Skip to content

Login (SSH and Clifton)

Account Creation

You will not be able to connect to the BriCS facilities using SSH until your account has been created. Account creation can take up to one business day after setting your UNIX username.

Generating your SSH key pair

The first step is to make sure you have an SSH key pair. This is used to authenticate you when you try to log into any of the centre's supercomputers using SSH.

Supported SSH key types

We only support modern SSH keys (i.e. RSA keys of 3072 bits or more, or Ed25519, or any other modern, post-2014 key type). We do not support DSA keys, or RSA keys of less than 3072 bits. Any key generated using a modern version of ssh-keygen should be fine, e.g. the private key must contain -----BEGIN OPENSSH PRIVATE KEY-----

If you already have a key pair then feel free to use it. But if you don't have an SSH key then you can generate one using ssh-keygen. Instructions on how to do this can be found, for example, at GitHub's documentation on generating an SSH key.

Setting up an ssh-agent (as described in that previous link) is not a requirement, but we recommend it.

Connecting using clifton

To connect to one of the BriCS facilities using SSH you will need to use signed SSH certificates. We provide a command line tool called Clifton for obtaining SSH certificates and configuring your SSH client to use these. The certificates are valid for 12 hours.

First check the latest release of Clifton for the name of the executable for your platform, e.g. to download the executable for Apple Silicon (Arm) Macs (clifton-macos-aarch64) from the command line using curl:

curl -L https://github.com/isambard-sc/clifton/releases/latest/download/clifton-macos-aarch64 -o clifton

curl -L https://github.com/isambard-sc/clifton/releases/download/0.2.0/clifton-linux-aarch64 -o clifton

curl -L https://github.com/isambard-sc/clifton/releases/download/0.2.0/clifton-linux-x86_64 -o clifton

You can also download the executable for the latest release of Clifton through your web browser.

Make Clifton executable

On Linux and macOS, you will have to use chmod u+x clifton to make clifton executable.

Allowing Clifton to run on macOS

If you download the Clifton through your web browser, you may be presented with a macOS warning dialog when trying to run the executable, e.g.

"clifton-macos-aarch64" can't be opened because Apple cannot check it for malicious software.

If this occurs you will have to go into "System Settings > Privacy & Security" and allow use of the clifton executable (see Open a Mac app from an unidentified developer from the macOS documentation). Note that you will need to have admin privileges to change the settings in "Privacy & Security".

To use Clifton to obtain an SSH certificate:

./clifton auth

Specify an SSH key for Clifton to use

By default Clifton will look for existing SSH keys in standard locations (e.g. ~/.ssh/id_ed25519). If the your SSH key is in a non-standard location, you can tell Clifton which key to use to create the certificate by using the --identity option, e.g.

./clifton auth --identity /path/to/ssh_key

The auth command will open your browser and direct you to the portal, where you can authorise access to Clifton. Use the same account to login as you did during the setup stage. Alternatively, you can scan the QR code on your mobile. On successful authentication you will see something like the following:

Successfully authenticated as YOUR_EMAIL_ADDRESS (YOUR_SHORT_NAME) and downloaded SSH certificate for projects:
 - PROJECT_NAME

Certificate file written to ~/.ssh/id_ed25519-cert.pub
Certificate valid for 11 hours and 59 minutes.
You may now want to run `clifton ssh-config write` to configure your SSH config aliases.

Using the ssh-config write command, Clifton will write a ssh config file ~/.ssh/config_clifton and Include it in your main ssh config ~/.ssh/config:

./clifton ssh-config write

You will now be able to login using your project-specific account into a BriCS facility that the project is authorised to access. Currently, FACILITY would be aip1, 3, or macs3 for Isambard-AI, Isambard 3 Grace and Isambard 3 MACS respectively.

ssh PROJECT_NAME.FACILITY.isambard

Finding the short project name

A list of project short names you are able to connect to is output by the clifton auth command after authenticating.

To find out the names of projects you are able to access at a later time, run

clifton ssh-config

which will display configuration for each of the per-project SSH host names you are able to connect to, each starting with a project name, i.e. <PROJECT>.<FACILITY>.isambard.

SSH Certificates are only valid for 12 Hours

Your signed SSH certificates are only valid for 12 hours. After 12 hours, you will need to rerun ./clifton auth

What's next?

Now that you have logged in to a supercomputer, you can start using the services provided by the Bristol Centre for Supercomputing.

Please explore the rest of the documentation to learn more. You can submit your first batch job using slurm, or go through the tutorial to create your own chatbot!