s) at the LRZ SIM-MFA portal and configuration on your local device. A "token" can be a piece of hardware or software that serves as a second factor in authentication.

Recommended 2FA Procedure

Software tokens on mobile devices are most popular. Please consider: The smartphone may break, you may lose it, or the 2FA app may no longer work and have to be reinstalled. Then, you have locked yourself out of LRZ services! That is, you are no longer able to log in to the Linux Cluster or to the LRZ SIM-MFA web portal to manage your tokens.

We strongly recommend creating multiple tokens! For example, create a software token on your mobile device and an additional recovery token as a fallback solution. Please read here for details!

Supported 2FA Methods on the Linux Cluster

Numerous authentication methods are available. You may choose any token available in the SIM-MFA portal. However, please consider that we only offer support concerning configuration and usage for the following list of tokens!

Recommended Tokens for Login Procedures

TOTP token: An authenticator app on your mobile device continuously generates new Time-based One Time Passwords, which can be used as a second factor at ssh login to the Linux Cluster.

Hardware token YubiKey: This is an individually configured USB-Key for each user. When asked by the ssh login, touching this hardware token will provide the second factor. The login procedure completes.
This method requires the purchase of the hardware token YubiKey as well as some more advanced configuration steps.

LRZ does not provide YubiKeys! We recommend using this method if you cannot meet the requirements of the TOTP or PUSH method, such as a missing mobile device.

Recommended Recovery Token

TAN list: The SIM-MFA portal will generate a list of 100 TANs which you need to download. We recommend to print it on a sheet of paper. You may use this list as recovery token. Each TAN can only be used once!

Additional Token (limited support)

PUSH token: Your ssh login to the Linux Cluster triggers a notification sent to your mobile device. By accepting the notification the second factor will be sent back to the LRZ server and the login procedure completes automatically.

Due to dependency on third-party software (notification service), we provide limited support for this token!

Register 2FA Tokens

  1. Log in to the SIM-MFA web portal in order to create and configure 2FA tokens!

    Please log in to the SIM-MFA portal with exactly the same user ID (account) that you will need to access the Linux Cluster, i. e. the user ID with Linux Cluster permission!
    Do you have multiple user IDs? Then, you must configure 2FA for each user ID separately!

  2. According to our policy, the use of a second device (e. g. your mobile device, a Yubikey or a TAN list) for provision of the second factor is mandatory! Select one of the following methods to proceed with the configuration of the 2FA token of your choice in SIM-MFA portal as well as on your local device.

    Please carefully read the instructions and recommendations!

Login to the Linux Cluster

General Commands

From the UNIX command line on your own workstation, the login to an LRZ account xxyyyzz is performed via the ssh command. Use the method you have configured in the previous step. For password authentication use

ssh -Y xxyyyzz@cool.hpc.lrz.de

For public-key authentication, the default ssh port is not used. A different command needs to be used:

ssh -Y -p 2222 xxyyyzz@cool.hpc.lrz.de

Please note that cool.hpc.lrz.de is a Round Robin address. You will be forwarded to one of the Linux Cluster login nodes!

Remarks on ssh access:

  • The -Y option of ssh is responsible for tunneling the X11 protocol. It may be omitted if no X11 clients are required, or if you have already configured X11 tunneling otherwise in your ssh client.

  • After successful login you will find yourself in the HOME directory on the Linux Cluster. This is a DSS volume, which is uniformly mounted on all cluster nodes.

Password and 2FA

Proceeding with password and 2FA is straightforward. The terminal will ask sequentially for both credentials:

$ ssh xxyyyzz@cool.hpc.lrz.de
Password:
2FA:

Please note when asked for 2FA (this also applies to public-key authentication):

  • TOTP: Read the One-Time Password (OTP) from your authenticator app and enter it in the terminal. Do not use an OTP which is no longer valid!
  • PUSH: Press <ENTER> in the terminal in order to receive the push notification. Do not enter something else, e. g. the word "PUSH"! Accept the push message in the app.
  • YubiKey: Touch the button.
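
Why an expired TOTP is rejected, shown as an added example (not LRZ's code): the code is an HMAC over the current time window, so it changes when the window does. The RFC 6238 defaults (SHA-1, 30-second step, 6 digits), the constructed test secret and the drift_windows parameter are assumptions, not settings taken from the SIM-MFA portal.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time window (RFC 6238 default, assumed here)
DIGITS = 6   # code length (assumed)

# Constructed sample: the published RFC 6238 test secret, not a real token.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP over the counter floor(time / step)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_left(unix_time: int, step: int = STEP) -> int:
    """How long the code displayed at unix_time remains the current one."""
    return step - (unix_time % step)


def verify(secret: bytes, code: str, unix_time: int, drift_windows: int = 0) -> bool:
    """Verifier-side check. drift_windows (hypothetical parameter) is the number
    of neighbouring windows tolerated for clock drift; 0 means current only."""
    for w in range(-drift_windows, drift_windows + 1):
        t = unix_time + w * STEP
        if t < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(totp(secret, t), code):
            return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    print(totp(SECRET, now), f"valid for another {seconds_left(now)} s")
```

A code read from the app one second before the window ends is already stale when typed two seconds later, unless the verifier tolerates the previous window.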

Token Recovery Procedure

Once you have generated a token in the SIM-MFA web portal, 2FA will be mandatory to access the SIM-MFA portal. Single-factor authentication is then no longer possible!

Typical use case: You are generally using TOTP or PUSH but have lost this software token, e. g. by removing the authenticator app on your mobile device or losing the mobile device. Now, you can neither log in to the SIM-MFA web portal nor to the Linux Cluster!
You have locked yourself out!

Recommended Solution

We recommend creating a second token for recovery. You may use this token to log in to the SIM-MFA portal in order to delete invalid tokens or create new ones. We recommend using the TAN list printed on a sheet of paper as the recovery token. Simply use a TAN from the list to log in.

If you do not have a recovery option, but you have locked yourself out of the portal, then you need to contact the service desk.

Usage Policy on Login Nodes

Please take note of our Linux Cluster Policies!

Changing of Password and Shell

Please always use the LRZ IDM web portal to change your login password or your login shell for the cluster systems. Cluster-local commands cannot be used for this purpose.

Please note the LRZ policy for the selection and use of passwords:

Changing the password is necessary after it has been newly issued, or reset to a starting value by a master user or LRZ staff. This assures that actual authentication is done with a password known only to the account owner.

Support via Service Desk

Questions concerning the usage of the Linux Cluster should always be directed to the LRZ Servicedesk. A member of the LRZ HPC support team will then attend to your needs. For 2FA issues, you may also check the 2FA Glossary/FAQ.

In case of contacting us, please choose the proper Servicedesk:


Miscellaneous Topics

Documentation for Application Software and Packages

Please start from the HPC Software and Programming Support entries on the LRZ web server.

LRZ-specific configuration and policies on the clusters

Moving data from/to the cluster

The preferred method to move data to/from LRZ's Linux Cluster is using the Globus Research Data Management Portal. Details on the usage of Globus can be found here. Alternatively, you can also use scp (Secure Copy) or grid-ftp. FTP access to the cluster from outside (and also within the clusters) is disabled for security reasons. 

User accounts are personalized

User accounts are always assigned to a particular person. For a number of reasons, sharing of user accounts between different persons is not permitted; if noticed, it will lead to the account being deactivated by LRZ. All involved parties (including the Master User of the account's project) will be notified with information on the measures needed to rectify the situation.

Firewall, networking

The cluster is protected from certain types of external attacks by a firewall, the configuration of which may impact the functionality of certain applications as described in the following.

X11 Protocol

Direct X11 connections (via xhost or xauth) are prohibited; only ssh tunneling is supported.

Routing

None of the batch nodes in the cluster are by default routed to the outside world.

Electronic mail

We recommend against using the Linux Cluster for mail purposes (apart from having the batch scheduler send mails to you, occasionally).

Environment

Environment settings are controlled via the LRZ module system. Such settings are needed to access specific application program packages, or to properly establish a development environment.

Using the cron or at commands

This is not allowed on the LRZ cluster. Please submit SLURM batch jobs for performing computations.

General Linux System Documentation

As is typical for Linux systems, there are (at least) two formats for the system documentation:

  • man pages

  • info pages