Skip to main content

Logging in to SCINet

No account? Signup here.

All users should have received their login credentials in an email. If you have not, please email the Virtual Research Support Core at scinet_vrsc@USDA.GOV.

If you have not recieved a LincPass or YubiKey, please see the Deprecated Login Procedures page for instructions to access the HPC.

Before accessing various SCINet resources, new users need to ssh either to Ceres and change the temporary password. Note that home directories on Atlas are not created right away, so it is recommended to wait a day after receiving email with the credentials before logging to Atlas cluster.

A video demonstration for changing your password can be found here. Please keep in mind that due to the recent password requirement change, the video is out of date. It will list more password requirements than necessary. The current requirements are found below:

  1. AT LEAST 14 characters long
  2. Your last 24 passwords cannot be reused.

LincPass Users Please contact your IT Specialist if you need help with installing Step on your USDA controlled machine.

Creating a Config File

It is recommended to create a config file on your computer. You may do so using Notepad. The file you create must be titled “config” with no extension for this method to work properly (i.e. “config” not “config.txt”). This will send a “keepalive” signal every 20 seconds and keep retrying for up to 30 failures. Note: Do not copy the code into the terminal itself, it must be in a separate file.

Create a ~/.ssh/config file replacing USER.NAME with your actual username, all in lowercase. The path to the .ssh file is as follows: C>Users>(Your Account)>.ssh

Note: If you are using a Mac, the .ssh file may be hidden to you. To reveal the hidden files, you will press and hold CMD+SHIFT+. (Period Key) when choosing a location to save your file. The .ssh file will now be visible for you to save the config file.

Host ceres-login
TCPKeepAlive yes
ServerAliveInterval 20
ServerAliveCountMax 30

Host atlas-login
TCPKeepAlive yes
ServerAliveInterval 20
ServerAliveCountMax 30

If you don’t want to use the config file method above, add the following title to the ssh command replacing USER.NAME with your actual username, all in lowercase.

ssh -o TCPKeepAlive=yes -o ServerAliveInterval=20 -o ServerAliveCountMax=30


ssh -o TCPKeepAlive=yes -o ServerAliveInterval=20 -o ServerAliveCountMax=30

Step-Based Access Via SSH

Please Note: If you previously manually created a ssh host key, you may need to delete it as the hosts will now have a new signed key. Delete your .ssh/known_hosts file OR run: ssh-keygen -R This process will remain the same for all GUI services.

Installation Instructions:

  • OpenSSH needs to be installed. This is standard on recent Windows 10 and 11, MacOS, and Linux installs. However your local admin may have removed it or restricted access to it. Check by running “ssh” in a PowerShell or terminal window. You should get Usage instrctions.
  • ssh-agent needs to to running as a system service.
    • For Linux and MacOS this is probably already running so this step can be skipped.
    • For Windows this has to be enabled by an administator, it is not on by default even if openssh is installed. To enable it an administor must:
# Make sure you're running as an Administrator.
Get-Service ssh-agent | Set-Service -StartupType Automatic

# Start the service
Start-Service ssh-agent

# This should return a status of Running
Get-Service ssh-agent

Step needs to be installed on your machine.

  • If you are on a USDA controlled Windows laptop or workstation, you can install SmallStepsCLI directly from the Software Center.
    • If Software Center fails to install SmallStepCLI, please contact your IT Specialist prior to continuing.
  • After installing, you may need to restart your terminal for step to be in your path.
  • If you do need to perform the installation yourself, see:
    • For windows we recommend the winget installer, we’ve had the best lusk with that. Again, please be aware that you will only be able to complete the installation yourself if you have admin rights (i.e. you will have admin rights on your home machine rather than an USDA controlled machine.)
    • For MacOS the instrcutions are more straightforward and can be done by the user without admin access. Please be aware that Homebrew will need to be installed first. There is a link to install this at the link above.
    • Linux will require root/sudo if you want to use the system packager rpm,deb,pacman. But can be done in userspace it you just download the binary directly.

