Link to the new User Guide https://docs.hpc.cineca.it/index.html
Access to any section of the Cineca HPC requires two-factor authentication (2FA) to be activated for each USER ACCOUNT. This additional security measure verifies user identity by requiring an independent second factor. Even if the correct USER ACCOUNT password is used, 2FA prevents unauthorized access, enhancing the overall security of the system.
This access modality operates seamlessly for users, who continue to utilize standard protocols such as the SSH client. Before connecting to the cluster, users must request an SSH certificate from our Identity Provider (IP) via the smallstep client. Upon making the request, a web page will automatically open in the browser, prompting users to authenticate with our IP by entering a one-time password (OTP). Following successful authentication, the server will issue a time-limited certificate valid for 12 hours. This certificate allows users to connect to CINECA systems via SSH client.
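The 12-hour limit is carried in the certificate's validity fields, so a client can check locally how much lifetime remains before opening a session. The following is an added example, not CINECA's or smallstep's code: it parses the OpenSSH certificate format, and the function names and the sample certificate (constructed, unsigned) are assumptions for illustration.

```python
import base64
import struct
import time

# Public-key fields preceding the serial number, per certificate type
# (field layout as documented in OpenSSH's PROTOCOL.certkeys).
KEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1,   # pk
              "ssh-rsa-cert-v01@openssh.com": 2}       # e, n
KEY_FIELDS.update({"ecdsa-sha2-nistp%d-cert-v01@openssh.com" % bits: 2
                   for bits in (256, 384, 521)})       # curve, point

def _string(buf, off):
    """Read one SSH string (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_validity(cert_line):
    """Return (key_id, valid_after, valid_before) from a *-cert.pub line."""
    blob = base64.b64decode(cert_line.split()[1])
    ctype, off = _string(blob, 0)
    ctype = ctype.decode()
    if ctype not in KEY_FIELDS:
        raise ValueError("unsupported certificate type: " + ctype)
    _, off = _string(blob, off)                  # nonce
    for i in range(KEY_FIELDS[ctype]):
        _, off = _string(blob, off)              # public key material
    off += 8 + 4                                 # serial (uint64) + type (uint32)
    key_id, off = _string(blob, off)
    _, off = _string(blob, off)                  # valid principals
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return key_id.decode(), valid_after, valid_before

def seconds_left(cert_line, now=None):
    """Seconds of validity remaining; 0 if expired or not yet valid."""
    now = time.time() if now is None else now
    _, after, before = cert_validity(cert_line)
    return max(0, int(before - now)) if after <= now < before else 0

def constructed_cert(issued, hours=12):
    """Constructed, unsigned sample (placeholder key, empty signature)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    ctype = b"ssh-ed25519-cert-v01@openssh.com"
    blob = (s(ctype) + s(b"\x00" * 32) + s(b"\x01" * 32)
            + struct.pack(">QI", 1, 1) + s(b"user@example.org") + s(s(b"user"))
            + struct.pack(">QQ", issued, issued + hours * 3600) + s(b"") * 5)
    return ctype.decode() + " " + base64.b64encode(blob).decode() + " constructed"
```

`ssh-keygen -L -f <certificate file>` prints the same validity interval in human-readable form.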
First access
For first-time access and activation of 2FA, follow these steps:
Configure OTP and Password:
- Activate the 2FA set-up from the link you received by email after your account was enabled on our systems.
- Configure OTP (One-Time Password) authentication for your account.
Install and Configure the Smallstep Client:
Access to the systems
Once you have activated 2FA, configured the smallstep client, and obtained the temporary certificate (via the smallstep client with the step command), you can access the CINECA HPC sections in different ways:
Access via Secure Shell (SSH)
SSH is commonly employed for remote access to a machine, allowing users to execute commands (remote console), run programs, and transfer files securely. On Linux and Mac systems, the SSH client is typically pre-installed. However, on Windows systems, users need to download and install an SSH client. Some popular SSH clients for Windows include PowerShell, OpenSSH, PuTTY or Tectia. Connecting with the 2FA procedure does not require you to provide a password.
The access is done via one of the following commands:
ssh <username>@login.marconi.cineca.it
ssh <username>@login.g100.cineca.it
ssh <username>@login.leonardo.cineca.it
You can use option -X to enable X11 display forwarding.
You will log in to our systems with one of the two shells: bash or tcsh. Contact the HPC support (superc@cineca.it) if you want to change your default login shell.
Note
- Login is prevented on systems in which you don't have budget accounts.
- We have identified a potential issue for local PCs running OpenSSH 8.6 (check with the command "ssh -V"). The solution can be found here in our FAQ page.
- If you receive the error message "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" please check the FAQ section.
Remote Connection Manager (RCM)
The remote visualization service at Cineca is provided through the Remote Connection Manager (RCM) application. Using this tool you can graphically inspect your data without moving them to your local workstation. A guideline to connect via RCM is provided here.
Note: Similar to SSH, connecting via the Remote Connection Manager (RCM) does not require a password.
Managing Password
With the new Identity Provider website service, users can now manage their authentication credentials personally. This includes tasks such as resetting passwords, reconfiguring OTPs on smartphones, and generating new recovery authentication codes. Procedures for all cited tasks are reported here.
Access to download or upload data
You can use several protocols or utilities to access our systems to upload or retrieve your data:
- via SCP (Secure Copy) or SFTP (SSH File Transfer Protocol) functions;
- using the RSYNC (remote sync) utility. You can find a dedicated page on how to use rsync efficiently on our systems.
- using GridFTP: a protocol that allows very efficient data transfers among different HPC platforms. A detailed description is reported in a specific document, Globus Online.
Additional details can be found on the dedicated Data transfer page.
Typical Issues
Once the initial 2FA set-up is complete, users can manage authentication-related issues through the Identity Provider Website, from which it is possible to:
Policy for password definition
If you change the password on the portal sso.hpc.cineca.it, it will be automatically changed on all the clusters (the propagation can take up to one hour).
We set new policies for the definition of the password.
They are the following:
- The new password has to be at least 10 characters long and contain at least 1 capital letter, 1 number, and 1 special character (!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~)
- The password has a validity of 3 months. You will receive a reminder 10 days before the expiration when you log in.
- The new password has to be different from the previous 5 ones.
- Any password change will be notified to the user by email.