On March 1, 2023, improvements were made which alter how open-side connections with SNL and LANL are performed. This is part of the ongoing Remote Computing Enablement (RCE) effort to improve the user experience for our customers at our sister NNSA laboratories as well as LLNL users computing at remote laboratories.
The most recent change was LC establishing trust with the new HPC Kerberos realm at LANL. This means that LANL and LLNL restricted unclassified users (LLNL RZ and LANL RE) can ssh passwordlessly across these networks with a Kerberos credential from their local site. It also means users in the LLNL RZ can ssh into the LANL RE in the same fashion. This completes the capability upgrade such that LC’s RZ now accepts LANL credentials for both ssh and web access, meaning LANL users will no longer need RZ RSA tokens.
Our hope is to extend this same capability to Sandia. Until that is completed, there are some additional user impacts.
User Impacts
- Users wishing to transfer data from the CZ to LANL or SNL will need to use a “pull” from the LANL/SNL host rather than a “push” operation from the CZ host. E.g., “scp lassen:/tmp/example.txt /tmp/example.txt” from a tri-lab host, rather than “scp /tmp/example.txt ihpc-gate:/tmp/example.txt” from a CZ host.
- CZ users wishing to use git to interact with a LANL or SNL repo will need to use git-over-https.
- Users who previously accessed LANL or SNL resources via Kerberos + SSH on the CZ will now need to either do that operation on the RZ, or else use a different access path such as git-over-https.