a. Login and Authentication
Nine times out of ten, slowness at login, starting file transfers, failed SFTP sessions, or slow batch command starts is caused by un-needed module loads in your .bashrc
We do not recommend putting multiple module loads in your .bashrc as each and every new shell you or your jobs create will call those module loads. It is recommended that you put your module loads in your job scripts so that you are not loading un-needed modules and waiting on those module calls to complete before commencing the job. Alternately, you can create a login script or alias containing your frequently used modules that you can run when you need to use them.
Either way, try to keep any module loads in your .bashrc down to a bare minimum, calling only those modules that you absolutely need in each and every login or job.
Additionally, as time goes on modules change or are removed. Please ensure you remove any deprecated modules from your .bashrc or other scripts. For example, the legacy modules no longer exist. So if you have a call to 'module load legacy' and any of the legacy modules, your login will be delayed as the module system searches for and then times out on those non-existent modules.
Having a non-standard default shell will cause problems and does not allow us to set global environmental defaults for everyone. As of Odyssey3 we will no longer change the default shell on any account or support the use of alternate shells as default login shell.
Users who do not have bash as their default login shell will need to change back to bash. Users can, of course, still launch an alternate shell once logged in.
Table of Contents
- 1 a. Login and Authentication
- 1.1 My login is slow or my batch commands are slow
- 1.2 My alternate shell (csh, tcsh, etc.) doesn’t work right
- 1.3 SSH key error, DNS spoofing message
- 1.4 Mac/Linux
- 1.5 Windows/PuTTY
- 1.6 SFTP exits after a few seconds
- 1.7 What happens to my account when I leave/graduate?
- 1.8 How do I request membership in an additional lab group?
- 1.9 Can I use SSH keys to log in without a password?
- 1.10 How do I get a Research Computing account?
- 1.11 Before You Sign Up
- 1.12 The Process
- 1.13 Can I share an account? – Account Security Policies
- 1.14 How do I login to Odyssey?
- 1.15 How do I reset my Research Computing account password?
- 1.16 How do I unlock my locked Research Computing account?
- 1.17 How do I install and launch OpenAuth?
- 1.18 How do I logon to the Research Computing VPN?
- 2 Billing
Whenever nodes are updated (for instance, the May 2018 upgrade to CentOS 7), if there is a significant change to them then the SSH key fingerprint is likely to change. As you've already stored the fingerprint locally, you will receive a key mismatch error like "WARNING: POSSIBLE DNS SPOOFING DETECTED!" and "The RSA host key for login.rc.fas.harvard.edu has changed".
To fix this, you will need to remove the key in question from your computer's local known_hosts file. If you are on a Mac or Linux, you can use the following command from a terminal window on your computer.
ssh-keygen -R login.rc.fas.harvard.edu
If the error was for a specific node, replace 'login.rc.fas.harvard.edu' with the full name of that host.
You can now log into the node and will receive an all new request to store the new SSH key.
The example in the screenshot above assumes that your username on your local machine (jharvard, in this case) matches your Odyssey account username. If this is not the case, you will have to login with your username, explicitly, such as:
Please note that there are several nodes behind the 'login.rc.fas.harvard.edu' hostname, so you may receive more errors like the above. Answering yes will allow you to continue.
Alternately, if you primarily only interact with the Odyssey cluster, you may find it easiest to simply remove the known_hosts file and let it be created from scratch at next login. Mac and Linux users can do so from a terminal on their computer with the following command:
PuTTY may prompt you to update the key in place, or it may require updating a registry entry to correct this. If the latter, you will need to remove the known_hosts from the registry:
- Open ‘regedit.exe’ by doing a search or by pressing the "Windows Key + R" and type "regedit" and hitting enter or try opening C:\Windows\System32\regedt32.exe
HKEY_CURRENT_USER\Software\[your username here]\PuTTY\SshHostKeys
- Remove all keys or find and delete the individual key you need to remove
- Restart your computer, changes won't take effect until after a restart.
When connecting via a SFTP client like Filezilla, if you experience a short delay and then disconnection, this is most likely an issue caused by your .bashrc
During SFTP connections, your .bashrc will be evaluated just as if you were logging in via SSH. If you've added anything to your .bashrc that attempts to echo to the terminal/standard out, this will cause your SFTP client to hang and then disconnect.
You can either remove the statement in your .bashrc that is writing output (an echo statement, a call to an app or module that sends a message to standard out, etc.) -or- you can put the offending statement into an evaluation clause that first checks to see if this is a interactive login, like so:
if [ “$SSH_TTY” ]
echo “SFTP connections won’t evaluate the things inside this clause."
echo "Only real login sessions will.”
Your RC account is only valid while sponsored by an eligible faculty member. Once you leave the university, your account is subject to closure.
In order for a leaving user to continue to keep an open RC account, FAS RC will need a record of the sponsor's direct OK to continue.
If you need to continue access after leaving, please have your PI/sponsor contact us (via our Portal or by emailing firstname.lastname@example.org from their university email account.) Please understand that a forwarded email is not sufficient as this could be easily forged by someone attempting to game the system.
If you have a FAS RC account already and need to request membership in an additional group, you can do so from our Portal.
