Access Prerequisites

Follow this table to determine what is needed to access classified (SCF), unclassified Collaboration Zone (OCF-CZ) and unclassified Restricted Zone (OCF-RZ) Livermore Computing (LC) systems.

Going to 

SCF

OCF-CZ

OCF-RZ

Coming from 

LLNL

LANL/
Sandia

Other DOE

LLNL

LANL/
Sandia

Other
DOE

LLNL

LANL

Sandia

Other
DOE

Valid account on the LC machine(s) you wish to use (see the Accounts Web pages)
X
X
X
X
X
X
X
X
X
X
Network connectivity from your local machine to the LC OCF or SCF network
X
X
X
X
X
X
X
X
X
X
SSH (protocol 2) software installed on your local machine (see Using SSH)
X
X
X
X
X
X
X
X
X
X
LLNL RSA token + PIN
X

 

X
X

 

X

 

 

 

 

RZ RSA token + PIN

 

 

 

 

 

 

X
 
X
X
Virtual Private Network (VPN) account + VPN software  

 

 

 

 

 

 

 

 
X
Ability to authenticate locally with credential forwarding (kinit -f)*

 

X

 

 

X

 

X
X
 

 

* LANL/Sandia users can access LC machines on the SCF, CZ and RZ using their local credentials. See the instructions under the Logging In to LLNL Machines.

Accessing the Collaboration and Restricted Zones offers tips for accessing the CZ and RZ from your desktop or an LC CZ/RZ machine.

Available Resources

LC provides unclassified Open Computing Facility (OCF) and classified Secure Computing Facility (SCF) high performance computing (HPC) resources.

Most information about Los Alamos HPC and Sandia HPC resources requires LANL/Sandia authentication. Request access through Sarape.

OTP (One-Time Passwords, a.k.a. Tokens) for CZ, RZ, and SCF

OCF and SCF users (except for LANL and Sandia on the SCF) authenticate using a PIN and an LLNL RSA token/one-time password (OTP). Additionally, OCF RZ users require a PIN and a RZ RSA token passcode. The LC Hotline will send you an LLNL RSA token and/or RZ RSA token when you are given an account. When you receive your LLNL RSA/RZ RSA token, you must enable it before you can log in. Instructions are provided with your account notification e-mail.

The same RSA token is used for both CZ and SCF; however, a different PIN is used for each network. RSA token information can also be found on One-Time Password Toolkit page, including token diagnostics and testing.

For specifics on using a RZ RSA token, refer to Technical Bulletin 513, RZ Token and Login Behavior Change. From the RZ Token Self-Help Website, you may change your PIN or resync your RZ RSA token.

SSH and VPN Access

Using SSH to Access LC Machines

Secure Shell (SSH), is the only login method for LC systems. SSH includes SCP or SFTP for file transfers between hosts. For more information on SSH and SCP, SSH access modes, RSA authentication, and how-tos, see the Secure Shell section of the Introduction to Livermore Computing Resources.

Consult the directions for Connecting to LC Machines with X-Win32 for first-time setup and routine connections via X-Win32 on a Windows PC.

Use the Setting Up SSH Keys guide if you want to access LC production machines using passwordless authentication (only permitted between LC machines)

Currently, LC requires all SSH access to be compatible with SSH protocol 2.

For February 2023 changes to git-over-ssh, see https://hpc.llnl.gov/technical-bulletins/bulletin-552

Virtual Private Network (VPN) Access

VPN access is provided for off-site, unclassified access to LC RZ machines. It is required for the following types of access:

  • Employees at home, on travel, or working off-site.
  • Non-employees and collaborators (such as the ASC Alliances) who are physically located outside of LLNL, while using RZ systems.
  • LANL and Sandia users when they are not physically at their lab.

Connecting to LC Machines with X-Win32

The instructions below show how to setup an X-Win32 connection to LC machines.

X-Win32 can be installed on LLNL Windows systems via the LANDesk Software Portal. For assistance with license keys, see the answers.llnl.gov article "How to: Manually add license to X-Win32"
1. Click on the Windows Start Logo, start typing "x-win32" and click on the X-Win32 Desktop app.

