Access Information


Access Prerequisites

Follow this table to determine what is needed to access classified (SCF), unclassified Collaboration Zone (OCF-CZ) and unclassified Restricted Zone (OCF-RZ) Livermore Computing (LC) systems.

Going to =>                                                                     |    SCF    |  OCF-CZ   |  OCF-RZ   |
Coming from =>                                                                  |   |   |   |   |   |   |   |   |   |
Valid account on the LC machine(s) you wish to use (see the Accounts Web pages) | X | X | X | X | X | X | X | X | X |
Network connectivity from your local machine to the LC OCF or SCF network       | X | X | X | X | X | X | X | X | X |
SSH (version 2) software installed on your local machine (see Using SSH below)  | X | X | X | X | X | X | X | X | X |
One-time Password (OTP) token + PIN (see Passwords below)                       | X |   | X | X |   | X | X |   | X |
CRYPTOCard token + PIN (see Passwords below)                                    |   |   |   |   |   |   | X | X | X |
Virtual Private Network (VPN) account + VPN software (see VPN Access below)     |   |   |   |   |   |   |   |   | X |
Ability to authenticate locally with credential forwarding (kinit -f) *         |   | X |   |   | X |   |   | X |   |

* LANL/Sandia users can access LC machines on the SCF, CZ and RZ using their local credentials. See the instructions under the Logging In to LLNL Machines table below.

Accessing the Collaboration and Restricted Zones offers tips for accessing the CZ and RZ from your desktop or an LC CZ/RZ machine.

Available Resources

LC provides unclassified Open Computing Facility (OCF) and classified Secure Computing Facility (SCF) high performance computing (HPC) resources.

Most information about Los Alamos HPC and Sandia HPC resources requires LANL/Sandia authentication. See Tri-Lab High-Performance Computing Support for authentication instructions.

Passwords

One-Time Passwords

OCF and SCF users (except for LANL and Sandia on the SCF) authenticate using a PIN and a one-time password (OTP) token passcode. Additionally, OCF RZ users require a PIN and a CRYPTOCard token passcode. The LC Hotline will send you an RSA SecurID and/or CRYPTOCard token when you are given an account. When you receive your RSA/CRYPTOCard token, you must enable it before you can log in. Instructions are provided with your account notification e-mail.

The same RSA token is used for both CZ and SCF; however, a different PIN is used for each network. RSA token information, including token diagnostics or testing, can also be found on the One-Time Password Toolkit page.

For specifics on using a CRYPTOCard, refer to Technical Bulletin 475, Improved CRYPTOCard Features. From the CRYPTOCard Self-Help Web site, you may change your PIN or resync your CRYPTOCard token.

Using SSH to Access LC Machines

Secure Shell (SSH) is the only login method for LC systems. SSH includes SCP or SFTP for file transfers between hosts. For more information on SSH and SCP, SSH access modes, RSA/DSA authentication, and how-tos, see the Secure Shell section of the Introduction to Livermore Computing Resources.

Consult the directions for Configuring X-Win32 for SSH Connections to LC Machines for first-time setup and routine connections via X-Win32 on a Windows PC.

The Using PuTTY guide is available on the LLNLWiki if you need instructions on how to access LC systems with PuTTY.

Use the Setting Up SSH Keys guide if you want to access LC production machines using passwordless authentication (only permitted between LC machines).

Currently, LC requires all SSH access to be compatible with SSH version 2.

Virtual Private Network (VPN) Access

VPN access is provided for off-site, unclassified access to LC RZ machines. It is required for the following types of access:

  • Employees at home, on travel, or working off-site.
  • Non-employees and collaborators (such as the ASC Alliances) who are physically located outside of LLNL, while using RZ systems.
  • LANL and Sandia users when they are not physically at their lab.

Logging In to LLNL Machines

Login methods vary, depending upon where you are coming from and where you want to go. The instructions below assume that the Access Prerequisites have been met. All access requires SSH (version 2) as described in Using SSH to Access LC Machines.

Accessing the Collaboration and Restricted Zones offers tips for accessing the CZ and RZ from your desktop or from an LC CZ/RZ machine.

LLNL OCF (Unclassified) Collaboration Zone Systems

  From Inside LLNL:
      ssh loginmachine
      User ID: LLNL userid
      Password: LLNL PIN + OTP

  LANL/Sandia:
      Begin on a LANL/Sandia iHPC login node. For example, at Sandia start from ihpc.sandia.gov; at LANL start from ihpc-gate1.lanl.gov.
      If not beginning on an iHPC node, then follow the instructions below for "Outside LLNL".
      ssh -l llnl-username loginmachine.llnl.gov
      No password required
      Note: If you experience session time-outs due to inactivity, try adding the following two options to your SSH command:
         -o ServerAliveInterval=60 -o ServerAliveCountMax=30

  Outside LLNL:
      ssh loginmachine.llnl.gov   or   ssh -l llnl-username loginmachine.llnl.gov
      User ID: LLNL userid
      Password: LLNL PIN + OTP

LLNL OCF (Unclassified) Restricted Zone Systems

  From Inside LLNL:
      ssh rzgw
      User ID: LLNL userid
      Password: LLNL PIN + CRYPTOCard

      ssh loginmachine
      User ID: LLNL userid
      Password: LLNL PIN + OTP

  LANL/Sandia:
      Begin on a LANL/Sandia iHPC login node. For example, at Sandia start from ihpc.sandia.gov; at LANL start from ihpc-gate1.lanl.gov.
      If not beginning on an iHPC node, then follow the instructions below for "Outside LLNL".
      ssh -l llnl-username rzgw.llnl.gov
      Password: LLNL PIN + CRYPTOCard

      On rzgw:
      kinit sandia-username@dce.sandia.gov
      or
      kinit lanl-username@lanl.gov
      Enter Sandia/LANL kerberos password

      ssh loginmachine
      No password required
      Note: If you experience session time-outs due to inactivity, try adding the following two options to your SSH command:
         -o ServerAliveInterval=60 -o ServerAliveCountMax=30

  Outside LLNL:
      Start VPN
      ssh -l llnl-username rzgw.llnl.gov
      Password: LLNL PIN + CRYPTOCard

      ssh loginmachine
      User ID: LLNL userid
      Password: LLNL PIN + OTP

LLNL Internal Web Pages (Unclassified)

  From Inside LLNL:
      User ID: LLNL userid
      Password: LLNL PIN + OTP

  LANL/Sandia:
      Sandia users: authenticate with your sandia-username@dce.sandia.gov and your Sandia kerberos password.
      LANL users: authenticate with your lanl-username@lanl.gov and your LANL kerberos password.

  Outside LLNL:
      Start VPN
      User ID: LLNL userid
      Password: LLNL PIN + OTP

LLNL SCF (Classified) Systems

  From Inside LLNL:
      ssh loginmachine
      User ID: LLNL userid
      Password: LLNL PIN + OTP

  LANL/Sandia:
      Authenticate locally with credential forwarding (kinit -f) using your LANL/Sandia password
      For LANL only: connect to the LANL gateway first: ssh red-wtrw
      ssh -l llnl-username loginmachine.llnl.gov
      No password required

  Other DOE Sites:
      ssh loginmachine.llnl.gov
      User ID: LLNL userid
      Password: LLNL PIN + OTP
        or
      Static SCF password
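
The LANL/Sandia login to loginmachine.llnl.gov described above, written as an OpenSSH client configuration; this is an added example, not configuration supplied by LC. loginmachine.llnl.gov and llnl-username are the page's own placeholders, and the GSSAPI settings assume that the "No password required" step is Kerberos authentication over GSSAPI, which the page does not state.

```sshconfig
# ~/.ssh/config for the OpenSSH client (added example, not LC-provided).
# Scope the stanza to the one host rather than "Host *" so that none of
# these settings apply to unrelated servers.
Host loginmachine.llnl.gov
    # Same effect as "-l llnl-username" on the command line.
    User llnl-username

    # Same effect as "-o ServerAliveInterval=60 -o ServerAliveCountMax=30":
    # probe the server through the encrypted channel after 60 s of silence
    # and disconnect after 30 unanswered probes (about 30 minutes).
    ServerAliveInterval 60
    ServerAliveCountMax 30

    # Assumption: the passwordless step uses the Kerberos ticket obtained
    # with kinit, presented to the server through GSSAPI.
    GSSAPIAuthentication yes

    # Delegation hands the forwardable ticket (kinit -f) to the remote host.
    # "no" is the OpenSSH default; whether any hop needs "yes" is an
    # assumption to confirm with the site before enabling it for that host.
    GSSAPIDelegateCredentials no
```

Running ssh -G loginmachine.llnl.gov prints the options the client would actually use for that host, which confirms the stanza matched before any connection is made.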

Login Nodes

Whenever you log in to an LC system, you are placed onto a login node. These nodes are dedicated to serving interactive activities such as file editing, launching batch jobs, compiling, file transfer, debugging and other short duration activities. At any one time, there may be multiple users on a login node.

These nodes should not be used to run parallel and/or production jobs! By doing so, you may seriously degrade the performance of others' interactive work. Be sure to use nodes designated for interactive or batch production work to run jobs.

For more information about the differences between login nodes and nodes designated for production work, please see the Login Nodes section of the "Introduction to Livermore Computing Resources" tutorial and the Running Jobs section of this Computing Web site.

Logging In to LANL/Sandia Machines

Classified systems: both LANL and Sandia classified Tri-lab systems support Kerberos passwordless SSH access from LLNL.
Unclassified systems: access methods vary between Sandia and LANL.
Please consult the Sandia Access Instructions or the LANL Access Instructions for details.

File Transfers

Files may be transferred using Hopper, SCP, FTP, SFTP, NFT, HSI, or HTAR. On some systems, XFTP and XDIR are also available. For more details, see the File Transfer and Sharing section of Introduction to Livermore Computing Resources.

Miscellaneous Access Topics

X Terminal Control
For an X client (such as the TotalView debugger) to display on an X-display server (such as your X terminal or workstation), the client must be authorized to connect to the server. XAUTH offers an alternative way to manage this authorization.

Remote Access
An approved Remote Access Request is required for U.S. citizen collaborators (non-LLNL collaborators sponsored by an LLNL employee) for the following remote access accounts: VPN-C, VPN, OTS, VPN-B. Requests for remote access are made through the EZid Identity Management System.

Foreign Nationals at LLNL
There are additional access policies and restrictions for Foreign Nationals. See Foreign Nationals at LLNL for details.

Shared Office Facilities
Shared office facilities provided by the Integrated Computing and Communications Department (ICCD) are available in Building 453, Rooms 2140 and 2142. The shared offices have workstations that permit access to both the classified (SCF) and unclassified (OCF) networks. They are intended for users that do not have access to the SCF network from their own offices and need a temporary location from which to work. OCF network access is provided primarily as a convenience. For general information regarding access to and use of the shared office facilities, contact the LC Hotline at lc-support@llnl.gov or 422-4531.

Additional Information
