Logging into BRC Clusters

Overview | Installing & setting up Google Authenticator | Logging into BRC Clusters | Troubleshooting

This document provides instructions on how to log into the Berkeley Research Computing (BRC) high performance computing (HPC) clusters - Savio, Vector, and Cortex - at the University of California, Berkeley.

Unlike most remote computer systems that you may have encountered to date, when logging into the BRC clusters (via SSH), you'll need to enter a password that changes each time you log in. You'll generate (create) these passwords - known as One Time Passwords (OTP) - using the Google Authenticator application on your smartphone or tablet.

Requiring time-expiring, one-time-use passwords helps protect your work and data from unauthorized access - and potential damage or alteration - by intruders. Moreover, it helps protect the cluster itself from attacks, so that it can remain highly available to the campus community.

Overview

Setting up your mobile device to generate these one-time passwords, so you can log into the BRC clusters, is fairly straightforward. It typically takes between 10 and 30 minutes, and you only need to do it once. Here's an overview of that process:

  • Submit a form to receive a linking invitation email.
  • Following the instructions in that email, login to the Token Management website with one of your personal accounts. You can use your UC Berkeley CalNet ID, or even your Facebook, Google, or LinkedIn account. That will link your personal account to your BRC HPC Cluster account.
  • Install the Google Authenticator app on your smartphone or tablet.
  • On the Token Management website, follow the instructions to create a new token. This will display a QR code onscreen.
  • Using your smartphone or tablet camera, scan the QR code into Google Authenticator.
  • Verify that Google Authenticator is now generating one-time passwords.

Below are details on how you'll do this:

Installing and setting up Google Authenticator on a mobile device

Before you can log into the HPC clusters for the first time, you will need to install and set up Google Authenticator on at least one mobile device: a smartphone or tablet running Android or iOS. (If you don't have one of those devices, please complete Step 1 and then see Step 2, below.)

Here's the nine-step process for installing and setting up Google Authenticator:

1. In most instances, if you're visiting this page, you already have a BRC HPC Cluster account (i.e. an account on the Savio, Vector, and/or Cortex cluster). However, if you don't already have such an account, please request one. (If you're not sure, please contact BRC support.)

2. Link one of your personal accounts (University of California, Berkeley [i.e, your CalNet ID], Facebook, Google, or LinkedIn) with your BRC HPC Cluster account. This is typically a one-time process:

  • To link these accounts, please complete and submit this form, anytime. You can expect to receive the linking invitation email from BRC support within 5 to 10 minutes thereafter. (The linking invitation email's subject line is, or will be similar to, "Invitation to link your personal account with BRC HPC Cluster account".)
  • Follow the instructions in that email to complete the linking process.
  • If you cannot locate the email, please check your Spam or Junk folder. And if you still can't locate it, please contact BRC support.)

3. After having linked your personal account with your BRC HPC Cluster account, then install the Google Authenticator app on your smartphone or tablet running Android or iOS.

(If you do not have a device capable of running the Google Authenticator app, we recommend using the Authy app.)

In the Google Play store or iOS App Store on your smartphone or tablet, search for and install "Google Authenticator".

(Or else, for convenience, click the relevant button below:)

App card for the Google Authenticator application

Google Play store buttoniOS App Store button

4. In your browser, on a second device, such as a laptop or desktop, visit the Non-LBL Token Management web page.

5. Click the button for your personal account ("external identity") that you have linked in Step 1, then follow the onscreen instructions to log in with your credentials for that account.

Non-LBL Token Management page

(If, when doing so, you encounter the error message, "Login Error: There was an error logging you in. The account that you logged in with has not been mapped to a system account", please complete Step 1, above, and then return back here and re-try this step.)

6. From the “Token Management” page which appears, create a token by clicking on “Add an HPC Cluster/Linux Workstation token” and following the onscreen instructions. IMPORTANT: Remember the PIN that you are setting on the token.

After you’ve successfully created your new token, a QR code for that token will then be displayed.

7. Back on your smartphone or tablet, from the menu of the Google Authenticator app, select “Add an account” and then “Scan a barcode”.