2. The X-Win32 Configuration dialog box (below) should appear. Make sure that you are on the "Connections" tab. Then click the "Manual" button to setup a connection. Note: You can also select the Wizard button to be led through the process step by step.

X-Win32 Configuration dialog box window, screenshot
X-Win config window

3. A Connection Method dialog box will appear. Select "ssh" and then Next.

Connection Method dialog box window, screenshot
Connection Method dialog box

4. In the New Connection dialog box, setup your connection.

Connection Name: the name you want to call this connection - usually the name of the machine
Host: the actual name of the machine - including the .llnl.gov suffix is needed if you are connecting from outside the LLNL domain
Login: your LC username
Command: /usr/bin/xterm - your choice of xterm options - see man page.
Password: leave blank
Confirm Password: leave blank

Then click the Save button.

New Connection Method dialog box window, screenshot
New Connection dialog box

5. You should now see your new connection in the X-Win32 Configuration dialog box. If not, click the My Connections toggle to expand the list. Then select your connection and click the Launch button.

new connection in the X-Win32 Configuration dialog box window, screenshot
X-Win32 Configuration dialog box

6. You may see the Update Host Key dialog box. Click the Accept button to proceed.

Update Host Key dialog box window, screenshot
Update Host Key dialog box.

7. When prompted for a password, enter your LC PIN + OTP token passcode combination.

password window, screenshot
Password dialog

8. If all went well, you should then see a terminal window appear and you will be logged into the machine for this connection.

terminal window, screenshot
terminal window

Setting Up SSH Keys

Secure Shell (SSH) is used to make a secure connection to LC's production machines. By setting up SSH keys, you can access LC production machines using passwordless authentication. Use of SSH keys is only permitted between LC machines and not from outside the LC network or from desktop office machines.

By default, SSH will authenticate in secure password mode (i.e., when host1 does an SSH to host2 and is prompted for a userid and password, the information will be sent in encrypted form to host2). That way, passwords cannot be "sniffed" or sent "clear text" over the network.

One of the features of SSH is that it allows you to bypass this usual login method (userid/password) by setting up RSA authentication keys. 

The RSA key authentication methods allow you to optionally:

  • Improve security even more by requiring a login passphrase, which can be much longer than a typical UNIX password.
  • Relax the need to enter a userid/password. Obviously, there are known security risks with this convenience.

Creating RSA keys with OpenSSH is a one-time process that can be done as follows:

  1. Execute ssh-keygen -t rsa -b 4096
  2. When prompted, enter a passphrase if you want improved security. If you want the convenience of being able to SSH into other LC OpenSSH machines without entering a userid/password, don't enter anything.
  3. After the command completes, cd to your .ssh file and copy the file that ends in .pub to a file named authorized_keys. This is your public key. For example: cp id_rsa.pub authorized_keys
  4. Because all OCF/SCF machines share the same home directory, you don't need to copy your public key file to each host.
  5. Make sure that your .ssh files are readable only by you.

More about SSH at LC

For a more in-depth treatment of SSH at LC, check out this Confluence page on the subject.

Logging in to LLNL Machines

Login methods vary, depending upon where you are coming from and where you want to go.

CZ systems | RZ systems | CZ web access | RZ web access | SCF systems | SCF web access

The instructions below assume that the Access Prerequisites have been met. All access requires SSH (version 2) as described in Using SSH to Access LC Machines.

Accessing the Collaboration and Restricted Zones offers tips for accessing the CZ and RZ from your desktop or from an LC CZ/RZ machine.

Logging in to LLNL OCF (Unclassified) Collaboration Zone (CZ) Systems

From Inside LLNL

ssh loginmachine
User ID: LC Username
Password: LLNL PIN + LLNL RSA Token

 

CZ Token
From LANL/Sandia

Begin on a LANL/Sandia iHPC login node. 

