Logging In and SSH Keys

Creating SSH Keys

Generate a pair of SSH keys with the ssh-keygen command; in this example we create an ed25519 key.

$ ssh-keygen -a 100 -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/USER/.ssh/id_ed25519):

You can change the name of the ssh key here, which is useful if you have several keys. Make note of the name if you use a different one other than the default. We will presume you went with the defaults here.

Note: If you choose a different name you will need to specify the key to use in the ssh config file or in the ssh command itself.

Enter passphrase (empty for no passphrase):

A strong passphrase is required

Enter same passphrase again:

Repeat the strong passphrase.

Your identification has been saved in /Users/USER/.ssh/id_ed25519.

(id_ed25519 is your private key. Keep it secure, do not share it, and be cognizant of where you store it.)

Your public key has been saved in /Users/USER/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:lSglfiIzcdJumCtz1RI03sulFJ3pA3hZcFMbPPEY14Y USER@foo

This is your public key.

Adding Your Public Key to Your Account

After you generate your SSH key pair, add ONLY the public key to your account at https://accounts.lcrc.anl.gov.

• Copy the contents of the .pub file generated above (in the example above, ~/.ssh/id_ed25519.pub)
• Choose “Add Key” at the bottom of the Account Information page after login.
• Paste what you copied into the “Key” section that appears. The “Description” is purely informational and allows you to give it a meaningful or memorable name/description for future reference.

You will then be able to SSH directly to our login nodes.

Logging In

LCRC supports multiple clusters, and you can adapt the following instructions to your specific cluster needs. Each cluster utilizes the same SSH keypair and file systems.

Basic Configuration

When using OpenSSH for logging in, it must know at least the hostname you wish to connect to. If your local username differs from your LCRC cluster username, you'll need to specify the correct one. Also, if your SSH key isn't the default ~/.ssh/ed_25519, specify its path.

ssh -i /path/to/your/ssh_private_key <username>@improv.lcrc.anl.gov

Simplifying Future Logins

OpenSSH allows you to store configurations in ~/.ssh/config, making logins simpler.

In ~/.ssh/config, you can set parameters for various hosts. For example, to simplify logging in to Improv, you can add the following to your ~/.ssh/config file:

Host improv
    HostName improv.lcrc.anl.gov
    User <username>
    IdentityFile /path/to/your/ssh_private_key

After configuring OpenSSH, log in using:

ssh improv

You can apply this method to other clusters as well.

Using GUI Applications Over SSH

For GUI applications over SSH, enable X11 forwarding:

Command line:

ssh -X -i /path/to/your/ssh_private_key <username>@improv.lcrc.anl.gov

Or in your config file:

Host improv
   HostName improv.lcrc.anl.gov
   User username
   IdentityFile /path/to/your/ssh_private_key
   ForwardX11 yes

Then connect as usual:

ssh improv

Debugging a Failed Connection

If you encounter login issues, check your internet connection, ensure the correct public key is uploaded, verify your username, hostname, and SSH private key are correct, and check for any misconfigurations in ~/.ssh/config.

Common Issues:

• Client Configuration: Verify the correct permissions for your SSH files.
• Server Configuration: Ensure your home and .ssh directories have the correct permissions.
• Maintenance and Login Nodes: Be aware of maintenance periods and check if you're connecting to responsive nodes

Advanced Troubleshooting

If you're still facing issues, provide the output from the following commands to support:

ssh -vvv -i /path/to/your/ssh_private_key <username>@improv.lcrc.anl.gov
ls -la ~/.ssh
cat ~/.ssh/config

Downed Login Nodes

Occasionally LCRC login nodes may become unresponsive due to a number of various failures unexpectedly. Because of the round-robin nature of the connection, you may land on one of these bad nodes when you try to SSH to LCRC. We'll try to make sure each node is up at all times, but you may attempt to connect to the clusters during this unexpected down time. To test whether or not the problem is on your end or on the LCRC side and if you've already exhausted the other troubleshooting steps, try to connect to a specific login node.

To do this, you can substitute your basic SSH command of ssh -i /path/to/your/ssh_private_key <username>@improv.lcrc.anl.gov, for example, with these instead.

For Improv:

ssh -i /path/to/your/ssh_private_key <username>@ilogin1.lcrc.anl.gov
ssh -i /path/to/your/ssh_private_key <username>@ilogin2.lcrc.anl.gov
ssh -i /path/to/your/ssh_private_key <username>@ilogin3.lcrc.anl.gov
ssh -i /path/to/your/ssh_private_key <username>@ilogin4.lcrc.anl.gov

For Bebop:

ssh -i /path/to/your/ssh_private_key <username>@beboplogin1.lcrc.anl.gov
ssh -i /path/to/your/ssh_private_key <username>@beboplogin2.lcrc.anl.gov
ssh -i /path/to/your/ssh_private_key <username>@beboplogin3.lcrc.anl.gov
ssh -i /path/to/your/ssh_private_key <username>@beboplogin4.lcrc.anl.gov

If you try a couple of these nodes and still can't connect, you can continue troubleshooting. Of course in extremely rare cases most of our login nodes can be down so you can always contact us if you've exhausted all of your connection options.