This document provides instructions on how to log into the Berkeley Research Computing (BRC) high performance computing (HPC) clusters - Savio, Vector, and Cortex - at the University of California, Berkeley.
Unlike most remote computer systems that you may have encountered to date, when logging into the BRC clusters (via SSH), you'll need to enter a password that changes each time you log in. You'll generate (create) these passwords - known as One Time Passwords (OTP) - using the Google Authenticator application on your smartphone or tablet.
Requiring time-expiring, one-time-use passwords helps protect your work and data from unauthorized access - and potential damage or alteration - by intruders. Moreover, it helps protect the cluster itself from attacks, so that it can remain highly available to the campus community.
Setting up your mobile device to generate these one-time passwords, so you can log into the BRC clusters, is fairly straightforward. It typically takes between 10 and 30 minutes, and you only need to do it once. Here's an overview of that process:
- Use an invitation link you've received in email to visit a Token Management website. (If necessary, you can re-send that invitation link to yourself via a brief web form.)
- On that website, log in with one of your personal accounts. You can use your UC Berkeley CalNet ID, or even your Facebook, Google, or LinkedIn account. That will link your account to a BRC cluster account.
- Install the Google Authenticator app on your smartphone or tablet.
- On the Token Management website, follow the instructions to create a new token. This will display a QR code onscreen.
- Using your smartphone or tablet camera, scan the QR code into Google Authenticator.
- Verify that Google Authenticator is now generating one-time passwords.
Below are details on how you'll do this:
Installing and setting up Google Authenticator on a mobile device
Before you can log into the HPC clusters for the first time, you will need to install and set up Google Authenticator on at least one mobile device: a smartphone or tablet running Android or iOS. (If you don't have one of those devices, please complete Step 1 and then see Step 2, below.)
Here's the eight-step process for installing and setting up Google Authenticator:
1. Link one of your personal accounts (University of California, Berkeley [i.e., your CalNet ID], Facebook, Google, or LinkedIn) with your BRC HPC Cluster account. This is typically a one-time process:
- Please check your email for a linking invitation. You'll usually receive one of these soon after your account has been set up.
- If you can't find it, please complete and submit this form, anytime. You can expect to receive the linking invitation email from BRC support within 5 to 10 minutes thereafter.
- Follow the instructions in that email to complete the linking process. (If you cannot locate the email, please check your Spam or Junk folder or else contact BRC support. The email will contain words like "Invitation to link your personal account with BRC HPC Cluster account".)
2. After linking your personal account with your BRC HPC Cluster account, install the Google Authenticator app on your smartphone or tablet running Android or iOS.
(If you do not have a device capable of running the Google Authenticator app, we recommend using the Authy app.)
In the Google Play store or iOS App Store on your smartphone or tablet, search for and install "Google Authenticator".
3. In your browser, on a second device, such as a laptop or desktop, visit the Non-LBL Token Management web page.
4. Click the button for your personal account ("external identity") that you have linked in Step 1, then follow the onscreen instructions to log in with your credentials for that account.
(If, when doing so, you encounter the error message, "Login Error: There was an error logging you in. The account that you logged in with has not been mapped to a system account", please complete Step 1, above, and then return here and retry this step.)
5. From the “Token Management” page which appears, create a token by clicking on “Add an HPC Cluster/Linux Workstation token” and following the onscreen instructions. IMPORTANT: Remember the PIN that you are setting on the token.
After you’ve successfully created your new token, a QR code for that token will then be displayed.
6. Back on your smartphone or tablet, from the menu of the Google Authenticator app, select “Add an account” and then “Scan a barcode”.
7. Scan that QR code. (This will store the token in Google Authenticator.)
(Note: If your device does not already have a QR code reader app installed, the Google Authenticator app may first lead you through the process of installing one. Some newer versions of the Google Authenticator app now have a built-in ability to scan QR codes.)
8. Verify that the Google Authenticator app is now generating one-time passwords. (Note: the one-time password will be displayed under the name “Lawrence Berkeley National Laboratory” in that app.)
Logging into BRC Clusters
1. Make sure that the Google Authenticator app is running on your smartphone or tablet. (You’ll need to enter a one-time password displayed by this app at step 3, below.)
2. On your laptop, desktop, or other device running a terminal/SSH program, connect to the cluster via SSH; e.g.:
(Be sure to substitute your actual username for the placeholder yourusername in the example above.)
3. At the Password: prompt, enter the token PIN, followed immediately, without spaces, by the 6-digit one-time password currently displayed by the Google Authenticator app on your smartphone or tablet; e.g.:
For instance, if your PIN was 9999 (hint: don’t use this example as your own PIN!), and the one-time password currently displayed by Google Authenticator was 123456, you’d enter the following at the
If you've already set up your token but are unable to log in successfully - here's what to try:
1. Make sure you're including the PIN as part of your password
Password: prompt, make sure that you're entering your token PIN, followed immediately by the 6-digit one-time password from Google Authenticator. (There should be no spaces or punctuation between the token PIN and the one-time password.)
2. Wait to enter the one-time password until a new one has just been displayed
If the 'countdown clock' indicator in the Google Authenticator app is nearing its end, signifying that the existing password is about to expire, try waiting until a new one-time password has been displayed. Then enter that new password, immediately after your PIN, at the
3. Check that, in your SSH command or in the configuration for your SSH application, you're using your correct login name (i.e., your Linux user name) on the cluster
In particular, make sure that you're not inadvertently using the name of one of your SLURM scheduler accounts (which typically begin with fc_ for Faculty Computing Allowance users or co_ for Condo partners), in place of your login name.
4. Check that, in your SSH command or in the configuration for your SSH application, you're using the correct hostname for the cluster's front-end/login nodes, hpc.brc.berkeley.edu, or for its Data Transfer Node,
5. Test - and if needed, reset - your token or its PIN
- Visit the Non-LBL Token Management web page.
- Log in to this Token Management page, by clicking the button for the relevant external account (University of California, Berkeley [i.e., your CalNet ID], Facebook, Google, or LinkedIn) that you used when you set up your token, and then following the onscreen directions.
- A list of one or more tokens should then be displayed. From this list, find your relevant token: the one that you entered into Google Authenticator on the smartphone or tablet you're currently using. (If you want to check this further, the "TOTP number" that appears in the box for your token, on the Token Management web page, should match the TOTP number in Google Authenticator's window on your device. On some small devices, you might need to press/click and hold on the token's entry to see the TOTP number, and perhaps even pivot the device to landscape mode to read the full number.)
- If there's only a "Reset" option in your relevant token's box, click that link. Then proceed to the next step, below.
- If there's a "Test" option in the token's box, click that link, then enter your PIN followed immediately by your Google Authenticator 6-digit one-time password, and click the "Test Now" button.
- If your test(s) fail, click "Done". Then click the "Reset PIN" link and reset your PIN. (You can even 'reset' it to your current PIN.)
- Try the "Test" option once again. In the token's box, click the "Test" link, then enter your PIN followed immediately by your Google Authenticator 6-digit one-time password, and click the "Test Now" button.
- Once you get a successful test of your PIN plus one-time password on this web page, you can try logging into the cluster once again and see if you're successful there, as well.
6. Finally, if all else fails, try creating a brand new token and add the new token to Google Authenticator, as described in the instructions above. (Before or after doing this, you can delete your existing token - both on the LBL Token Management web page and in the Google Authenticator app on your device - to avoid any confusion with the new token.)
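To illustrate login step 3 and troubleshooting step 2 above, the following added example (not part of the original BRC instructions, and not BRC's own code) computes a time-based one-time password per RFC 6238, shows how long the displayed code remains valid, and builds the PIN-plus-code string typed at the Password: prompt. It assumes the Google Authenticator defaults of HMAC-SHA1 and a 30-second step; the secret is the published RFC 6238 test key, used here as a constructed sample, and the PIN 9999 is the page's own example.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid (assumed Google Authenticator default)
DIGITS = 6   # the page's 6-digit one-time password

# Constructed sample secret (the published RFC 6238 test key), not a real token.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, now, step=STEP, digits=DIGITS):
    """RFC 6238 code (HMAC-SHA1) for the time step that contains `now`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def seconds_left(now, step=STEP):
    """Seconds until the currently displayed code is replaced."""
    return step - int(now) % step


def should_wait(now, margin=5, step=STEP):
    """True when the code is about to expire and a fresh one is safer to type."""
    return seconds_left(now, step) <= margin


def password_entry(pin, secret_b32, now):
    """What goes in at the Password: prompt: PIN, then the code, no separator."""
    return pin + totp(secret_b32, now)


if __name__ == "__main__":
    now = time.time()
    print("code now:", totp(SAMPLE_SECRET, now), "valid for", seconds_left(now), "s")
    print("wait for the next code:", should_wait(now))
    print("typed at the prompt:", password_entry("9999", SAMPLE_SECRET, now))
```

Because the code depends on the device's clock, a phone whose time has drifted will display codes from a different 30-second step than the one the server expects.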