System Access

Overview

Logging into the HPC supercomputers starts with your UArizona NetID and password with two-factor authentication enabled. This section is intended to provide you with instructions on getting terminal access to the system from your specific OS, how to log into the system from our web interface (Open OnDemand), how to set up X11 (image) forwarding, and how to configure your account to allow for a password-less login with SSH keys.

If you experience any problems, refer to our FAQ page which provides some solutions to common problems.

Web Access

Open OnDemand

Users can gain command line access to HPC through our OOD web interface as an alternative to using a local SSH Client. To use this interface:

  1. Log into Open OnDemand
  2. Go to the dropdown menu at the top of the screen and select Clusters
  3. Click >_Shell Access

  4. This will put you on the command line on one of the login nodes where you may perform regular housekeeping work, submit jobs, or request an interactive session. By default, you will automatically be connected to Puma. To navigate to a different cluster, use the displayed shortcuts.

Users may also interact with a cluster using a virtual desktop interface. To do this:

  1. Log into Open OnDemand and, under My Interactive Sessions, select Interactive Desktop under Desktops on the left-hand side of the page.

  2. A form will appear where you will select the target cluster, enter the amount of time you'd like to be allotted (in hours), the number of cores you need, your PI Group (if you are unsure what your group name is, you can check in https://portal.hpc.arizona.edu/portal/), and the queue. Once you've filled in your request, click Launch.

  3. A window will appear with the status of your request. It will start in a Pending state and will switch to Running when your desktop session is ready. Click Launch Interactive Desktop to access your session.

  4. That's it! You can now use the cluster with a Desktop interface.

Command Line Access

Tip
  • Credentials: To log into HPC, you will need NetID+ enabled, an HPC account, and internet access. Because we require Duo-authentication to access the system, no VPN is required.
  • Password Visibility: When entering your password in the terminal at the prompt, you will not see any characters appear on the screen while typing during this step. This is normal and everything is working as it should.

Mac systems provide a built-in SSH client, so there is no need to install any additional software. You will find the terminal application under Applications → Utilities → Terminal.

Open the terminal and enter:

ssh <netid>@hpc.arizona.edu

where <netid> is your UArizona NetID. When you press enter, you will be prompted for your university password. After successfully entering your password, you will be prompted to Duo Authenticate. If everything is successful, you will be connected to the bastion host.

Windows systems do not have any built-in support for using SSH, so you will have to download a software package to do so. There are several available for Windows workstations. Free SSH clients are available for download from the University of Arizona's Site License website.

PuTTY is the most popular open source SSH Windows client. To use it: download, install, and open the PuTTY client. Next, open a connection, enter hpc.arizona.edu under Host Name, and press Open.

This will open a terminal. At the prompt, enter the following, replacing <netid> with your own NetID:

Login as: <netid>

You will then be prompted to Duo-Authenticate. If the process is successful, you will be connected to the bastion host.

MobaXterm is another available SSH Windows client. To connect to HPC, download and install MobaXterm, open the software, and select Session.

From there, select SSH and enter hpc.arizona.edu under Remote host. Next, select the box next to Specify username and enter your UArizona NetID. To connect, click OK at the bottom of the screen:

This will open a terminal and will prompt you for your UArizona password. You will then need to Duo-authenticate. If everything is successful, you will be connected to the bastion host.

Once you reach the bastion host, regardless of method, you should see the following:

Success. Logging you in...
Last login:
This is a bastion host used to access the rest of the RT/HPC environment.

Type "shell" to access the job submission hosts for all environments

From there, type shell to connect to the login nodes that will provide access to our three clusters. On the login nodes, you should see:

***
The default cluster for job submission is Puma
***
Shortcut commands change the target cluster
-----------------------------------------
Puma:
$ puma
(puma) $
Ocelote:
$ ocelote
(ocelote) $
ElGato:
$ elgato
(elgato) $
-----------------------------------------

X11 Forwarding

X11 forwarding is a mechanism that allows a user to start up a remote application (e.g. VisIt or Matlab) and forward the application display to their local machine. The key to making forwarding work is to include the -X flag at each login step. To check whether X11 forwarding is active, you may run the command:

echo $DISPLAY

If it comes back blank, X11 forwarding is not enabled.

Tips
  • Mac users will want to install the additional software package XQuartz onto their machines to use X11 forwarding with HPC.

  • On a Mac, if you get a blank response to echo $DISPLAY, you might need this line in your ~/.ssh/config file: ForwardX11Trusted yes

  • Be aware forwarding X traffic does not work with the DEPRECATED menu interface enabled. You should disable the menu option and use the hostname shortcuts instead.

Start a terminal session and connect as you typically would with an additional flag -X in your ssh command. Once you're connected to the bastion host, enter the name of the cluster you want to access, including the additional -X flag again. An example of this process is provided below:

$ ssh -X netid@hpc.arizona.edu
Password:
Duo two-factor login for netid
Enter a passcode or select one of the following options:

1. Duo Push to XXX-XXX-8969
2. Phone call to XXX-XXX-8969
3. Phone call to XXX-XXX-0502
4. SMS passcodes to XXX-XXX-8969

Passcode or option (1-4): 1
Success. Logging you in...
Last login:
This is a bastion host used to access the rest of the RT/HPC environment.

Type "shell" to access the job submission hosts for all environments
-----------------------------------------            
[netid@gatekeeper ~]$ echo $DISPLAY
localhost:13.0

[netid@gatekeeper ~]$ shell -X
***
The default cluster for job submission is Puma
***
Shortcut commands change the target cluster
-----------------------------------------
Ocelote:
$ ocelote
(ocelote) $
Puma:
$ puma
(puma) $

(puma)[netid@junonia ~]$ echo $DISPLAY
localhost:18.0

To use X11 forwarding on a Windows system, you will need to download an X11 display server such as Xming.

To enable X11 forwarding in PuTTY, go to SSH → X11 and select the box next to Enable X11 forwarding.

Once you've connected to the bastion host, connect to the login nodes with an additional flag -X:

shell -X

To enable X11 forwarding in MobaXterm, open a new session, select SSH, and open Advanced SSH settings. Select the option below called X11-Forwarding.

Once you've connected to the bastion host, connect to the login nodes with an additional flag -X:

shell -X

Once you're connected to the login nodes, you'll need to include an X11 forwarding flag when you start an interactive session. When using the interactive command, use the flag -x. When using salloc directly, use --x11.

Port Forwarding

Port forwarding is a technique used to redirect network traffic from one network address and port number to another. In the context of HPC systems, port forwarding allows users to access remote resources or services that are not directly accessible due to network configurations.

Common use cases for port forwarding include accessing remote desktops, running graphical applications, or accessing web-based interfaces of applications. Some examples of this might include using Jupyter Lab or a containerized RStudio instance.

The steps to set up port forwarding are the following:

  1. Start a job

    This can either be done using an interactive session or an Open OnDemand job (e.g. an interactive desktop session). Once your job starts, make note of the node name. For example, in an interactive session, you can use the command hostname

    (elgato) [user@wentletrap ~]$ interactive -a hpcteam -t 5:00:00
    [user@cpu37 ~]$ hostname
    cpu37.elgato.hpc.arizona.edu
    
  2. Connect to the HPC VPN

    The HPC VPN can be used with Cisco AnyConnect using vpn.hpc.arizona.edu. This is different from the standard university VPN and will allow you to connect directly to a compute node, bypassing the bastion and login nodes.

    Use the HPC VPN

    Note that it's always safer and more efficient to connect directly to your compute node rather than tunneling through the bastion and login nodes. If you tunnel through the bastion/login nodes, you may inadvertently use the same port as another user causing unwanted interference. Additionally, tunneling will result in reduced performance.

  3. SSH to your compute node

    Once you're connected to the HPC VPN, ssh into your compute node with the additional arguments -L <port>:localhost:<port> where <port> is the port you want to use. For example:

    ssh -L 1234:localhost:1234 user@cpu37.elgato.hpc.arizona.edu
    
  4. Start your application and launch it in a web browser

    In your new terminal window, start your application, specifying the port number. For example:

    [user@cpu37 ~]$ jupyter lab --port 1234
    

    Your application should give you a URL that you can then use to access your session in a local web browser.

SSH Keys

Why Use SSH Keys?

The Bastion Host uses two-factor authentication and will, by default, prompt you for a password and second factor when you attempt to log in. As an alternative, you can use PKI (Public Key Authentication). This means you will not have to provide a password or Duo-authenticate for any future sessions. In brief, you will need to create an SSH Key on your local workstation and copy the public key to the ~/.ssh/authorized_keys file in your HPC account on the bastion host. A more detailed explanation and instructions are below.

Setting Up SSH Keys On Linux/Mac

The proper use of SSH keys involves creating a public/private keypair, and configuring a couple of files on each system. Both Source (e.g. your laptop) and Destination (e.g. the HPC Bastion Host) systems need a directory in your home called .ssh. This is a hidden folder that will store the keypair and configuration files. Note that you will need to enter your password to access the system until this process is complete and all files are set up correctly.

Important Note on Account Security

Do not store a backup of these keys on any other system! If you lose the keys, you will still be able to access the HPC using your UA password. If a third party obtains your SSH key, they will gain access to your account.

1. Setting up on Source

The following files need to be present in ~/.ssh on Source

  • private key: id_rsa -- Do not share this with anybody! It is analogous to your password; anybody who has this file will gain access to your account.
  • public key: id_rsa.pub -- Upload this onto any servers that you wish to automatically login to. It is recommended to use different keys for different servers.
  • configuration file: config

The keypair is generated on Source with the command ssh-keygen -t rsa. You will be prompted to enter a passphrase. This is optional but recommended.

You may need to enter a name other than the default id_rsa if you already have a keypair with that name on your system, or if you wish to use multiple SSH keys to access different servers.

2. Setting up on Destination

In this case, we will be treating the Bastion Host as the Destination. This is necessary because it serves as the authentication host, meaning users are required to pass through it before accessing the rest of the HPC environment. Note that the Bastion Host has very limited storage space and a different file system than the main HPC. Do not put any files on the Bastion Host other than what is necessary to set up SSH Keys. Files that you place on the Bastion Host will not be present on the main HPC. You can read more about the system layout here.

A file containing a list of accepted public keys called authorized_keys needs to be present in ~/.ssh on Destination. You will then need to copy the contents of id_rsa.pub from Source into this file. This can be done with the command ssh-copy-id netid@hpc.arizona.edu. If your computer does not support this command, or if this process does not yield the desired results, you will need to copy it manually:

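# On Source: copy the public key to your home directory on the bastion host, then log in
scp ~/.ssh/id_rsa.pub netid@hpc.arizona.edu:
ssh netid@hpc.arizona.edu
# On Destination: append the key to authorized_keys, remove the copy, and restrict permissions
mkdir -p ~/.ssh && cat ~/id_rsa.pub >> ~/.ssh/authorized_keys && rm ~/id_rsa.pub
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

3. Configuring the SSH Agent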

Sometimes the ssh agent does not associate the right key with the right server, and you may still have to enter your password. If this occurs, setting up a config file can correct the error.

On Source, run touch ~/.ssh/config. Then, copy the following code block into the new file, making sure to replace <netid> with your correct UA net id. You can change the contents of Host to any name you like. Do not change HostName. Make sure IdentityFile matches the key you generated in step one, in particular if you gave it a different name.

Host uahpcbastion
    HostName hpc.arizona.edu
    User <netid>
    IdentityFile ~/.ssh/id_rsa

This will associate the identity file with the HPC server, and will also allow you to replace netid@hpc.arizona.edu with uahpcbastion in the command line, e.g. ssh uahpcbastion

Now, logout and attempt to login to the server again. You should not be prompted for a password!

4. Direct Access to Login Nodes

You can set up a proxy jump in order to access the login nodes without having to type "shell" from the Bastion Host.

First, you will need to copy the contents of id_rsa.pub from Source into the ~/.ssh/authorized_keys file on the main HPC filesystem in a similar manner to step 2.

Then, put an empty line after the last entry in ~/.ssh/config and add the following contents, again making sure to replace <netid> with your correct UA net id. You may change the Host entry as you prefer, but make sure the name after ProxyJump matches the name you gave to the Bastion Host in the previous entry.

Host uahpclogin
    HostName shell.hpc.arizona.edu
    User <netid>
    IdentityFile ~/.ssh/id_rsa
    ProxyJump uahpcbastion

Now you should be able to run ssh uahpclogin from Source to directly access the login node.

5. Accessing the File Transfer Node

SSH Keys can also be used to avoid entering a password and two-factor authentication when transferring files to or from the cluster via filexfer.hpc.arizona.edu.

Put an empty line after the last entry in ~/.ssh/config on Source and add the following contents, again making sure to replace <netid> with your correct UA net id.

Host uahpcfxfr
    HostName filexfer.hpc.arizona.edu
    User <netid>
    IdentityFile ~/.ssh/id_rsa

You should now be able to use scp, sftp, and the like from your local computer without entering your password.

You may also wish to access the file transfer node from the login node without entering your password, for example to copy data from /rental. In this case, you will need to perform steps 1-3 but treating Source as the login node and Destination as the file transfer node. It may be helpful to name this new key something to indicate its association with the file transfer node, for example fxfr and fxfr.pub.

Since both Source and Destination share access to your home folder, your public and private keys will both be in the ~/.ssh folder on the HPC, as will the authorized_keys and config files. Make sure to create these and put the contents of fxfr.pub into authorized_keys. If multiple keys are being added to authorized_keys, make sure they are on separate lines.

Then, add the following code block to ~/.ssh/config:

Host uahpcfxfr
    HostName filexfer.hpc.arizona.edu
    User <netid>
    IdentityFile ~/.ssh/fxfr

Now, you should be able to perform ssh, scp, sftp, and the like from the HPC login node to/from the HPC file transfer node without having to enter your password. For example:

ssh uahpcfxfr
scp -r /rental/netid/data /xdisk/netid/project
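
A read-only check of the ~/.ssh directory that steps 1-5 produce, added here as an example (it is not part of the original documentation). It flags permissions that make sshd or the SSH client ignore a key, private keys without a passphrase, and authorized_keys lines that hold more than one key. The function names are hypothetical, and it assumes each private key sits next to its .pub file, as id_rsa and fxfr do above.

```shell
#!/bin/sh
# Added example, not from the original page: read-only audit of the ~/.ssh
# directory built in steps 1-5. Function names are hypothetical.

# Succeeds if PATH has any of the listed octal permission bits set.
any_perm_set() {
    p=$1; shift
    for bit in "$@"; do
        [ -n "$(find "$p" -prune -perm "-$bit" 2>/dev/null)" ] && return 0
    done
    return 1
}

# Prints how many authorized_keys lines do not hold exactly one key. Every
# OpenSSH public key blob begins with "AAAA" in base64, so counting
# "<keytype> AAAA" per line catches two keys fused by a missing newline.
count_bad_key_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { n = gsub(/(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+)(@openssh\.com)? AAAA/, "&")
          if (n != 1) bad++ }
        END { print bad + 0 }' "$1"
}

# Succeeds if the private key loads with an empty passphrase, i.e. it was
# generated without the passphrase the page recommends.
key_is_unencrypted() {
    ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1
}

# Prints one line per finding; succeeds only if there are none.
audit_ssh_dir() {
    dir=$1; findings=0
    report() { echo "$1"; findings=$((findings + 1)); }
    # sshd (StrictModes) ignores authorized_keys under a writable ~/.ssh
    any_perm_set "$dir" 020 002 && report "$dir: group/world writable"
    for pub in "$dir"/*.pub; do        # id_rsa.pub -> id_rsa, fxfr.pub -> fxfr
        key=${pub%.pub}
        [ -f "$key" ] || continue
        any_perm_set "$key" 040 020 010 004 002 001 &&
            report "$key: private key accessible by group/other"
        key_is_unencrypted "$key" && report "$key: no passphrase set"
    done
    ak=$dir/authorized_keys
    if [ -f "$ak" ]; then
        any_perm_set "$ak" 020 002 && report "$ak: group/world writable"
        bad=$(count_bad_key_lines "$ak")
        [ "$bad" -gt 0 ] && report "$ak: $bad line(s) are not exactly one key"
    fi
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_ssh.sh ~/.ssh
if [ "$#" -gt 0 ]; then audit_ssh_dir "$1"; fi
```

The fused-key finding usually means authorized_keys had no trailing newline when another key was appended with cat >>.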

Setting Up SSH Keys On Windows

To set up SSH keys on Windows with the PuTTY client, refer to the official PuTTY documentation.

To set up SSH keys on Windows for file transfers using WinSCP, refer to the official WinSCP documentation.

If you are a Windows user and would like to set up SSH keys to access the file transfer node from a login node without entering your password, please read through the above section on setting up SSH Keys on Linux, since the HPC is a Linux system. Some information in steps 1-4 may be relevant, but you should not perform those actions on your local computer. Then, refer to step 5 for specific directions on setting this up. Do so from an active SSH session on an HPC login node.

Learn More

If you would like to learn more about SSH keys, please refer to this in-depth guide created by our friends at Digital Ocean.