TeraGrid [ User Support: Access: SSH/GSI-SSH ]

Learn About the TeraGrid

TeraGrid News

Education & Training

Science Gateways

User Support & Documentation

	User Support & Documentation
	Resize This Text A A A Using SSH/GSI-SSH on the TeraGrid Home > User Support > Access > SSH/GSI-SSH On this page Logging in using SSH (general syntax) SSH with key pairs Site-specific login instructions Using GSI-enabled SSH Related Links Accessing TeraGrid Overview Your Accounts (My TeraGrid tab in Portal) List of Resources (Resource Catalog) Log on to Individual Resources Teragrid User Portal SSO from TeraGrid Command Line SSO from your Desktop (Windows) SSO from Your Desktop (Linux/Mac OSX) SSO for non-Default Certificates Understanding Authentication on the TeraGrid SSH Web site Need Help? Phone Toll-free 1.866.907.2383 Submit a Ticket (online form -- fastest) Submit a Ticket via email TeraGrid Knowledge Base Once you obtain your allocation award, the first thing you'll need to know is how to log in to the TeraGrid. Whether you log in to a single compute resource or data login node, or decide to use Single Sign-on to access multiple resources from the command line, you'll be using some form of Secure Shell version 2 (ssh). For logging in to a single resource, you'll need the hostname of the target machine (list of hostnames), the username that came in your account information packet and the password for that resource or a public key that you generate. See the sections below on syntax for using a password or the procedure for setting up authentication with key pairs. To find a hostname, go to the "Compare compute resources" page in the TeraGrid Resources Catalog page. Under A., select the name of the resource you wish to see, and under B., select the "Host Name" checkbox. All TeraGrid resources require SSH version 2. Please make sure your SSH client supports this version. Syntax for Authenticating with SSH Password All TeraGrid sites use SSH version 2. The general syntax for logging in using SSH is: ssh <username>@<hostname> or ssh -l <username> <hostname> For many sites, the hostname takes the form: tg-login<n>@<site-specificname>.teragrid.org List of hostnames The commands above work for logging in to a TeraGrid machine from a non-TeraGrid machine or between TeraGrid machines. Please note: if you experience problems with ssh, make sure that the .ssh/config file has been removed or renamed. The requirement for this file has changed due to changes in ssh as of 3/15/2004. SSH with Key Pairs and Passphrase To set up for ssh login using key pairs, you must generate an ssh key pair on the machine from which you will be logging on to the TeraGrid site of choice. The PRIVATE key of that pair will remain in a secure location on your machine of origin. The PUBLIC key of the pair must be moved to the proper location on the TeraGrid machine. You must request by email to have the PUBLIC key added to your account at each site. Generate a key pair consisting of ~/.ssh/id_rsa (the private key; keep it private and do not send it to anyone) and ~/.ssh/id_rsa.pub (the public key): On a UNIX machine, run 'ssh-keygen.' If asked to supply -t <type>, use ssh-keygen -t rsa. Use the default file name (~/.ssh/id_rsa). Enter a passphrase when prompted; follow the guidelines for picking a good password in general. Unlike UNIX passwords in which (at least in many UNIXes) only the first eight characters are really used, ssh passphrases can be any length, and the longer the better. Remember this passphrase. Add your keys to the ssh-agent's memory via 'ssh-add', followed by your passphrase Send an email request to have your ssh public key added to help@teragrid.org, with the subject line "Attn: <sitename> Account Management". In the body, include your phone number and a note saying that you wish your public key to be added. Someone from support at that site will contact you and arrange to have your ssh public key installed. Log in to TeraGrid: ssh <username>@tg-login.<sitename>.teragrid.org SSH will prompt you for the passphrase that you used to create the key pair. SSH Instructions for Individual Sites SSH v2 with password: SDSC, NCSA, PSC SSH v2 with public key/passphrase: IU, NCSA, PSC, SDSC, UC/ANL (ETF2 sites to be announced: Purdue \| ORNL \| TACC) TACC As soon as you receive your Account Information Packet from TeraGrid, go to the TACC account activation page to activate your account on TACC systems. Using the login information included in your packet, you will set a new password and specify a security question and answer to be used if you forget your password. You will not be able to login to TACC systems before activating your account. Examples of a command line to log in at TACC: ssh @ranger.tacc.teragrid.org ssh @tg-login.lonestar.tacc.teragrid.org ssh @tg-viz-login.tacc.teragrid.org Use the TACC password change page to change your password on TACC systems. If you forget your password, use the TACC password reset page to reset your password on TACC systems. In order to reset your password, you will need to correctly answer the security question you provided when activating your account at TACC. If you are unable to answer your security question, please contact the Help Desk for further assistance. IU ssh at IU uses public keys for authentication. IU does not giveout passwords for the TeraGrid. See the steps above. In the email request to help@teragrid.org to have your ssh public key added (step 2), use the subject line "Attn: IU Account Management." To log in to IU TeraGrid: ssh <username>@tg-login1.iu.teragrid.org SSH will prompt you for the passphrase that you used to create your key. Note: If you wish to use gsiSSH and Grid Credentials as your initial or only authentication method to the IU cluster (i.e., to bypass initial login with SSH, adding public keys, or using gx-map to have your DN added to the