After Step Installation:

  • Open a Terminal, CMD shell, or PowerShell window and run the following: ```
  • step ca bootstrap --ca-url --fingerprint adb703fd18f176937743b20228d52af7a705d63a0471cd67428660be5fd006bf
  • step ssh config --set Provisioner=keycloak --set ```
    • Be sure to change “” to your own SCINet username
    • If the step config command fails, ssh-agent probably isnt running. See instructions above.

These commands will do the following:

  • Gets the initial cert from the certificate authority.
  • Sets up your ssh profile to simplify future logins

These commands only need to be done once. The second command updates your .ssh/config file. If you already have a complicated structure in there you may wish to review it. The changes are fine for most, but particularly if you already have ceres entries in yours there could be conflicts.

Usage Instructions:

  • Please note, if you are using a YubiKey, please see the Yubikey login instructions
  • Each morning on your first attempt to ssh to Ceres with ssh or Atlas with ssh, (changing to your own SCINet username) you will see something like this:

    • Your default web browser should open automatically to the SCINet authentication page. Choose USDA LincPass as your sign-in option. screenshot of Login Screen with Legacy Selection
  • You will then go through a typical eAuth based login. You will select your applicable option (either USDA or Non-USDA), select login with your PIV/CAC and enter your pin. See the images below for an example.

screenshot of usda eauth highlighted screenshot of non-usda eauth highlighted screenshot of piv/cac selection highlighted

  • Now go through your usual eAuth based login.
    • Please Note: There could be complications here if its your first time using eAuth.
  • Go back to your shell and you should see “CA:” followed by your regular login.

screenshot of Login Screen with Legacy Selection

After these steps, command line ssh works normally. The only different is that it will not prompt you for a password for the day (16 hours). Note: With the below examples, you will swap for your own SCINet username.

scp file1 file2 

Access Using Linux and LincPass

Ensure that you have the following prior to continuing:

  • Your card reader must work with your distro
  • Your Lincpass must be detected by your distro
  • The root certs installed properly for your distro which can be found here
  • The Intermediates as well can be found here

To test that everything is functioning properly, you must log into something that requires eAuth, such as your USDA Office 365 account.

Once you have successfully authenticated using eAuth, you will need to install Step following the instructions here

  • A current version can be found here

You will then configure Step according to our instructions above.

Finally, you will test eAuth access to SCINet using ssh, making sure to change “” to your own SCINet username.

Notes and Limitations

  • If you use multiple profiles in Chrome, step will open a new window in whichever profile was used last. If you end up in the wrong one just close it, do something in your work profile and rerun the ssh login command.
  • Windows users will find most tools other than the built-in windows ssh command line tools no longer work.
  • Mac and Linux users may have a bit more luck, but anything beyond command line tools probably won’t work anymore.
  • For graphical file transfers globus is still the preferred method and will continue to work.
  • After logging in via OIDC you will not have any automatic Kerberos tickets. You will need to kinit if you need them.

If you have any questions or issues, please contact the VRSC at

Accessing GUI Based Services

This process will be the same for all GUI based SCINet Services. Please follow the instructions below. If you have further questions or issues, please email

Accessing Using LincPass

If you are a LincPass holder, you will only select the option of “USDA LincPass” when logging into GUI services such as Open OnDemand, Galaxy, and the SCINet Forum.

After selcting this, you will be automatically directed to login using your usual eAuth based login.

Accessing Using YubiKey

  • When logging in, you will enter your SCINet credentials (username and password) and click “Sign In”.

  • You will be directed to a new screen showing your available security keys. You will select “Sign in with Security Key”. The system will then prompt you for a PIN. This is the PIN provided to you with your YubiKiey via email. If you were not given one, please contact the VRSC by emailing

  • A pop up will appear asking you if you would like to use your passkey. You will select “Use a different device” in the bottom left corner.

  • The next pop-up will have three options. You will select “USB security key”.

  • The final pop up will instruct you to insert your security key and touch it. You will now insert your USB YubiKey (if you haven’t already) and then touch it. This will then automatically log you into the service you were attempting to access.

  • This step will remain the same for all GUI-based services such as Ceres OpenOnDemand, Galaxy, the SCINet Forum, and others.

If you need assistance with this login process, please email your questions to