This document provides instructions on how to log into the Berkeley Research Computing (BRC) high performance computing (HPC) clusters - Savio and Vector - at the University of California, Berkeley.
Unlike most remote computer systems that you may have encountered to date, when logging into the BRC clusters (via SSH), you'll need to enter a password that changes each time you log in. You'll generate (create) these passwords - known as One Time Passwords (OTP) - using the Google Authenticator application on your smartphone or tablet.
Requiring time-expiring, one-time-use passwords helps protect your work and data from unauthorized access - and potential damage or alteration - by intruders. Moreover, it helps protect the cluster itself from attacks, so that it can remain highly available to the campus community.
Setting up one-time password authentication
Setting up your mobile device to generate these one-time passwords, so you can log into the BRC clusters, is fairly straightforward. It typically takes between 10 and 30 minutes, and you only need to do it once. Please follow these instructions.
Logging into BRC Clusters
1. Make sure that the Google Authenticator app is running on your smartphone or tablet. (You’ll need to enter a one-time password displayed by this app at step 3, below.)
2. On your laptop, desktop, or other device running a terminal/SSH program, connect to the cluster via SSH; e.g.:
(Be sure to substitute your actual username for the placeholder
yourusername in the example above.)
3. At the
Password: prompt, enter the token PIN, followed immediately, without spaces, by the 6-digit one-time password currently displayed by the Google Authenticator app on your smartphone or tablet; e.g.:
For instance, if your PIN was
9999 (hint: don’t use this example as your own PIN!), and the one time-password currently displayed by Google Authenticator was
123456, you’d enter the following at the
Please note that no characters will appear on the screen in the password prompt when you enter in the digits.
If you've already set up your token but are unable to log in successfully - here's what to try:
1. Make sure you're including the PIN as part of your password
Password: prompt, make sure that you're entering your token PIN, followed immediately by the 6-digit one-time password from Google Authenticator. (There should be no spaces or punctuation between the token PIN and the one-time password.)
2. Wait to enter the one-time password until a new one has just been displayed
If the 'countdown clock' indicator in the Google Authenticator app is nearing its end, signifying that the existing password is about to expire, try waiting until a new one-time password has been displayed. Then enter that new password, immediately after your PIN, at the
3. Check that, in your SSH command or in the configuration for your SSH application, you're using your correct login name (i.e., your Linux user name) on the cluster
In particular, make sure that you're not inadvertently using the name of one of your SLURM scheduler accounts (which typically begin with
fc_ for Faculty Computing Allowance users or
co_ for Condo partners), in place of your login name.
4. Check that, in your SSH command or in the configuration for your SSH application, you're using the correct hostname for the cluster's front-end/login nodes,
hpc.brc.berkeley.edu, or for its Data Transfer Node,
5. Test - and if needed, reset - your token or its PIN
- Visit the Non-LBL Token Management web page.
- Log in to this Token Management page, by clicking the button for the relevant external account (University of California, Berkeley [i.e., your CalNet ID], Facebook, Google, or LinkedIn) that you used when you set up your token, and then following the onscreen directions.
- A list of one or more tokens should then be displayed. From this list, find your relevant token: the one that you entered into Google Authenticator on the smartphone or tablet you're currently using. (If you want to check this further, the "TOTP number" that appears in the box for your token, on the Token Management web page, should match the TOTP number in Google Authenticator's window on your device. On some small devices, you might need to press/click and hold on the token's entry to see the TOTP number, and perhaps even pivot the device to landscape mode to read the full number.)
- If there's only a "Reset" option in your relevant token's box, click that link. Then proceed to the next step, below.
- If there's a "Test" option in the token's box, click that link, then enter your PIN followed immediately by your Google Authenticator 6-digit one-time password, and click the "Test Now" button.
- If your test(s) fail, click "Done". Then click the "Reset PIN" link and reset your PIN. (You can even 'reset' it to your current PIN.)
- Try the "Test" option once again. In the token's box, click the "Test" link, then enter your PIN followed immediately by your Google Authenticator 6-digit one-time password, and click the "Test Now" button.
- Once you get a successful test of your PIN plus one-time password on this web page, you can try logging into the cluster once again and see if you're successful there, as well.
- If the "Test" option keeps failing, check the time on the device where you are generating the one-time-passwords. Make sure the time on the device is in sync with the network time.
6. Try creating a brand new token and add the new token to Google Authenticator, as described in the instructions above. (Before or after doing this, you can delete your existing token - both on the LBL Token Management web page and in the Google Authenticator app on your device - to avoid any confusion with the new token.)
7. If none of the above tips give you a clue on what is not working, try to SSH to BRC resources from a different IP address i.e from a different computer or laptop. If that works email the IP address from where its not working to BRC support @ email@example.com.