gridmapfile), please e-mail your DN: To: help@teragrid.org Subject: Attn: IU Account Management IU Site Specific information IU FAQ Most of the above login-related information plus MORE (SSH key-gen for Windows SSH/Putty users, etc.) is available here. NCSA As soon as you receive your Account Information Packet from TeraGrid, go to the Kerberos page to change your NCSA password. If this is not done within 30 days of account creation, the account will be disabled and require a Help Desk ticket to reactivate. Example of a command line to log in at NCSA: ssh <username>@tg-login.ncsa.teragrid.org Known issues: 1. Check the <home>/.ssh/known_hosts file of the machine from which you are trying to log in to the TeraGrid. If an entry exists for the NCSA Teragrid login node, remove it and retry your login. You should be allowed to enter your password and will be asked to accept a new key. 2. If you did not change your password within the allowed deadlines after first receiving it (30 days from date of issuance) or having it reset (7 days), your account will be disabled. Contact help@teragrid.org to have your password reset to the default that you received in your packet. You must then change the password at the NCSA Kerberos password change page. PSC PSC uses ssh with the login information included in your original TeraGrid Account Information Packet. ssh <username>@tg-login.rachel.psc.teragrid.org ssh <username>@tg-login.bigben.psc.teragrid.org Use the kpasswd command to change your password on PSC's Teragrid systems, Rachel (rachel.psc.edu) or Big Ben (bigben.psc.edu). Take care in typing login information on Rachel. Too many failed attempts will result in your account being disabled. Then you will have to contact help@teragrid.org to have your password reset. If your password is reset by PSC, it will be set to the default that you received in your packet. If you do not change your password within 30 days of account creation, your account will be disabled. If this occurs, please contact help@teragrid.org to have your password reset to the default that you received in your packet. SDSC Examples using the command line to log in at SDSC: BlueGene ssh <username>@bglogin.sdsc.edu DataStar ssh <username>@dslogin.sdsc.edu IA-64 Cluster ssh <username>@tg-login.sdsc.teragrid.org UC/ANL ssh at UC/ANL uses public keys for authenticationl UC/ANL does not give out passwords for the TeraGrid. See the steps above. In the email request to help@teragrid.org to have your ssh public key added (step 2), use the subject line "Attn: UC/ANL Account Management". To log in to UC/ANL TeraGrid: ssh <username>@tg-login.uc.teragrid.org (for an IA-64 login node) ssh <username>@tg-viz-login.uc.teragrid.org (for an IA-32 viz login node) SSH will prompt you for the passphrase that you used to create your key. Note: If you wish to use gsiSSH and Grid Credentials as your initial or only authentication method to the UC/ANL cluster (i.e., to bypass initial login with SSH, adding public keys, or using gx-map to have your DN added to the gridmapfile), please e-mail your DN: To: help@teragrid.org Subject: Attn: UC/ANL Account Management. For UC/ANL Site Specific information please follow the "Logging In" link at http://www.uc.teragrid.org/tg-docs/ and review the Authentication Policy and SSHv2 Key Guidelines pages. GSI-Enabled SSH (gsissh) The underlying mechanism of GSI-Enabled SSH (gsissh) is the same as ssh; the advantage is that gsissh uses Grid Security Infrastructure (GSI), a part of the Globus Toolkit, to authenticate the user. Once you are set up to use gsissh on the TeraGrid, you will not have to re-enter your password at each site when you are working at multiple TeraGrid sites during one session. This is called Single Sign-on. Furthermore, any other grid middleware component that uses GSI for authentication will not ask for passwords during the same session. In order to use this method, your account must be set up to do so. If you use the default certificate issued for the TeraGrid by the NCSA Certificate Authority (CA), this set up is done for you. If you need to use a certificate issued by another CA, you'll have to do some manual set-up to get your X.509 certificate and your DN entered in the grid-mapfile of each site where you will be computing on the TeraGrid. This setup is done only once. See "Single Sign-on for Users with non-TeraGrid Certificates" for instructions. To begin a grid computing session with gsissh, you must: Log in to a machine where gsissh is located. This is usually your chosen starting resource on the TeraGrid. but can be any resource where you have an allocation. There are also desktop clients available for installation on your local workstation so that authentication may take place locally Create a proxy credential myproxy-logon and your TeraGrid-wide login (TG CA users). See Single Sign-on for Linux/MacOSX Users or Single Sign-on for Windows Users for desktop installation. grid-proxy-init/kinit(PSC) with the passphrase for your X.509 certificate (For set-up see the Single Sign-on for non- default certificates.) Use gsissh to log in to any TeraGrid machine where you have an account. To see a list of login nodes on resources where you have accounts, log in to the User Portal using your TeraGrid-wide login and go to the MyTeraGrid tab. Example of command line to log in to SDSC's cluster: gsissh <username>@tg-login.sdsc.teragrid.org By default, your proxy credential will be valid for 12 hours, so you will typically need to perform this step once per day.

Upper Left Footer

Upper Right Footer

The TeraGrid project is funded by the National Science Foundation and includes 11 partners:
Indiana, LONI, NCAR, NCSA, NICS, ORNL, PSC, Purdue, SDSC, TACC and UC/ANL.

Please email help@teragrid.org with questions or comments.

This site is XHTML 1.0 Transitional, CSS compliant.

Bottom Left Footer

Bottom Right Footer