Login (SSH and Clifton)¶
Setting your UNIX short name¶
Before you can log in to any of the BriCS facilities you will need to set your UNIX short name. This is a short name that is unique to you and is used to identify you on the system. Make sure you have set your UNIX short name by following the instructions in the guide.
Generating your SSH key pair¶
The first step is to make sure you have an SSH key pair. This is used to authenticate you when you try to log into any of the centre's supercomputers using SSH.
Supported SSH key types
We only support modern SSH keys (i.e. RSA keys of 3072 bits or more,
or Ed25519, or any other modern, post-2014 key type). We do not support
DSA keys, or RSA keys of less than 3072 bits. Any key generated using
a modern version of ssh-keygen should be fine, e.g. the private key must
contain -----BEGIN OPENSSH PRIVATE KEY-----
If you already have a key pair then feel free to use it.
But if you don't have an SSH key then you can generate one using ssh-keygen.
Instructions on how to do this can be found, for example, at GitHub's documentation on generating an SSH key.
Setting up an ssh-agent (as described in that previous link) is not a requirement, but we recommend it.
Connecting using clifton¶
To connect to one of the BriCS facilities using SSH you will need to use signed SSH certificates. We provide a command line tool called Clifton for obtaining SSH certificates and configuring your SSH client to use these. The certificates are valid for 12 hours.
Install¶
The latest release of Clifton is available at GitHub but we describe below automatic ways to install it. To install Clifton choose your operating system from the tabs below:
Download the binary of Clifton using curl:
curl -L https://github.com/isambard-sc/clifton/releases/latest/download/clifton-macos-aarch64 -o clifton
chmod u+x clifton
curl -L https://github.com/isambard-sc/clifton/releases/latest/download/clifton-macos-x86_64 -o clifton
chmod u+x clifton
If you want it accessible from any directory on your computer, you can place the binary in /usr/local/bin with:
sudo mv clifton /usr/local/bin/
If you don't, you will need to specify the path to the executable when running it.
So instead of clifton auth as described below you would run e.g. ./clifton auth or ~/clifton auth.
To update Clifton, run those same commands again.
Allowing Clifton to run on macOS
If you download the Clifton through your web browser rather than with curl, you may be presented with a macOS warning dialog when trying to run the executable, e.g.
"clifton" can't be opened because Apple cannot check it for malicious software.
If this occurs you will have to go into "System Settings > Privacy & Security" and allow use of the clifton executable (see Open a Mac app from an unidentified developer from the macOS documentation).
Note that you will need to have admin privileges to change the settings in "Privacy & Security".
curl -L https://github.com/isambard-sc/clifton/releases/latest/download/clifton-linux-musl-x86_64 -o clifton
chmod u+x clifton
curl -L https://github.com/isambard-sc/clifton/releases/latest/download/clifton-linux-musl-aarch64 -o clifton
chmod u+x clifton
If you want it accessible from any directory on your computer, you can place the binary in ~/.local/bin (or any directory on your $PATH you wish) with:
mkdir -p ~/.local/bin
mv clifton ~/.local/bin/
If you don't, you will need to specify the path to the executable when running it.
So instead of clifton auth as described below you would run e.g. ./clifton auth or ~/clifton auth.
To update Clifton, run those same commands again.
Alternatively, a tool like mise can install it for you with mise use -g ubi:isambard-sc/clifton.
Clifton is avilable through WinGet. WinGet is a package installer from Microsoft which is installed by default on most Windows computers.
Open a terminal window (search for "Terminal" or "Powershell" in the search bar at the bottom) and run:
winget install clifton
You will then need to close and reopen the terminal window before you can run any clifton commands.
To update clifton, run winget upgrade clifton.
If WinGet is not avilable then you can download the file manually using
curl.exe -L https://github.com/isambard-sc/clifton/releases/latest/download/clifton-windows-x86_64.exe -o clifton.exe
If you have downloaded Clifton manually, when running it you will need to specify the path.
So instead of clifton auth as described below you would run e.g. ./clifton auth or ~/clifton auth.
Connect¶
To use Clifton to obtain an SSH certificate, run this in a terminal window:
clifton auth
Specify an SSH key for Clifton to use
By default Clifton will look for existing SSH keys in standard locations (e.g. ~/.ssh/id_ed25519).
