Introduction: Access, Login and Security

User Access

Persons who do not have an HLRB account need to apply for a project via the usual web form at

http://www.lrz-muenchen.de/services/compute/hlrb/projectproposal/

Questions concerning the usage should be directed to the LRZ HPC support team, preferably via the LRZ trouble ticket system referenced there. A member of our support team will then attend to your needs.


Login and Security

Two mechanisms are provided for logging in to the system; both incorporate security features to prevent appropriation of sensitive information by a third party.

Login with Secure Shell

Access via ssh (Secure Shell) is described in detail in the LRZ Document about ssh.

From the UNIX command line on your own workstation, log in to an LRZ account xxyyyyzz with

ssh -X hlrb2.lrz-muenchen.de -l xxyyyyzz 

Please also bear in mind the following notes:

  • The IP address of your front-end machine must be associated with a valid DNS entry and must be known to us; otherwise your ssh request will not be routed. Additional entries or changes can be submitted via a modification request in the project application form.

  • The LRZ domain name is mandatory when accessing from outside the Munich Scientific Network.

  • The -X option tunnels the X11 protocol through the ssh connection; it may be omitted if no X11 clients are required.

Backup login node

In case of failure of the login node you can also log in to

ssh -X login2.hlrb2.lrz-muenchen.de -l xxyyyyzz

However, this machine is an EM64T-based system and hence binary-incompatible with the Itanium processor used in the Altix. While a development environment is available on that machine, you cannot run any binaries generated there on the Altix! Please use this node only for

  • Editing of files
  • Transfer of datasets
  • Submission and administration of your PBS jobs.

Secure Shell Public Keys

The Secure Shell RSA public key is available via the following link (please add it to ~/.ssh/known_hosts on your own workstation before logging in for the first time):

SSH Public Key
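
One way to script the first-login step above without silently duplicating or contradicting an existing entry (an added example, not LRZ's own tooling). The helper name pin_host_key is hypothetical, the key blob is constructed rather than the real HLRB-II key, and unhashed known_hosts entries are assumed.

```shell
#!/bin/sh
# pin_host_key HOST PUBKEY_FILE KNOWN_HOSTS_FILE   (hypothetical helper)
# Returns 0 if the published key is pinned (already present or just added),
#         2 if a DIFFERENT key of the same type is already recorded for HOST,
#         1 if PUBKEY_FILE holds no "<type> <base64>" line.
pin_host_key() {
    host=$1 pubfile=$2 known=$3
    # First non-comment line of the published key: "<type> <base64> [comment]"
    ktype=$(awk '$1 !~ /^#/ && NF >= 2 { print $1; exit }' "$pubfile")
    kblob=$(awk '$1 !~ /^#/ && NF >= 2 { print $2; exit }' "$pubfile")
    [ -n "$ktype" ] && [ -n "$kblob" ] || return 1
    touch "$known" && chmod 600 "$known"
    state=$(awk -v h="$host" -v t="$ktype" -v b="$kblob" '
        $1 ~ /^[#@|]/ { next }          # skip comments, @markers, hashed names
        {
            n = split($1, names, ",")   # field 1 may list several host names
            for (i = 1; i <= n; i++)
                if (names[i] == h && $2 == t) {
                    if ($3 == b) same = 1; else differ = 1
                }
        }
        END { print (differ ? "conflict" : (same ? "present" : "absent")) }
    ' "$known")
    case $state in
        present)  return 0 ;;
        conflict) echo "refusing: $host already has a different $ktype key in $known" >&2
                  return 2 ;;
        *)        printf '%s %s %s\n' "$host" "$ktype" "$kblob" >> "$known" ;;
    esac
}

# Demo on constructed data in a scratch directory (not the real ~/.ssh).
demo_dir=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTED constructed-example' \
    > "$demo_dir/hlrb2.pub"
pin_host_key hlrb2.lrz-muenchen.de "$demo_dir/hlrb2.pub" "$demo_dir/known_hosts"
cat "$demo_dir/known_hosts"
rm -rf "$demo_dir"
```

A return code of 2 means the locally stored key and the published key disagree; resolve that with the support team before connecting instead of deleting the old entry.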

Login via Grid Services using GSI-SSH

An alternative way of accessing the HLRB-II is to use GSI-SSH, which is a component of the Globus toolkit and provides

  • terminal access to your account
  • a single sign-on environment (no password required to access other machines)
  • easy access to a number of additional functionalities, including secure and parallel file transfer

The prerequisites for using it are

  • a Grid certificate installed on your machine and acknowledged by LRZ, as described on the LRZ Grid Portal. Please note that TUM, LMU, and LRZ members can use the new and easy short-lived credential service (SLCS) of the DFN as an alternative: it allows you to immediately obtain a certificate for Grid usage!
  • a Java installation including JRE or JDK.
  • an installation of the GSI-SSH client on your own workstation, as described on the LRZ Grid Portal.

Changing password or login shell, viewing user account data

The direct use of the passwd and chsh commands to change passwords and login shells respectively has been disabled.

Please use the LRZ ID portal instead:

  1. Log in to the web interface using your account and password
  2. For changing your password, select the entry "Passwort ändern" in the category "Self Services". In the main window, you are then prompted for your old password once, and for the new password (needs to have between 6 and 20 characters) twice. Once you have filled in all three fields, press the button "Passwort ändern" in the main window.
  3. For changing your login shell, select the entry "Login-Shell ändern" in the category "Self Services". For the platform "HLRB", select the new login shell from the drop-down menu and then press the button "LoginShells ändern" in the main window.

The ID portal also offers functionality to view your user account data.


Advanced questions about Login and Security

Why can't I open additional windows after logging in?

There are a number of possible reasons for this:

  1. You forgot to specify the -X switch to ssh when logging in from the remote host.

  2. If you get the error message

    error in locking authority file
    /home/<..>/myaccount/.Xauthority
    

    please check your $HOME filesystem quota (command "quota"). If this command indicates a quota overflow, you need to delete files from your $HOME directory, possibly after archiving them to TSM background tape storage.

How can I access my Subversion (SVN) server?

The hlrb2 firewall permits only ssh connections.

  • If your Subversion server allows access via svn+ssh, you need to add the server's IP address to the list of allowed IPs for your project (use our web form).
  • If the server can only be reached via https, you need to use port forwarding to establish a connection between the Subversion server and hlrb2.
    1. To use port forwarding, issue the following command on the workstation you normally use to ssh into hlrb2.lrz-muenchen.de:
      ssh -l <HLRBLoginName> -R <arbitraryPortNumber>:<svnServer>:443 hlrb2.lrz-muenchen.de
      Example:
      ssh -l h0000xx -R 10443:pmviewer.svn.sourceforge.net:443 hlrb2.lrz-muenchen.de

      You will be prompted for your hlrb-Password.
    2. After a successful login to hlrb2, type:
      svn <svnCommand> https://localhost:<ForwardedPortNumber>/<svnDirectoryPath>
      Examples:
      svn list https://localhost:10443/svnroot/pmviewer
      svn co   https://localhost:10443/svnroot/pmviewer pmviewer

      (You might need to delete the localhost entry from ~/.ssh/known_hosts if ssh complains about the host-key.)

LRZ-specific Configuration 

Moving data from/to the high performance systems

FTP access to the high performance systems from outside is disabled for security reasons. Please use scp (Secure Copy) for encrypted transfer of data between platforms. For example:

scp myfiles.tar.gz <my_user_name>@hlrb2.lrz-muenchen.de:<target_dir>

Interactive and batch jobs

Interactive use of this machine should be restricted to compilation runs and small test jobs. Please do not use the interactive CPU set for production work. There is a strict limit on interactive CPU-time for any given job. Further resource limits for interactive sessions can be determined by entering the command

/usr/bin/ulimit -a

Information about batch job setup and resources can be found on the corresponding LRZ webpage.

X11 protocol: Firewalled

The cluster is protected from certain types of external attacks by a firewall. Among certain other restrictions, direct X11 connections (via xhost or xauth) are prohibited. Please use the -X switch with the ssh login to tunnel the X11 protocol; details are given in the appropriate LRZ document.

Finding files quickly

Sometimes you want to locate a file rather quickly (e.g. a system header file). You can use the locate program for this task: an index of all (or almost all) files is compiled at regular intervals. With the simple command

locate system.h

you will get a quick listing of all system.h files on the machine (at least all files of this name which are accessible to you) present in this index.

Caveat: Only files in the index are listed, and the index may be up to a week old. Also, only files that you can normally see are listed (not files from other users or hidden system files).


Documentation

System Documentation

As is typical for Linux systems, there are (at least) two formats for the system documentation:

Protected Documentation