For example, at LANL start from ihpc-gate1.lanl.gov; at Sandia start from ihpc.sandia.gov.

Make sure you have a valid kerberos credential - use the klist -l command.

If in doubt, get a forwardable kerberos credential by authenticating with the kinit -f command.

Then connect to an LC cluster in the CZ zone using your LC username:

ssh -l lc-username loginmachine.llnl.gov 

No password required

Note: If you experience session time-outs due to inactivity, try adding the following two options to your SSH command: 

-o ServerAliveInterval=60 -o ServerAliveCountMax=30
From Outside LLNL ssh -l lc-username loginmachine.llnl.gov
User ID: LC Username
Password: LLNL PIN + LLNL RSA token
 
CZ Token

Logging in to LLNL OCF (Unclassified) Restricted Zone (RZ) Systems

From Inside LLNL

ssh loginmachine
User ID: LC Username
Password: PIN + RZ RSA token

 

RZ token
From LANL

Start from ihpc-gate1.lanl.gov

Make sure you have a valid kerberos credential - use the klist -l command.

If in doubt, get a forwardable kerberos credential by authenticating with the kinit -f command.

Execute the reticket command:

[moniker@ihpc-gate1 ~]$ reticket

Need to generate Turquoise Kerberos ticket...

Enter OTP Token Value: < LANL CryptoCard token value >

Then connect to an LC cluster in the RZ zone using your LC username:

ssh -l lc-username loginmachine.llnl.gov 

No password required

Note: If you experience session time-outs due to inactivity, try adding the following two options to your SSH command: 

-o ServerAliveInterval=60 -o ServerAliveCountMax=30
From Sandia

Start from ihpc.sandia.gov

Connect directly to the RZ login machine using your LC username and RZ credentials:

ssh -l lc_username loginmachine.llnl.gov

Password: PIN + RZ RSA token

RZ Token

Note: If you experience session time-outs due to inactivity, try adding the following two options to your SSH command:
   -o ServerAliveInterval=60 -o ServerAliveCountMax=30

From Outside LLNL

Start VPN

NOTE If unfamiliar with how to VPN, see: https://access.llnl.gov/vpn/
ssh -l lc-username loginmachine.llnl.gov
Password: RZ PIN + RZ RSA token

RZ token

Logging in to LC.llnl.gov Web : Confluence / Jira / GitLab

From Inside LLNL

User ID: OUN
Password: LLNL PIN + LLNL RSA token

CZ Token

CZ Confluence, Jira, and GitLab will all share an authentication session - i.e., signing in to one will get you into the others without any additional authentication.

Image
Screenshot of CZ login panel
New CZ login window

For users with multiple LC identities, such as service user accounts, the login process will now include a separate step to select the LC identity you wish to login with:

Image
Screenshot of username submission panel
New identity selection window

 

MyLC and JupyterHub currently require a separate authentication using LC Username and LLNL PIN + LLNL RSA token.

From LANL/Sandia

New login page will have a OneID button which leads to local site's OneID page allowing authentication with site MFA.

Image
Screenshot of CZ login panel
New login page

CZ Confluence, Jira, and GitLab will all share an authentication session - i.e., signing in to one will get you into the others without any additional authentication.

For users with multiple LC identities, such as service user accounts, the login process will now include a separate step to select the LC identity you wish to login with:

Image
Screenshot of username submission panel
New identity selection window

 

From Outside LLNL

Browse to lc.llnl.gov, you'll need to log in to a "pre-login" page first, and then the LC login page itself. Both use your OUN + LLNL RSA token.

User ID: OUN
Password: PIN + LLNL RSA token

 

CZ Token

Logging into RZLC.llnl.gov Web : Confluence / Jira / GitLab

From Inside LLNL or Sandia

User ID: OUN
Password: PIN + RZ RSA token

 

Image
RZ token
RZ Token

 

Image
Screenshot of RZ login panel
New login panel
From LANL

New login page will have button pointing to LANL's OneID page, allowing authentication with LANL MFA.

