Logging into Savio

Installing & setting up Google Authenticator | Logging into Savio | Troubleshooting

This document provides instructions on how to log into the Savio high performance computing (HPC) cluster at the University of California, Berkeley.

Unlike most remote computer systems that you may have encountered to date, when logging into the Savio cluster (via SSH), you'll need to enter a password that changes each time you log in. You'll generate this password using a One Time Password (OTP) application named Google Authenticator.

Requiring time-expiring, one-time-use passwords helps protect your work and data from unauthorized access - and potential damage or alteration - by intruders. Moreover, it helps protect the cluster itself from attacks, so that it can remain highly available to the campus community.


IMPORTANT NOTE : Migration from Pledge to Google Authenticator

From July 1, 2016-on, the BRC One Time Password service no longer uses the Pledge application; instead, BRC One Time Passwords are generated using Google Authenticator.


Installing and setting up Google Authenticator on a mobile device

Before you can log into the Savio cluster for the first time, you will need to install and set up Google Authenticator on at least one mobile device: a smartphone or tablet running Android or iOS.

(If you do not have a device capable of running the Google Authenticator app, we recommend using the Authy app.)

1. In the Google Play store or iOS App Store on your smartphone or tablet, search for and install "Google Authenticator".

(Or else, for convenience, click the relevant button below:)

App card for the Google Authenticator application

Google Play store buttoniOS App Store button

2. In your browser, on a second device, such as a laptop or desktop, visit the Non-LBL Token Management web page.

REQUIREMENT: Before accessing this web page, you will need to have already linked one of your personal accounts (University of California, Berkeley [i.e, your CalNet ID], Facebook, or Google) with your BRC HPC Cluster account:

  • If you have already linked your accounts, please skip to Step 3, below.
  • If you have not already linked your accounts, please complete and submit this form. You can expect to receive a linking invitation email from BRC support within 5 to 10 minutes after submitting it. Please follow the instructions in that email to complete the linking process. (If you cannot locate the email, please check your Spam or Junk folder or else contact BRC support.)

3. Click the button for your personal account ("external identity") that you have linked, then follow the onscreen instructions to log in with your credentials for that account.

Token Management website screenshot

4. From the “Token Management” page which appears, create a token by clicking on “Add an HPC Cluster/Linux Workstation token” and following the onscreen instructions. IMPORTANT: Remember the PIN that you are setting on the token.

After you’ve successfully created your new token, a QR code for that token will then be displayed.

5. Back on your smartphone or tablet, from the menu of the Google Authenticator app, select “Add an account” and then “Scan a barcode”.

6. Scan that QR code. (This will store the token in Google Authenticator.)

(Note: If your device does not already have a QR code reader app installed, the Google Authenticator app may first lead you through the process of installing one. Some newer versions of the Google Authenticator app now have a built-in ability to scan QR codes.)

7. Verify that the Google Authenticator app is now generating one-time passwords. (Note: the one-time password will be displayed under the name “Lawrence Berkeley National Laboratory” in that app.)

Logging into Savio

1. Make sure that the Google Authenticator app is running on your smartphone or tablet. (You’ll need to enter a one-time password displayed by this app at step 3, below.)

2. On your laptop, desktop, or other device running a terminal/SSH program, connect to the Savio cluster via SSH; e.g.:

ssh yourusername@hpc.brc.berkeley.edu

(Be sure to substitute your actual Savio cluster username for the placeholder yourusername in the example above.)

3. At the Password: prompt, enter the token PIN, followed immediately, without spaces, by the 6-digit one-time password currently displayed by the Google Authenticator app on your smartphone or tablet; e.g.:

Password: PIN_hereOTP_here

For instance, if your PIN was 9999 (hint: don’t use this example as your own PIN!), and the one time-password currently displayed by Google Authenticator was 123456, you’d enter the following at the Password: prompt:

Password: 9999123456

Troubleshooting

If you've already set up your token but are unable to log into Savio successfully - here's what to try:

1. Make sure you're including the PIN as part of your password

At the Password: prompt, make sure that you're entering your token PIN, followed immediately by the 6-digit one-time password from Google Authenticator. (There should be no spaces or punctuation between the token PIN and the one-time password.)

2. Wait to enter the one-time password until a new one has just been displayed

If the 'countdown clock' indicator in the Google Authenticator app is nearing its end, signifying that the existing password is about to expire, try waiting until a new one-time password has been displayed. Then enter that new password, immediately after your PIN, at the Password: prompt.

3. Check that, in your SSH command or in the configuration for your SSH application, you're using your correct login name (i.e., your Linux user name) on the cluster

In particular, make sure that you're not inadvertently using the name of one of your SLURM scheduler accounts (which typically begin with fc_ for Faculty Computing Allowance users or co_ for Condo partners), in place of your login name.

4. Check that, in your SSH command or in the configuration for your SSH application, you're using the correct hostname for the cluster's front-end/login nodes, hpc.brc.berkeley.edu, or for its Data Transfer Node, dtn.brc.berkeley.edu.

5. Test - and if needed, reset - your token or its PIN

  • Visit the Non-LBL Token Management web page.
  • Log in to this Token Management page.
  • Start by clicking the button for the relevant external account (University of California, Berkeley [i.e., your CalNet ID], Facebook, or Google) that you used when you set up your token, and then follow the onscreen directions.
  • A list of one or more tokens should then be displayed. From this list, find your relevant token: the one that you entered into Google Authenticator on the smartphone or tablet you're currently using. (If you want to check this further, the "TOTP number" that appears in the box for your token, on the Token Management web page, should match the TOTP number in Google Authenticator's window on your device. On some small devices, you might need to press/click and hold on the token's entry to see the TOTP number, and perhaps even pivot the device to landscape mode to read the full number.)
    • If there's only a "Reset" option in your relevant token's box, click that link. Then proceed to the next step, below.
    • If there's a "Test" option in the token's box, click that link, then enter your PIN followed immediately by your Google Authenticator 6-digit one-time password, and click the "Test Now" button.
    • If your test(s) fail, click "Done". Then click the "Reset PIN" link and reset your PIN. (You can even 'reset' it to your current PIN.)
    • Try the "Test" option once again. In the token's box, click the "Test" link, then enter your PIN followed immediately by your Google Authenticator 6-digit one-time password, and click the "Test Now" button.
    • Once you get a successful test of your PIN plus one-time password on this web page, you can try logging into Savio once again and see if you're successful there, as well.

6. Finally, if all else fails, try creating a brand new token and add the new token to Google Authenticator, as described in the instructions above. (Before or after doing this, you can delete your existing token - both on the LBL Token Management web page and in the Google Authenticator app on your device - to avoid any confusion with the new token.)