How to login to Leonardo supercomputer

Leonardo supercomputer is one of the fastest supercomputers in the world and one of the recent additions in the EuroHPC JU family. Login to Leonardo follows strict requirements to ensure security, safeguarding sensitive information and ensuring the integrity of its operations.

Here are the step-by-step procedures to get started.

  • Registration at CINECA UserDB portal
  • Association your account with an active project
  • Request to access to CINECA HPC cluster
  • Configuration of 2FA and OTP
  • Install and configuration of smallstep client
  • Managing password, 2FA and OTP
  • Solution to an error message WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

1. Registration at CINECA UserDB portal

In order to have access on Leonardo, it is necessary to complete the registration procedure on CINECA UserDB portal

  • Click on the “Create a New User” button and filling in the required fields
  • Uploading an ID card (passport for non-Italian) in the Documents for HPC tab, complete the information about your Institution and check your Personal Data.
  • Your CINECA ID looks like YOUR.NAME_xxxxx [uid: xxxxx], in which xxxxx is a 5-digit string consising of numbers.

2. Association your account with an active project

Send your id account at CINECA to the project leader and ask for an access to an existing project.


3. Request to access to CINECA HPC cluster

  • Once your username has been associated with an active account, you can request access to CINECA HPC clusters.
  • Make sure following info are OK, see the figure below.
    • Personal data
    • Institution
    • HPC DOCs
    • Authorization
  • Clicking the button Submit on your HPC Access page.
  • Wait for several hours …
  • Once approved your request, you will receive two emails
    1. one email with the username
    2. another with the link to a page showing how to
      • configure the two-factor authentication (2FA)
      • configure the OTP

OBS: The link for the configuration of 2FA has a duration of only 24 hours. After its expiration you need to write to superc@cineca.it to get a new valid link.


4. Configuration of 2FA and OTP

Two-factor authentication (2FA) refers to an authentication method in which a user is granted access to the CINECA HPC systems only after successfully presenting two pieces of evidence (or factors).

Verifying your identity, using an independent second factor, prevents other users from logging in with your identity, even if they have the password.

Therefore, the two-factor authentication (2FA) adds a further level of security to the authentication for access to services based on the Identity Provider.

The detailed procedures for the configuration of 2FA and OTP are available HERE.

The last step, once you have successfully inserted the 6-digit code from FreeOPT/Goolge Authentiator, you will get the Recovery codes (shown below). Please save these codes somewhere by downloading, printing or copying in a text file.


5. Install and configuration of the smallstep client

Once the 2FA will be enabled as the only method to authenticate on CINECA clusters, you will need to install and configure on your PC a program that allows you to authenticate via 2FA and to download locally the temporary certificate. The CINECA recommends the smallstep client.

Detailed descriptions are available HERE.

IMPORTANT: users with Ubuntu operating systems (but may happen also for other Linux distributions) should not run the command “sudo apt install step” because this will install a different software that will give errors when following the below instructions.

Below are commands for Linux and Mac users.
Run the command below in your local shell:

step ca bootstrap --ca-url=https://sshproxy.hpc.cineca.it --fingerprint 2ae1543202304d3f434bdc1a2c92eff2cd2b02110206ef06317e70c1c1735ecd
Bash

you will get the following output:

The root certificate has been saved in <path-to>/.step/certs/root_ca.crt.

The authority configuration has been saved in <path-to>/.step/config/defaults.json.
Bash

Run the command below to activate the ssh-agent

eval $(ssh-agent)
Bash

Run the command below to obtain the certificate

step ssh login 'USER@EMAIL' --provisioner cineca-hpc
Bash

This command will report an output on the shell as follows:

This also leads to a webpage on your default web browser.
You should input your cluster credentials (username and password) and then click the button Sign in.

The keycloak page will ask for the OTP code generated by the FreeOTP/Google Authenticator. Once authenticated, you will see a Success message on your browser.

IMPORTANT: The the temporary certificate is valid for 12 hours. If you reboot your computer, the certificate is lost and you need to download a new one launching again the step ssh login … command.

Run the command at the terminal

ssh USERNAME@login.leonardo.cineca.it
Bash

If everything works well, you will now have access to the Leonardo cluster.


6. Managing password, 2FA and OTP

More details about change the password, recover one-time password generator, as well as renew the recovery codes are availalbe HERE.


7. Solution to the error message WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

During the 12-hour window, the temporary certificate generated at Step 5 works if you do not reboot your computer.

  • If you reboot your comptuer, you need to download a new one launching again the step ssh login … command.
  • If you log out the cluster, and want to login again to the CINECA cluster, you might got an error message shown below.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Bash

If this happens, you can find the known_hosts file at the ~/.ssh directory. In this file, you will see three lines containing cineca related information.

Delete these three lines and save the file before you exit.
Run the command below again, you can relogin to the CINECA cluster.

ssh USERNAME@login.leonardo.cineca.it
Bash

Enjoy programming!

Categories: