Access Prerequisites

Follow this table to determine what is needed to access classified (SCF), unclassified Collaboration Zone (OCF-CZ) and unclassified Restricted Zone (OCF-RZ) Livermore Computing (LC) systems.

| Going to / Coming from | SCF / LLNL | SCF / LANL/Sandia | SCF / Other DOE | OCF-CZ / LLNL | OCF-CZ / LANL/Sandia | OCF-CZ / Other DOE | OCF-RZ / LLNL | OCF-RZ / LANL/Sandia | OCF-RZ / Other DOE |
|---|---|---|---|---|---|---|---|---|---|
| Valid account on the LC machine(s) you wish to use (see the Accounts Web pages) | X | X | X | X | X | X | X | X | X |
| Network connectivity from your local machine to the LC OCF or SCF network | X | X | X | X | X | X | X | X | X |
| SSH (protocol 2) software installed on your local machine (see Using SSH) | X | X | X | X | X | X | X | X | X |
| LLNL RSA token + PIN | X |  | X | X |  | X |  |  |  |
| RZ RSA token + PIN |  |  |  |  |  |  | X | X | X |
| Virtual Private Network (VPN) account + VPN software |  |  |  |  |  |  |  |  | X |
| Ability to authenticate locally with credential forwarding (kinit -f)* |  | X |  |  | X |  |  | X |  |
* LANL/Sandia users can access LC machines on the SCF, CZ and RZ using their local credentials. See the instructions under the Logging In to LLNL Machines.

Accessing the Collaboration and Restricted Zones offers tips for accessing the CZ and RZ from your desktop or an LC CZ/RZ machine.

Available Resources

LC provides unclassified Open Computing Facility (OCF) and classified Secure Computing Facility (SCF) high performance computing (HPC) resources.

Most information about Los Alamos HPC and Sandia HPC resources requires LANL/Sandia authentication. Request access through Sarape.

OTP (One-Time Passwords, a.k.a. Tokens) for CZ, RZ, and SCF

OCF and SCF users (except for LANL and Sandia on the SCF) authenticate using a PIN and an LLNL RSA token/one-time password (OTP). Additionally, OCF RZ users require a PIN and an RZ RSA token passcode. The LC Hotline will send you an LLNL RSA token and/or RZ RSA token when you are given an account. When you receive your LLNL RSA/RZ RSA token, you must enable it before you can log in. Instructions are provided with your account notification e-mail.

The same RSA token is used for both CZ and SCF; however, a different PIN is used for each network. RSA token information can also be found on the One-Time Password Toolkit page, including token diagnostics and testing.

For specifics on using an RZ RSA token, refer to Technical Bulletin 513, RZ Token and Login Behavior Change. From the RZ Token Self-Help Website, you may change your PIN or resync your RZ RSA token.

SSH and VPN Access

Using SSH to Access LC Machines

Secure Shell (SSH) is the only login method for LC systems. SSH includes SCP or SFTP for file transfers between hosts. For more information on SSH and SCP, SSH access modes, RSA/DSA authentication, and how-tos, see the Secure Shell section of the Introduction to Livermore Computing Resources.

Consult the directions for Connecting to LC Machines with X-Win32 for first-time setup and routine connections via X-Win32 on a Windows PC.

Use the Setting Up SSH Keys guide if you want to access LC production machines using passwordless authentication (only permitted between LC machines).

Currently, LC requires all SSH access to be compatible with SSH protocol 2.

Virtual Private Network (VPN) Access

VPN access is provided for off-site, unclassified access to LC RZ machines. It is required for the following types of access:

  • Employees at home, on travel, or working off-site.
  • Non-employees and collaborators (such as the ASC Alliances) who are physically located outside of LLNL, while using RZ systems.
  • LANL and Sandia users when they are not physically at their lab.

Connecting to LC Machines with X-Win32

The instructions below show how to set up an X-Win32 connection to LC machines.

X-Win32 can be installed on LLNL Windows systems via the LANDesk Software Portal. For assistance with license keys, see the answers.llnl.gov article "How to: Manually add license to X-Win32".

1. Click on the Windows Start Logo, start typing "x-win32" and click on the X-Win32 Desktop app.

2. The X-Win32 Configuration dialog box (below) should appear. Make sure that you are on the "Connections" tab. Then click the "Manual" button to set up a connection. Note: You can also select the Wizard button to be led through the process step by step.

X-Win32 Configuration dialog box window, screenshot

3. A Connection Method dialog box will appear. Select "ssh" and then Next.

Connection Method dialog box window, screenshot

4. In the New Connection dialog box, set up your connection.

Connection Name: the name you want to call this connection - usually the name of the machine
Host: the actual name of the machine - including the .llnl.gov suffix is needed if you are connecting from outside the LLNL domain
Login: your LC username
Command: /usr/bin/xterm - your choice of xterm options - see man page.
Password: leave blank
Confirm Password: leave blank

Then click the Save button.

New Connection Method dialog box window, screenshot

5. You should now see your new connection in the X-Win32 Configuration dialog box. If not, click the My Connections toggle to expand the list. Then select your connection and click the Launch button.

new connection in the X-Win32 Configuration dialog box window, screenshot

6. You may see the Update Host Key dialog box. Click the Accept button to proceed.

Update Host Key dialog box window, screenshot

7. When prompted for a password, enter your LC PIN + OTP token passcode combination.

password window, screenshot

8. If all went well, you should then see a terminal window appear and you will be logged into the machine for this connection.

terminal window, screenshot

Setting Up SSH Keys

Secure Shell (SSH) is used to make a secure connection to LC's production machines. By setting up SSH keys, you can access LC production machines using passwordless authentication. Use of SSH keys is only permitted between LC machines and not from outside the LC network or from desktop office machines.

By default, SSH will authenticate in secure password mode (i.e., when host1 does an SSH to host2 and is prompted for a userid and password, the information will be sent in encrypted form to host2). That way, passwords cannot be "sniffed" or sent "clear text" over the network.

One of the features of SSH is that it allows you to bypass this usual login method (userid/password) by setting up RSA/DSA authentication keys. DSA authentication is used by SSH protocol 2, but both are supported by OpenSSH.

The RSA/DSA key authentication methods allow you to optionally:

  • Improve security even more by requiring a login passphrase, which can be much longer than a typical UNIX password.
  • Relax the need to enter a userid/password. Obviously, there are known security risks with this convenience.

Creating RSA/DSA keys with OpenSSH is a one-time process that can be done as follows:

  1. Execute ssh-keygen -t type where type is either "rsa" or "dsa".
  2. When prompted, enter a passphrase if you want improved security. If you want the convenience of being able to SSH into other LC OpenSSH machines without entering a userid/password, don't enter anything.
  3. After the command completes, cd to your .ssh directory and copy the file that ends in .pub to a file named authorized_keys. This is your public key. For example: cp id_dsa.pub authorized_keys
  4. Because all OCF/SCF machines share the same home directory, you don't need to copy your public key file to each host.
  5. Make sure that your .ssh files are readable only by you.
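
Step 5 can be checked mechanically, which matters because the shared home directory in step 4 makes one loose file visible from every host. The shell functions below are an added example, not part of the LC documentation; the function names are illustrative and the default path $HOME/.ssh is an assumption.

```shell
#!/bin/sh
# Added example (not LC-provided): audit the permissions from step 5.
# Function names are illustrative; DIR defaults to $HOME/.ssh.

# Print every file or directory under DIR (DIR included) that grants any
# permission bit to group or other. Symlinks are skipped because their own
# mode bits are not meaningful. Empty output means the tree is private.
ssh_loose_entries() {
    dir=${1:-"$HOME/.ssh"}
    find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Succeed (exit 0) only when nothing under DIR is accessible to group/other.
ssh_is_private() {
    [ -z "$(ssh_loose_entries "$1")" ]
}

# Restrict DIR to its owner: 0700 on directories, 0600 on regular files.
ssh_tighten() {
    dir=${1:-"$HOME/.ssh"}
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Succeed when FILE contains private-key material, which means the wrong
# file was copied to authorized_keys in step 3.
authorized_keys_has_private() {
    grep -q 'PRIVATE KEY' "${1:-$HOME/.ssh/authorized_keys}"
}

# Typical use on a login node:
#   ssh_is_private || { ssh_loose_entries; ssh_tighten; }
#   authorized_keys_has_private && echo "authorized_keys holds a private key" >&2
```

With its default StrictModes setting, OpenSSH's sshd also checks the ownership and modes of these files before it accepts key-based login, so loose permissions can show up as a key that is silently ignored.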

More about SSH at LC

For a more in-depth treatment of SSH at LC, check out this Confluence page on the subject.

Logging in to LLNL Machines

Login methods vary, depending upon where you are coming from and where you want to go.

CZ systems | RZ systems | CZ web access | RZ web access | SCF systems | SCF web access

The instructions below assume that the Access Prerequisites have been met. All access requires SSH (version 2) as described in Using SSH to Access LC Machines.

Accessing the Collaboration and Restricted Zones offers tips for accessing the CZ and RZ from your desktop or from an LC CZ/RZ machine.

LLNL OCF (Unclassified) Collaboration Zone (CZ) Systems

From Inside LLNL

ssh loginmachine
User ID: LC Username
Password: LLNL PIN + LLNL RSA Token

 

CZ Token
From LANL/Sandia

Begin on a LANL/Sandia iHPC login node. 

For example, at LANL start from ihpc-gate1.lanl.gov; at Sandia start from ihpc.sandia.gov.

Make sure you have a valid Kerberos credential - use the klist -l command.

If in doubt, get a forwardable Kerberos credential by authenticating with the kinit -f command.

Then connect to an LC cluster in the CZ zone using your LC username:

ssh -l lc-username loginmachine.llnl.gov 

No password required

Note: If you experience session time-outs due to inactivity, try adding the following two options to your SSH command: 

-o ServerAliveInterval=60 -o ServerAliveCountMax=30

From Outside LLNL

ssh -l lc-username loginmachine.llnl.gov
User ID: LC Username
Password: LLNL PIN + LLNL RSA token

LLNL OCF (Unclassified) Restricted Zone (RZ) Systems

From Inside LLNL

ssh loginmachine
User ID: LC Username
Password: PIN + RZ RSA token

From LANL/Sandia

Begin on a LANL/Sandia iHPC login node. For example, at LANL start from ihpc-gate1.lanl.gov; at Sandia start from ihpc.sandia.gov.

Connect directly to the RZ login machine using your LC username and RZ credentials:

ssh -l lc_username loginmachine.llnl.gov

Password: PIN + RZ RSA token

Note: If you experience session time-outs due to inactivity, try adding the following two options to your SSH command:
   -o ServerAliveInterval=60 -o ServerAliveCountMax=30

From Outside LLNL

Start VPN

NOTE: If you are unfamiliar with how to use VPN, see: https://access.llnl.gov/vpn/

ssh -l lc-username loginmachine.llnl.gov
Password: RZ PIN + RZ RSA token

LC.llnl.gov Web / Atlassian Access

From Inside LLNL

User ID: LC Username
Password: LLNL PIN + LLNL RSA token

From LANL/Sandia

LANL users: authenticate with your lanl-username@lanl.gov and your LANL CryptoCard password.

Sandia users: authenticate with your sandia-username@dce.sandia.gov and your Sandia CryptoCard password.

NOTE: If you are logging in to GitLab, LANL/Sandia users need to use their LC Username, rather than their local username. You will still use your LANL/Sandia CryptoCard password.

From Outside LLNL

Browse to lc.llnl.gov. You'll need to log in to a "pre-login" page first, and then the LC login page itself. Both use your LC Username + LLNL RSA token.

User ID: LC Username
Password: PIN + LLNL RSA token

RZLC.llnl.gov Web / Atlassian Access

From Inside LLNL

User ID: LC Username
Password: PIN + RZ RSA token

From LANL/Sandia

Begin on a LANL/Sandia iHPC login node. For example, at LANL start from ihpc-gate1.lanl.gov; at Sandia start from ihpc.sandia.gov.

Recommended: start your web browser (Firefox) on the iHPC node for better performance. If you start a browser on an LC RZ machine, the X11 display coming back to LANL/Sandia is slower.

Access the RZ web page of interest, such as:
rzlc.llnl.gov
rzlc.llnl.gov/confluence
rzlc.llnl.gov/gitlab
rzmylc.llnl.gov

When prompted for authentication, use your LC username and RZ RSA PIN + token.

From Outside LLNL

Start VPN

NOTE: If you are unfamiliar with how to use VPN, see: https://access.llnl.gov/vpn/

After VPN has been initiated, log in to RZ.llnl.gov:

User ID: LC Username
Password: RZ PIN + RZ RSA token

LLNL SCF (Classified) Systems

From Inside LLNL

ssh loginmachine
User ID: LC Username
Password: SCF PIN + LLNL RSA token

From LANL

Connect to the classified HPC system, redcap.

Run kinit -f

Then ssh to an LC cluster using your LC username:

ssh -l lc-username loginmachine.llnl.gov
No password required

From Sandia

Connect to local, classified HPC system

Run kinit -f

Then ssh to an LC cluster using your LC username:

ssh -l lc-username loginmachine.llnl.gov
No password required

Other DOE Sites

ssh loginmachine.llnl.gov
User ID: LC Username
Password: SCF PIN + LLNL RSA token, or static SCF password

SCF Web / Atlassian Access

From LLNL

User ID: LC Username
Password: LLNL SRD PIN + LLNL RSA token

From LANL/Sandia

LANL users: authenticate with your lanl-username@lanl.gov and your LANL secure CryptoCard password.

Sandia users: authenticate with your sandia-username@dce.sandia.gov and your Sandia secure CryptoCard password.

NOTE: If you are logging in to GitLab, LANL/Sandia users need to use their LC Username, rather than their local username. You will still use your LANL/Sandia CryptoCard password.

From Outside of Tri-Labs

User ID: LC Username
Password: LLNL SRD PIN + LLNL RSA token

Login Nodes

Whenever you log in to an LC system, you are placed onto a login node. These nodes are dedicated to serving interactive activities such as file editing, launching batch jobs, compiling, file transfer, debugging, and other short duration activities. At any one time, there may be multiple users on a login node.

These nodes should not be used to run parallel and/or production jobs! By doing so, you may seriously degrade the performance of others' interactive work. Be sure to use nodes designated for interactive or batch production work to run jobs.

For more information about the differences between login nodes and nodes designated for production work, please see the Login Nodes section of the "Introduction to Livermore Computing Resources" tutorial and the Running Jobs page on this HPC site.

Logging Into LANL/Sandia Machines

Classified systems: both LANL and Sandia classified Tri-lab systems support Kerberos passwordless SSH access from LLNL.
Unclassified systems: access methods vary between Sandia and LANL.
Please consult the Sandia Access Instructions or the LANL Access Instructions for details.

File Transfers

Files may be transferred using Hopper, SCP, FTP, SFTP, NFT, HSI, or HTAR.  For more details, see the File Transfer and Sharing section of Introduction to Livermore Computing Resources.

Miscellaneous Access Topics

X Terminal Control
For an X client (such as the TotalView debugger) to display on an X-display server (such as your X terminal or workstation), the client must be authorized to connect to the server. XAUTH offers an alternative way to manage this authorization.

Remote Access
An approved Remote Access Request is required for U.S. citizen collaborators (non-LLNL collaborators sponsored by an LLNL employee) for the following remote access accounts: VPN-C, VPN, VPN-B. Requests for remote access are made through the EZid Identity Management System.

Foreign Nationals at LLNL
There are additional access policies and restrictions for Foreign Nationals. See Foreign Nationals at LLNL for details.

Shared Office Facilities
Shared office facilities provided by Livermore Computing are available in Building 453 (authenticated users can visit Shared Office Policies on myconfluence.llnl.gov for specifics of location and policies). The shared offices have workstations that permit access to both the classified (SCF) and unclassified (OCF) networks. They are intended for users that do not have access to the SCF network from their own offices and need a temporary location from which to work. OCF network access is provided primarily as a convenience. For general information regarding access to and use of the shared office facilities, contact the LC Hotline at lc-support@llnl.gov or 422-4531.

Additional Information