- Log into the Portal and select 'Odyssey Access' on the left (or click here: https://portal.rc.fas.harvard.edu/request/ )
- Two new links should appear on the left
- My Grants - Shows you all your current grants/memberships
- Add Grants - Lets you request new grants/memberships
- Find the grant you wish to add and select its check box. A window will pop up allowing you to Cancel or Request Selected.
After clicking Request Selected, an approval message will be sent to the group's approver (usually the PI, their lab manager, admin,etc.) Once they approve your request, you will receive a notification via email.
You can check the status of your request by clicking on the My Grants link at any time.
No. Our cluster login relies on two-factor authentication. This makes using key-based authentication impractical.
Before You Sign Up
|Please Note: You may have only one RC account. If you need to add cluster access, membership in a different/additional lab group, change your email address, etc. then please submit a help ticket. Please do not sign up for a second account. This is unnecessary and against our account policies.|
To request an account to access resources operated by Research Computing. (Odyssey Cluster, Storage, Software Downloads, Workstation access, Instrument sign-up, etc.), please proceed to the
PLEASE NOTE: Do not select FACULTY as your job type is you do not have a faculty appointment. If you are a researcher with additional rights (fellowship, PI-like rights, funding, etc.), please select STAFF or POSTDOC. Faculty accounts are intended only for those holding an active Associate Professor or higher appointment.
Once you've submitted the request, the process is:
If You Selected: Internal/Using Harvard Key to verify your information and qualifications:
- The request is on hold while the PI is asked to approve or reject it.
- Once approved, the account is finalized and set up.
- Once finalized, you receive an automated email confirmation with your new account information and instructions for setting the password.
If You Selected: External/Not using Harvard Key to verify your information and qualifications:
- The request goes to RC personnel to check that it is complete and meets affiliation requirements.
- Once approved by RC, an email is sent to your PI to approve/reject the request.
- The request is on hold while the PI is asked to approve or reject it.
- Once approved, we finalize the account on our side (during business hours).
- Once finalized, you receive an automated email confirmation with your new account information and instructions for setting the password..
You can then proceed to set up your OpenAuth token and get connected to Odyssey. The turnaround time is directly related to the PI/Sponsor's approval of the account. External accounts are reviewed by RC staff during business hours and generally vetted and sent on to the PI/Sponsor for approval within one business day
NOTE! If you request "Odyssey Cluster Use" (the ability to run jobs on the cluster), you are required to complete the online Introduction to Odyssey course within 45 days of your account being issued.
The sharing of passwords or login credentials is not allowed under RC and Harvard information security policies. Please bear in mind that this policy also protects the end-user. Sharing credentials removes plausible deniability for the account holder in case of account misuse. Accounts which are in violation of this policy may be disabled or otherwise limited.
If you find that you need to share resources among multiple individuals, please contact us and we will be happy to assist you with finding a safe and secure way to do so.
Step 0: Ensure that you've requested an account, your PI has approved the account request, and that you've received an Account Approved notice from RC.
Step 1: Launch the OpenAuth application. For instructions on how to install and launch OpenAuth please see here.
Step 2: Launch a Terminal application.
Step 3: Using your Terminal application, connect through login.rc.fas.harvard.edu using ssh. If you are running Linux or Mac OSX it is as simple as running:
USERNAME is the name you were assigned when you received your Research Computing account. (Add
-Y if you have an X11 server installed and desire graphics support.) If you are on Windows, download PuTTY or your favorite ssh software and connect to login.rc.fas.harvard.edu.
You will be asked for your Research Computing password and OpenAuth Verification Code upon connecting. The hostname login.rc.fas.harvard.edu is a round-robin to some of our hosts named rclogin##.rc.fas.harvard.edu, so that is what you will see in your shell prompt once connected.
Note: In certain instances you will need to be logged on to the Research Computing VPN to access Odyssey. Please see the VPN setup page for instructions on how to logon to the Research Computing VPN.
For more details on access to the Odyssey cluster see the Access and Login page.
Please click here to reset your Research Computing account password using your email address.
This will send an email to you with a one-time use link to set a new password.
Please note: Your username is not your email address. Your email address is used here only for password resets and to contact you.
Once your account is locked, your account will automatically unlock after 15 minutes.
If your account is 'unavailable' or disabled, you will need to contact us so we can look at why and resolve any pending problems or questions regarding your account. If your account has not been used in a very long time (6 months or more), it may be disabled as a security caution.
If you do not yet have an account, see: How do I get a Research Computing account?
Setting Up Your OpenAuth Token
- Visit https://software.rc.fas.harvard.edu/oa to start setup of OpenAuth.
- A login box will appear. Log in with your FAS RC username and password (your username is not your email address or Harvard Key, it is the short username you initially set up when requesting an account. Example: jsmith )
- After logging in, allow a few seconds as the site generates your token.
- A page will be displayed outlining next steps
- Await an email. This email will contain a link to your personalized token. You can download the Java applet or use the QR code on that page to add your RC token in Google Authenticator or Duo Mobile
Since the site uses email verification to authenticate you, you must also have a valid account and email address on record with Research Computing. All OpenAuth tokens are software-based, and you will choose whether to use a smart phone or java desktop app to generate your verification codes. Java 1.6 or higher is required for the desktop app.
You will need to use OpenAuth when accessing the Research Computing VPN and logging into the FAS RC cluster.