8. Scan that QR code. (This will store the token in Google Authenticator.)

(Note: If your device does not already have a QR code reader app installed, the Google Authenticator app may first lead you through the process of installing one. Some newer versions of the Google Authenticator app now have a built-in ability to scan QR codes.)

9. Verify that the Google Authenticator app is now generating one-time passwords. (Note: the one-time password will be displayed under the name “Lawrence Berkeley National Laboratory” in that app.)

Logging into BRC Clusters

1. Make sure that the Google Authenticator app is running on your smartphone or tablet. (You’ll need to enter a one-time password displayed by this app at step 3, below.)

2. On your laptop, desktop, or other device running a terminal/SSH program, connect to the cluster via SSH; e.g.:

ssh yourusername@hpc.brc.berkeley.edu

(Be sure to substitute your actual username for the placeholder yourusername in the example above.)

3. At the Password: prompt, enter the token PIN, followed immediately, without spaces, by the 6-digit one-time password currently displayed by the Google Authenticator app on your smartphone or tablet; e.g.:

Password: PIN_hereOTP_here

For instance, if your PIN was 9999 (hint: don’t use this example as your own PIN!), and the one time-password currently displayed by Google Authenticator was 123456, you’d enter the following at the Password: prompt:

Password: 9999123456

Please note that no characters will appear on the screen in the password prompt when you enter in the digits.

Troubleshooting

If you've already set up your token but are unable to log in successfully - here's what to try:

1. Make sure you're including the PIN as part of your password

At the Password: prompt, make sure that you're entering your token PIN, followed immediately by the 6-digit one-time password from Google Authenticator. (There should be no spaces or punctuation between the token PIN and the one-time password.)

2. Wait to enter the one-time password until a new one has just been displayed

If the 'countdown clock' indicator in the Google Authenticator app is nearing its end, signifying that the existing password is about to expire, try waiting until a new one-time password has been displayed. Then enter that new password, immediately after your PIN, at the Password: prompt.

3. Check that, in your SSH command or in the configuration for your SSH application, you're using your correct login name (i.e., your Linux user name) on the cluster

In particular, make sure that you're not inadvertently using the name of one of your SLURM scheduler accounts (which typically begin with fc_ for Faculty Computing Allowance users or co_ for Condo partners), in place of your login name.

4. Check that, in your SSH command or in the configuration for your SSH application, you're using the correct hostname for the cluster's front-end/login nodes, hpc.brc.berkeley.edu, or for its Data Transfer Node, dtn.brc.berkeley.edu.

5. Test - and if needed, reset - your token or its PIN

  • Visit the Non-LBL Token Management web page.
  • Log in to this Token Management page, by clicking the button for the relevant external account (University of California, Berkeley [i.e., your CalNet ID], Facebook, Google, or LinkedIn) that you used when you set up your token, and then following the onscreen directions.
  • A list of one or more tokens should then be displayed. From this list, find your relevant token: the one that you entered into Google Authenticator on the smartphone or tablet you're currently using. (If you want to check this further, the "TOTP number" that appears in the box for your token, on the Token Management web page, should match the TOTP number in Google Authenticator's window on your device. On some small devices, you might need to press/click and hold on the token's entry to see the TOTP number, and perhaps even pivot the device to landscape mode to read the full number.)
    • If there's only a "Reset" option in your relevant token's box, click that link. Then proceed to the next step, below.
    • If there's a "Test" option in the token's box, click that link, then enter your PIN followed immediately by your Google Authenticator 6-digit one-time password, and click the "Test Now" button.
    • If your test(s) fail, click "Done". Then click the "Reset PIN" link and reset your PIN. (You can even 'reset' it to your current PIN.)
    • Try the "Test" option once again. In the token's box, click the "Test" link, then enter your PIN followed immediately by your Google Authenticator 6-digit one-time password, and click the "Test Now" button.
    • Once you get a successful test of your PIN plus one-time password on this web page, you can try logging into the cluster once again and see if you're successful there, as well.

6. Finally, if all else fails, try creating a brand new token and add the new token to Google Authenticator, as described in the instructions above. (Before or after doing this, you can delete your existing token - both on the LBL Token Management web page and in the Google Authenticator app on your device - to avoid any confusion with the new token.)