Connecting

Connecting for the first time

All connections to OLCF resources are done via Secure Shell (ssh). SSH encrypts the entire session between the user connecting and the OLCF systems and avoids risks associated with using plain-text communication.

Note

To access OLCF systems, your SSH client must support SSH protocol version 2 (this is common) and allow keyboard-interactive authentication.

For UNIX-based SSH clients, the following line should be in either the default ssh_config file or your $HOME/.ssh/config file:

PreferredAuthentications keyboard-interactive,password

The line may also contain other authentication methods but keyboard-interactive must be included.

SSH clients are available for Windows-based systems, such as SecureCRT published by VanDyke software. For recent SecureCRT versions, the preferred authentication setting shown above can be made through the “connection properties” menu.

Note

SSH multiplexing is disabled on all of the OLCF’s user-facing systems. Users will receive an error message if they attempt to connect to an OLCF resource that tries to reuse an SSH control path. To ensure SSH connections will not attempt multiplexing, you will need to modify your $HOME/.ssh/config file by adding the following:

Host *.ccs.ornl.gov
  ControlMaster no
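An added example (not OLCF-provided code) that audits a client configuration for the two settings required above: keyboard-interactive in PreferredAuthentications, and no multiplexing. SAMPLE_CONFIG is constructed for illustration; resolving it for two hostnames listed on this page shows that a host outside the *.ccs.ornl.gov pattern still inherits a global ControlMaster setting.

```python
import fnmatch
import re

# Constructed sample of a $HOME/.ssh/config (not from a real user).
SAMPLE_CONFIG = """\
Host *.ccs.ornl.gov
  ControlMaster no

Host *
  ControlMaster auto
  ControlPath ~/.ssh/cm-%r@%h:%p
  PreferredAuthentications publickey,password
"""

LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")

def effective_options(config_text, hostname):
    """Resolve options as ssh_config does: for each keyword the first value
    obtained wins. Simplification: Match and Include are not handled."""
    host = hostname.lower()
    options, applies = {}, True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # blank line or comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            pats = value.lower().split()
            hit = any(fnmatch.fnmatchcase(host, p) for p in pats if not p.startswith("!"))
            veto = any(fnmatch.fnmatchcase(host, p[1:]) for p in pats if p.startswith("!"))
            applies = hit and not veto
        elif applies:
            options.setdefault(key, value)
    return options

def audit(config_text, hostname):
    """Return findings for the two client settings this page requires."""
    opts = effective_options(config_text, hostname)
    findings = []
    # Unset means the OpenSSH default list, which includes keyboard-interactive.
    methods = opts.get("preferredauthentications")
    if methods is not None and "keyboard-interactive" not in methods.lower().split(","):
        findings.append("keyboard-interactive missing from PreferredAuthentications")
    if opts.get("controlmaster", "no").lower() != "no":  # OpenSSH default is "no"
        findings.append("ControlMaster is not 'no'")
    return findings
```

On a real client, `ssh -G hostname` prints the configuration OpenSSH would actually apply, including Match and Include handling that this sketch omits.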

With an active user account, you’ll be able to log into any of the systems allocated to your project(s). All OLCF resources (except the Ascent training system) require two-factor authentication. This means you will need an OLCF-provided RSA SecurID fob to log into any of the systems.

Activating a new SecurID fob

  1. Initiate an SSH connection to username@home.ccs.ornl.gov.
  2. When prompted for a PASSCODE, enter the 6-digit code shown on the fob.
  3. You will be asked if you are ready to set your PIN. Answer with “Y”.
  4. You will be prompted to enter a PIN. Enter a (4) to (6) digit number you can remember. You will then be prompted to re-enter your PIN.
  5. Allow the 6-digit code to change (codes regenerate every 30 seconds). Once the (6) digits on your fob change, enter your PIN followed by the new (6) digits displayed on the fob.
  6. Your PIN is now set, and your fob is activated for login to other OLCF systems.

Once activated, the RSA SecurID fob can be used to access OLCF systems. When initiating an SSH connection to a system, you will be prompted to enter your PASSCODE. Simply enter your PIN followed by the (6) digit code shown on your SecurID fob and press enter. For example, if your PIN is 1234 and the (6) digits on the fob are 000987, you would enter 1234000987 when prompted for a PASSCODE.

Note

The 6-digit code displayed on the SecurID fob can only be used once. If prompted for multiple PASSCODE entries, always allow the code to change between attempts. Re-using a code can cause your account to be automatically locked.

If you are an ORNL employee and are using an ORNL-distributed (not OLCF-distributed) SecurID fob, there is no need to follow the activation steps listed above. You may log into OLCF systems using your existing ORNL PIN + 6-digit tokencode.

PINs, Passcodes, and Tokencodes

When users connect with RSA SecurID tokens, they are most often prompted for a PASSCODE. Sometimes, they are instead prompted for a PIN (typically only on initial setup) and other times they might be prompted to wait for the tokencode to change and enter the new tokencode. What do these terms mean?

The TOKENCODE is the 6-digit number generated by the RSA token.

The PIN is a (4) to (8)-digit number selected by the user when they initially set up their RSA token.

The PASSCODE is simply the user’s PIN followed by the current tokencode.

These are relatively straightforward; however, there can be some confusion on initial setup. The first time a user connects with a new token (or, if for some reason the user requested that we clear the PIN associated with their token) they are prompted for a PASSCODE but in reality only enter a tokencode. This is because during this initial setup procedure a PIN does not exist. Since there is no PIN, the PASSCODE is the same as the tokencode in this rare case.

X11 Forwarding

Automatic forwarding of the X11 display to a remote computer is possible with the use of SSH and a local (e.g. on your desktop) X server. To set up automatic X11 forwarding within SSH, you can do one of the following:

1) Invoke ssh on the command line with:

$ ssh -X hostname

Note that use of the -x option (lowercase) will disable X11 forwarding.

2) Edit (or create) your $HOME/.ssh/config file to include the following line:

ForwardX11 yes

All X11 data will go through an encrypted channel. The $DISPLAY environment variable set by SSH will point to the remote machine with a port number greater than zero. This is normal, and happens because SSH creates a proxy X server on the remote machine for forwarding the connections over an encrypted channel. The connection to the real X server will be made from the local machine.

Warning

Users should not manually set the $DISPLAY environment variable for X11 forwarding; a non-encrypted channel may be used in this case.

Systems Available to All Projects

OLCF System Hostnames

System Name Full Hostname Hostkey Fingerprints
Home (machine) home.ccs.ornl.gov
  • RSA MD5: ba:12:46:8d:23:e7:4d:37:92:39:94:82:91:ea:3d:e9
  • RSA SHA256: FjDs4sRAX8hglzA7TVkK22NzRKsjhDTTTdfeEAHwPEA
  • ECDSA MD5: 8a:92:0f:31:4d:38:2d:2c:ec:7d:53:ce:8b:46:73:d6
  • ECDSA SHA256: 0hc6SDou8vauFWgOaeXKUmhDSmKK8roj9jWpapV4qzc
Data Transfer Nodes dtn.ccs.ornl.gov
  • RSA MD5: d1:c5:84:5b:88:d3:0e:81:33:a7:c2:5f:8a:09:b2:7f
  • RSA SHA256: xAIWJhey/RCjetTR4Hll2GNE9WwCNrMUEOdyDhIeHeE
  • ECDSA MD5: bd:52:af:c3:8b:ad:a3:30:4f:28:75:9c:79:84:68:cd
  • ECDSA SHA256: ITEbdZ0ddYNJJehefOh+/0JMgSvHwClpr+P+kak58Xc
Summit summit.olcf.ornl.gov
  • RSA MD5: 08:d0:fe:3f:f3:41:96:9c:ae:73:73:a8:92:6c:79:34
  • RSA SHA256: nA7X4qyPvtEpXWxG5MDeXEC8xfpmm0UMiLq/LkgM33I
  • ECDSA MD5: cf:32:f9:35:fd:3f:2a:0f:ed:d3:84:b1:2d:f0:35:1b
  • ECDSA SHA256: m0iF9JJEoJu6jJGA8FFbSABlpKFYPGKbdmi25rFC1AI
SummitDev summitdev.ccs.ornl.gov
  • RSA MD5: 47:4a:ae:30:be:ff:55:87:b8:c1:33:a2:34:3a:00:16
  • RSA SHA256: qlOwMg8uFFZqRYvrasGNHuutditwOFU/ydXcDNciJHs
  • ECDSA MD5: 61:12:39:7d:3f:09:0e:d6:38:63:35:a2:cc:d0:f9:44
  • ECDSA SHA256: LFmcA7m6BIMjTyrNnQGkgwxTK9QQkjud20wVn4QNDlQ
Rhea rhea.ccs.ornl.gov
  • RSA MD5: 17:4a:49:f8:37:e2:1b:7c:b5:23:b3:5c:64:3a:c5:07
  • RSA SHA256: R9/5L+ZQ9+pR/jThxbLmmmxBtxRfVt3MsEGPEhv1uTQ
  • ECDSA MD5: e4:a4:b4:4a:24:bf:53:e0:9a:c4:10:9f:9f:3a:ec:f4
  • ECDSA SHA256: F92QU1abt3tN2cgYwONJla0MoyV0srD3mNoyoFe5Cxo

Occasionally, you may receive an error message upon logging in to a system such as the following:

@@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

This can be a result of normal system maintenance that results in a changed RSA public key, or could be an actual security incident. If the RSA fingerprint displayed by your SSH client does not match the OLCF-authorized RSA fingerprint (shown in the table above) for the machine you are accessing, do not continue authentication; instead, contact help@olcf.ornl.gov.
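An added example (not OLCF-provided code) showing how the two fingerprint styles in the table above are derived from a host's public key, so a key offered by a server can be compared with the published value before authenticating. The input is one line in the `host keytype base64blob` layout that `ssh-keyscan` and known_hosts use; the host name `host.example` and the key bytes are constructed placeholders, not a real host key.

```python
import base64
import hashlib
import struct

def fingerprints(keyscan_line):
    """Compute both fingerprint styles from one 'host keytype base64blob' line."""
    _host, key_type, blob_b64 = keyscan_line.split()[:3]
    blob = base64.b64decode(blob_b64, validate=True)
    md5_hex = hashlib.md5(blob).hexdigest()
    return {
        "type": key_type,
        # MD5 style: 16 colon-separated hex bytes
        "MD5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        # SHA256 style: base64 of the digest with '=' padding stripped
        "SHA256": base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }

def matches_published(keyscan_line, algo, published):
    """True only if the offered key's fingerprint equals the published one."""
    algo = algo.upper()
    if algo not in ("MD5", "SHA256"):
        raise ValueError("unsupported fingerprint algorithm")
    actual = fingerprints(keyscan_line)[algo]
    if algo == "MD5":
        return actual == published.strip().lower()
    return actual == published.strip().rstrip("=")

def constructed_line(host, seed):
    """Constructed sample: an ed25519-shaped blob of dummy bytes, not a usable key."""
    name = b"ssh-ed25519"
    key = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    published = fingerprints(constructed_line("host.example", 0))
    offered = constructed_line("host.example", 1)  # a different key for the same name
    print(published)
    print("offered key matches:", matches_published(offered, "SHA256", published["SHA256"]))
```

The fingerprint covers only the key blob, so the same comparison works for the RSA and ECDSA keys listed in the table.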

Checking System Availability

The OLCF home page includes a current status listing and scheduled downtimes for our major compute and storage resources. This information also has a dedicated Center Status page.