If the your SSH key is in a non-standard location, you can tell Clifton which key to use to create the certificate by using the --identity option, e.g.
clifton auth --identity /path/to/ssh_key
Missing short name
If you see the error "Something went wrong: User short name is empty." then this means that you have not set your UNIX short name. Please follow the instructions in this guide to set your shortname, then try again.
The auth command will open your browser and direct you to the portal, where you can authorise access to Clifton.
Use the same account to login as you did during the setup stage.
Alternatively, you can scan the QR code on your mobile.
On successful authentication you will see something like the following:
Successfully authenticated as YOUR_EMAIL_ADDRESS (YOUR_SHORT_NAME) and downloaded SSH certificate for projects:
- PROJECT_NAME
Certificate file written to ~/.ssh/id_ed25519-cert.pub
Certificate valid for 11 hours and 59 minutes.
You may now want to run `clifton ssh-config write` to configure your SSH config aliases.
Using the ssh-config write command, Clifton will write a ssh config file ~/.ssh/config_clifton and Include it in your main ssh config ~/.ssh/config:
clifton ssh-config write
You will now be able to login using your project-specific account into a BriCS facility that the project is authorised to access.
Currently, FACILITY would be aip1, 3, or macs3 for Isambard-AI, Isambard 3 Grace and Isambard 3 MACS respectively.
ssh PROJECT_NAME.FACILITY.isambard
Finding the short project name
A list of project short names you are able to connect to is output by the clifton auth command after authenticating.
To find out the names of projects you are able to access at a later time, run
clifton ssh-config
which will display configuration for each of the per-project SSH host names you are able to connect to, each starting with a project name, i.e. <PROJECT>.<FACILITY>.isambard.
SSH Certificates are only valid for 12 Hours
Your signed SSH certificates are only valid for 12 hours. After 12 hours, you will need to rerun clifton auth
Shell timeout
Bash will terminate the session if no input is received within 24 hours. This limit is set to reduce issues with long running shell sessions (e.g. via software such as tmux) on the login node.
Host fingerprints¶
On first login you may be asked to confirm the identity of the remote server. These are the possible fingerprints of the host keys which are displayed:
Remote login server
| Host Key Type | Fingerprint |
|---|---|
| ECDSA | SHA256:U3sr8Uxo1JF/cgfpXRTs/D4E6wk8watGKGHdU9EjsJM |
| ED25519 | SHA256:WT11ouKX6R4Xw81pzLuvfxR0OU5xmf2jBkKESBA8Sfw |
| RSA | SHA256:bkNkrY6OpeBvbkyyKtGe5sAaDj713jIRDMFuHzjXarU |
Isambard-AI Phase 1
| Host Key Type | Fingerprint |
|---|---|
| ECDSA | SHA256:UePsqQ/AaDzDspJF4kxDIK2RS1W/a+T8w++Zb21fEtk |
| ED25519 | SHA256:mIqtQibJXK/Z1UtX66RMz9A/f7qhwF0gk+qb3ZHIlS4 |
| RSA | SHA256:RRRxm5WIRd+rLA3xg0SVwvmvxGgmiB6lGuO6DEEtudk |
Isambard 3
| Host Key Type | Fingerprint |
|---|---|
| ECDSA | SHA256:8kFv9/ywom3dJ2JUZbQEjc8yaRprsFJ2sho6a2sE1/g |
| ED25519 | SHA256:xoWObzEBWd71ZhUFmDxzsVHB1vHX4OexFfkY0m0rnkE |
| RSA | SHA256:o3+orD115AU8QlUhoLjrQBXCh47EeZzMkVfFHOYeW0I |
Isambard 3 MACS
| Host Key Type | Fingerprint |
|---|---|
| ECDSA | SHA256:8kFv9/ywom3dJ2JUZbQEjc8yaRprsFJ2sho6a2sE1/g |
| ED25519 | SHA256:xoWObzEBWd71ZhUFmDxzsVHB1vHX4OexFfkY0m0rnkE |
| RSA | SHA256:o3+orD115AU8QlUhoLjrQBXCh47EeZzMkVfFHOYeW0I |
What's next?¶
Now that you have logged in to a supercomputer, you can start using the services provided by the Bristol Centre for Supercomputing.
Please explore the rest of the documentation to learn more. You can submit your first batch job using slurm, or go through the tutorial to create your own chatbot!