Secure Shell (SSH) is the main login method for LC systems, and all OCF and SCF production machines use the OpenSSH implementation. SSH includes SCP or SFTP for file transfers between hosts. For more information on using SSH and SCP, SSH access modes, RSA authentication, and how-tos, see the Secure Shell section of the Introduction to Livermore Computing Resources.

Windows users can connect from the cmd.exe prompt, or similar command-line terminal software. If intending to run a GUI application, it is recommended that users access via VNC. LC also supports the X-Win32 application, which allows both command-line and GUI access.

Currently, LC requires all SSH access to be compatible with SSH protocol 2.

For February 2023 changes to git-over-ssh, see https://hpc.llnl.gov/technical-bulletins/bulletin-552

Using SSH

Connecting to an LC system using ssh opens a Linux terminal: a text-based interface that lets users interact with the remote system by typing commands.

Mac and Linux users

  • SSH is included on Mac and Linux platforms
  • Can simply be used from a terminal window command line. Examples:
ssh joeuser@dane.llnl.gov
ssh -l joeuser elcap.llnl.gov

Windows PC users

We recommend using Xwin32 or VNC Viewer to connect to LC systems. For more information see the following documentation:

Windows 10 provides an OpenSSH client, which can be used from a Command Prompt window or PowerShell window. Note that you will probably need to specify the MAC (authentication) type. If you choose to `ssh` from the command line, you might use the following syntax:

ssh -m hmac-sha2-256 username@quartz.llnl.gov
ssh -m hmac-sha2-512 -l username sierra.llnl.gov

To avoid the need to enter a MAC type each time, simply create a C:\Users\username\.ssh\config file and add the following line to it:

MACs hmac-sha2-256,hmac-sha2-512

X11 Terminals

For an X client (such as the TotalView debugger) to display on an X-display server (such as your X terminal or workstation), the client must be authorized to connect to the server. XAUTH offers an alternative way to manage this authorization.

LC clusters run TOSS, which supports 4 X11-compatible terminals: xterm, xfce4, gnome, and mate. Users often find X11 terminals to be useful tools for interacting with LC systems. They can only be used in conjunction with the user's X11 desktop server, as they are X11 client programs.

  • xterm - very basic X11 terminal with limited functionality. Invoked by typing "xterm" from a Linux terminal.
  • xfce4 terminal - X11 terminal with many user-customizable features. Invoked by typing "xfce4-terminal" from a Linux terminal. This is the default X11 terminal for LC's VNC desktop.
  • gnome terminal - another X11 terminal with many user-customizable features. Invoked by typing "dbus-launch gnome-terminal" from a Linux terminal, or by running "dbus-update-activation-environment --all", then "gnome-terminal".
  • Mate terminal - another X11 terminal with many user-customizable features. Invoked by typing "mate-terminal" from a Linux terminal.

Troubleshooting

SSH Timeouts

If you find that your sessions are being disconnected too quickly due to lack of keyboard interaction, try either of the following:

  • Use the two options below with your ssh command:
-o ServerAliveInterval=60 -o ServerAliveCountMax=30
  • Create a .ssh/config file and include the two lines below in it:
ServerAliveInterval=60
ServerAliveCountMax=30

SSH and X11


There are two ways to run graphical applications on LC systems: you can either connect via VNC or have X11 set up on your desktop.

X11 is a system tool that lets users display output (usually graphical) from a remote computer locally on the desktop. X11 uses a server, an application that runs on your local desktop, such as X-Win32 (Windows 11) or XQuartz (Mac OS), and a client, a program that runs on the remote computer, such as "xterm".

  • Linux: usually automatic - nothing special needs to be done in most cases
  • Macs: you'll need X server software installed. For LLNL computers, XQuartz (www.xquartz.org/) should be available from the software catalog.
  • Windows: you'll need X server software installed. LLNL provides X-Win32, which can be downloaded/installed from your desktop's Ivanti Management software. Xming is a popular, free X server available for non-LLNL systems.
  • Helpful Hints:
    • Make sure your X server is set up to allow tunneling/forwarding of X11 connections BEFORE you connect to the LC host.
    • Often, you need to supply the -X or -Y flag to your ssh command to enable X11 forwarding.
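    • You may also try setting the two parameters below in your .ssh/config file (ForwardX11Trusted=yes is the equivalent of the -Y flag and gives remote X11 clients full access to your local display):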
ForwardX11=yes
ForwardX11Trusted=yes
  • Use the verbose option to troubleshoot problems:
ssh -v [other options] [host]

Setting Up SSH Keys

Secure Shell (SSH) is used to make a secure connection to LC's production machines. By setting up SSH keys, you can access LC production machines using passwordless authentication. When using SSH keys to access LC systems, you must first authenticate into the LC network with an approved two-factor authentication method.

By default, SSH will authenticate in secure password mode (i.e., when host1 does an SSH to host2 and is prompted for a userid and password, the information will be sent in encrypted form to host2). That way, passwords cannot be "sniffed" or sent "clear text" over the network.

One of the features of SSH is that it allows you to bypass this usual login method (userid/password) by setting up RSA authentication keys.

The RSA key authentication methods allow you to optionally:

  • Improve security even more by requiring a login passphrase, which can be much longer than a typical UNIX password.
  • Relax the need to enter a userid/password. Obviously, there are known security risks with this convenience.

Creating an RSA key with OpenSSH on an LC system

The following commands will set up an SSH key for use within LC systems. Users should create a separate key for any external systems (such as a local laptop or desktop system).

  1. Run the command: ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa
    1. This will create a key, which is stored in the files ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key). This key does not have a passphrase.
  2. Run the command: ssh-copy-id `hostname`
    1. This will install the key in the current LC zone, allowing password-less connections to other systems in the same zone.
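
The key created in step 1 has no passphrase, so it is useful to be able to tell which private key files are stored unprotected. The Python script below is an added example, not part of the original LC documentation: it reads the cipher and KDF names from the OpenSSH private-key header (and the older PEM markers) to separate the two cases. The function names are hypothetical and the sample keys are constructed header-only blobs, not usable keys.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length + bytes) at off."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n


def has_passphrase(text):
    """True if the private key text is passphrase-protected, False if not."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines and lines[0] == BEGIN:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, off = _ssh_string(blob, len(MAGIC))
        kdf, _ = _ssh_string(blob, off)
        # Unprotected keys record cipher "none" and KDF "none".
        return not (cipher == b"none" and kdf == b"none")
    if lines and lines[0].startswith("-----BEGIN") and "PRIVATE KEY" in lines[0]:
        # Older PEM containers: PKCS#8 says ENCRYPTED in the armor line,
        # traditional PEM adds a "Proc-Type: 4,ENCRYPTED" header.
        return "ENCRYPTED" in lines[0] or any(
            ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    raise ValueError("not a recognised private key file")


def constructed_sample(cipher, kdf):
    """Build a header-only sample (constructed; not a usable key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = (MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(b"constructed-public") + s(b"constructed-private"))
    return "\n".join([BEGIN, base64.b64encode(blob).decode(), END])


if __name__ == "__main__":
    for cipher, kdf in [(b"none", b"none"), (b"aes256-ctr", b"bcrypt")]:
        sample = constructed_sample(cipher, kdf)
        print(cipher.decode(), "->", has_passphrase(sample))
```

To check a real file, pass its contents to has_passphrase, for example the text of ~/.ssh/id_rsa; the function only reads the header and never handles the passphrase itself.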

For a more in-depth treatment of configuring SSH to connect to LC systems, check out this internal webpage on the subject (on-site/VPN required).