All users should have received their login credentials in an email. If you have not, please email the Virtual Research Support Core at scinet_vrsc@USDA.GOV.
If you have not recieved a LincPass or YubiKey, please see the Deprecated Login Procedures page for instructions to access the HPC.
Before accessing various SCINet resources, new users need to ssh either to Ceres or Atlas cluster and change the temporary password. Note that home directories on Atlas are not created right away, so it is recommended to wait a day after receiving email with the credentials before logging to Atlas cluster.
A video demonstration for changing your password can be found here. Please keep in mind that due to the recent password requirement change, the video is out of date. It will list more password requirements than necessary. The current requirements are found below:
- AT LEAST 14 characters long
- Your last 24 passwords cannot be reused.
Creating a Config File
It is recommended to create a config file on your computer. You may do so using Notepad. The file you create must be titled “config” with no extension for this method to work properly (i.e. “config” not “config.txt”). This will send a “keepalive” signal every 20 seconds and keep retrying for up to 30 failures. Note: Do not copy the code into the terminal itself, it must be in a separate file.
Create a ~/.ssh/config file replacing USER.NAME with your actual username, all in lowercase. The path to the .ssh file is as follows: C>Users>(Your Account)>.ssh
Note: If you are using a Mac, the .ssh file may be hidden to you. To reveal the hidden files, you will press and hold CMD+SHIFT+. (Period Key) when choosing a location to save your file. The .ssh file will now be visible for you to save the config file.
Host ceres-login HostName ceres.scinet.usda.gov User USER.NAME TCPKeepAlive yes ServerAliveInterval 20 ServerAliveCountMax 30 Host atlas-login HostName atlas-login.hpc.msstate.edu User USER.NAME TCPKeepAlive yes ServerAliveInterval 20 ServerAliveCountMax 30
If you don’t want to use the config file method above, add the following title to the ssh command replacing USER.NAME with your actual username, all in lowercase.
ssh -o TCPKeepAlive=yes -o ServerAliveInterval=20 -o ServerAliveCountMax=30 USER.NAME@ceres.scinet.usda.gov
ssh -o TCPKeepAlive=yes -o ServerAliveInterval=20 -o ServerAliveCountMax=30 USER.NAME@atlas-login.hpc.msstate.edu
Step-Based Access Via SSH
If you previously manually created a ssh host key, you may need to delete it as the hosts will now have a new signed key.
Delete your .ssh/known_hosts file OR run:
ssh-keygen -R ceres.scinet.usda.gov
This process will remain the same for all GUI services.
- OpenSSH needs to be installed. This is standard on recent Windows 10 and 11, MacOS, and Linux installs. However your local admin may have removed it or restricted access to it. Check by running “ssh” in a PowerShell or terminal window. You should get Usage instrctions.
- ssh-agent needs to to running as a system service.
- For Linux and MacOS this is probably already running.
- For Windows this has to be enabled by an administator, it is not on by default even if openssh is installed. To enable it an administor must:
# By default the ssh-agent service is disabled. Configure it to start automatically. # Make sure you're running as an Administrator. Get-Service ssh-agent | Set-Service -StartupType Automatic # Start the service Start-Service ssh-agent # This should return a status of Running Get-Service ssh-agent
Step needs to be installed on your machine.
- If you are on a USDA controlled Windows laptop or workstation, again this will need to be performed by CEC. They should be aware of the process.
- If you do need to perform the installation yourself, see: https://smallstep.com/docs/step-cli/installation/.
- For windows we recommend the winget installer, we’ve had the best lusk with that. Again, please be aware that you will only be able to complete the installation yourself if you have admin rights (i.e. you will have admin rights on your home machine rather than an USDA controlled machine.)
- For MacOS the instrcutions are more straightforward and can be done by the user without admin access.
- Linux will require root/sudo if you want to use the system packager rpm,deb,pacman. But can be done in userspace it you just download the binary directly.
After Step Installation:
- Open a Terminal, CMD shell, or PowerShell window and run the following:
step ca bootstrap --ca-url https://step-ca.scinet.usda.gov --fingerprint adb703fd18f176937743b20228d52af7a705d63a0471cd67428660be5fd006bf
step ssh config --set Provisioner=keycloak --set User=scinetuser.name
- If the step config command fails ssh-agent probably isnt running. See instructions above.
These commands will do the following:
- Gets the initial cert from the certificate authority.
- Sets up your ssh profile to simplify future logins
These commands only need to be done once. The second command updates your .ssh/config file. If you already have a complicated structure in there you may wish to review it. The changes are fine for most, but particularly if you already have ceres entries in yours there could be conflicts.
- Please note, if you are using a YubiKey, please see the Yubikey login instructions
Each morning on your first attempt to ssh to Ceres with
ssh email@example.com, (changing user.name to your own SCINet username) you will see something like this:
- Your default web browser should open automatically to the SCINet authentication page. Choose USDA LincPass as your sign-in option.
- You will then go through a typical eAuth based login. You will select your applicable option (either USDA or Non-USDA), select login with your PIV/CAC and enter your pin. See the images below for an example.
- Now go through your usual eAuth based login.
- Please Note: There could be complications here if its your first time using eAuth.
- Go back to your shell and you should see something like “CA: https://step-ca.scinet.usda.gov” followed by your regular login.
After these steps, command line ssh works normally. The only different is that it will not prompt you for a password for the day (16 hours). Note: With the below examples, you will swap user.name for your own SCINet username.
ssh firstname.lastname@example.org scp file1 file2 email@example.com:~
Notes and Limitations
- If you use multiple profiles in Chrome, step will open a new window in whichever profile was used last. If you end up in the wrong one just close it, do something in your work profile and rerun the ssh login command.
- Windows users will find most tools other than the built-in windows ssh command line tools no longer work.
- Mac and Linux users may have a bit more luck, but anything beyond command line tools probably won’t work anymore.
- For graphical file transfers globus is still the preferred method and will continue to work.
- After logging in via OIDC you will not have any automatic Kerberos tickets. You will need to kinit if you need them.
If you have any questions or issues, please contact the VRSC at firstname.lastname@example.org.
Accessing GUI Based Services
This process will be the same for all GUI based SCINet Services. Please follow the instructions below. If you have further questions or issues, please email email@example.com.
Accessing Using LincPass
If you are a LincPass holder, you will only select the option of “USDA LincPass” when logging into GUI services such as Open OnDemand, Galaxy, and the SCINet Forum.
After selcting this, you will be automatically directed to login using your usual eAuth based login.
Accessing Using YubiKey
When logging in, you will enter your SCINet credentials (username and password) and click “Sign In”.
You will be directed to a new screen showing your available security keys. You will select “Sign in with Security Key”. The system will then prompt you for a PIN. This is the PIN provided to you with your YubiKiey. If you were not given one, please contact the VRSC by emailing firstname.lastname@example.org.
A pop up will appear asking you if you would like to use your passkey. You will select “Use a different device” in the bottom left corner.
The next pop-up will have three options. You will select “USB security key”.
The final pop up will instruct you to insert your security key and touch it. You will now insert your USB YubiKey (if you haven’t already) and then touch it. This will then automatically log you into the service you were attempting to access.
This step will remain the same for all GUI-based services such as Ceres OpenOnDemand, Galaxy, the SCINet Forum, and others.
If you need assistance with this login process, please email your questions to email@example.com.