 

Image
Screenshot of RZ login panel
New login panel
From Outside LLNL

Start VPN

NOTE If unfamiliar with how to VPN, see: https://access.llnl.gov/vpn/

After VPN has been initiated, login to RZ.llnl.gov:

User ID: LC Username
Password: RZ PIN + RZ RSA token

RZ token

Logging into LLNL SCF (Classified) Systems

From Inside LLNL ssh loginmachine
User ID: LC Username
Password: SCF PIN + LLNL RSA token
 
CZ Token
From LANL

Connect to the classified HPC system, redcap.

Run kinit -f

Then ssh to an LC cluster using your LC username:

ssh -l lc-username loginmachine.llnl.gov
No password required

From Sandia

Connect to local, classified HPC system

Run kinit -f

Then ssh to an LC cluster using your LC username:

ssh -l lc-username loginmachine.llnl.gov
No password required

Other DOE Sites ssh loginmachine.llnl.gov
User ID: LC Username
Password: SCF PIN + LLNL RSA token
 
LLNL RSA Token

  or
Static SCF password

Logging into SCF Web / Atlassian 

From LLNL

User ID: LC Username
Password: LLNL SRD PIN + LLNL RSA token

 

CZ Token
From LANL/Sandia

LANL users: authenticate with your

lanl-username@lanl.gov

and your LANL secure CryptoCard password.


Sandia users: authenticate with your

sandia-username@dce.sandia.gov

and your Sandia secure CryptoCard password.

NOTE: If you are logging in to GitLab, LANL/Sandia users need to use their LC Username, rather than their local username. You will still use your LANL/Sandia CryptoCard password.

From Outside of Tri-Labs

User ID: LC Username
Password: LLNL SRD PIN + LLNL RSA token

CZ Token

Login Nodes

Whenever you log in to an LC system, you are placed onto a login node. These nodes are dedicated to serving interactive activities such as file editing, launching batch jobs, compiling, file transfer, debugging, and other short duration activities. At any one time, there may be multiple users on a login node.

These nodes should not be used to run parallel and/or production jobs! By doing so, you may seriously degrade the performance of others' interactive work. Be sure to use nodes designated for interactive or batch production work to run jobs.

For more information about the differences between login nodes and nodes designated for production work, please see the Login Nodes section of the "Introduction to Livermore Computing Resources" tutorial and the Running Jobs page on this HPC site.

Logging Into LANL/Sandia Machines

Classified systems: both LANL and Sandia classified Tri-lab systems support Kerberos passwordless SSH access from LLNL.
Unclassified systems: access methods vary between Sandia and LANL.
Please consult the Sandia Access Instructions or the LANL Access Instructions for details.

File Transfers

Files may be transferred using Hopper, SCP, FTP, SFTP, NFT, HSI, or HTAR.  For more details, see the File Transfer and Sharing section of Introduction to Livermore Computing Resources.

Miscellaneous Access Topics

X Terminal Control
For an X client (such as the TotalView debugger) to display on an X-display server (such as your X terminal or workstation), the client must be authorized to connect to the server. XAUTH offers an alternative way to manage this authorization.

Remote Access
An approved Remote Access Request is required for U.S. citizen collaborators (non-LLNL collaborators sponsored by an LLNL employee) for the following remote access accounts: VPN-C, VPN, VPN-B. Requests for remote access are made through the EZid Identity Management System.

Foreign Nationals at LLNL
There are additional access policies and restrictions for Foreign Nationals. See Foreign Nationals at LLNL for details.

Shared Office Facilities
Shared office facilities provided by Livermore Computing are available in Building 453 (authenticated users can visit Shared Office Policies on myconfluence.llnl.gov for specifics of location and policies). The shared offices have workstations that permit access to both the classified (SCF) and unclassified (OCF) networks. They are intended for users that do not have access to the SCF network from their own offices and need a temporary location from which to work. OCF network access is provided primarily as a convenience. For general information regarding access to and use of the shared office facilities, contact the LC Hotline at lc-support@llnl.gov or 422-4531.

Additional Information