Skip to content

Login

Access to the ImpPhys HPC is provided via SSH through the bastion server linux-bastion-ex.tudelft.nl and for students student-linux.tudelft.nl. If needed, you can tunnel X11 to enable graphical output from the server.

Students must use bastion server student-linux.tudelft.nl

In the examples below students must replace linux-bastion-ex.tudelft.nl with student-linux.tudelft.nl.

Refer to the quickstart guide for the simplest method to log in with SSH.

Using ProxyJump on the Command Line

You can also use the ProxyJump option directly on the command line:

ssh -o ProxyJump=<netid>@linux-bastion-ex.tudelft.nl <netid>@jupiter-imphys.tnw.tudelft.nl

Configuring SSH with a Configuration File

For greater flexibility, add the following configuration to the config file in the .ssh directory of your home folder:

.ssh/config
Host bastion
    HostName linux-bastion-ex.tudelft.nl
    User <netid>
Host jupiter
    HostName jupiter-imphys.tnw.tudelft.nl
    ProxyJump bastion
    User <netid>
Host saturn
    HostName saturn-imphys.tnw.tudelft.nl
    ProxyJump bastion
    User <netid>
Host uranus
    HostName uranus-imphys.tnw.tudelft.nl
    ProxyJump bastion
    User <netid>
Host neptune
    HostName neptune-imphys.tnw.tudelft.nl
    ProxyJump bastion
    User <netid>

With this configuration, you can start a connection with ssh jupiter.

Logging in with an ssh-key

If you are tired of re-entering your password every time you make a connection, it is possible to log in with an ssh key instead. First you must generate an ssh key on your client pc. If you are using Windows open powershell, on unix open a terminal and run: 

ssh-keygen -t ed25519

You can choose all default options, setting a password is optional (but more secure). This generates a public private key pair in your $HOME/.ssh/.

Warning

Treat the private key (not ending with .pub) like a real life key. It is used to authenticate you at the remote location, and thus should not be shared with other users. The public key may be copied to the hosts where you want to authenticate yourself, while the private key should never move.

Next, we may copy over the ssh key to the remote. To copy the ssh key onto the remote in windows powershell, you may use 

type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh <netid>@jupiter "cat >> .ssh/authorized_keys"

Note

The alias jupiter only works if the .ssh/config file is set as shown above.

On most unix system this may be done using

ssh-copy-id <netid>@jupiter

Afterwards, using ssh jupiter should no longer ask for a password.

Note

When you change your password, you also have to generate new ssh keys. If this happens, delete all keys in the $HOME/.ssh directory (both pub and non-pub), and generate new ones as specified above.

Tunneling X11

To tunnel X11 from the server to your computer, add the -X option. This will only work when using ProxyJump.

Apple computers: black background in Xquartz

On some Apple computers, XQuartz may show a inverted background (black). This can be solved by creating the file java.opts in your home directory on the server with the following contents:

java.opts
-Dsun.java2d.xrender=false
-Dsun.java2d.pmoffscreen=false

found here: https://github.com/XQuartz/XQuartz/issues/31

Renew Kerberos ticket

When you log in with your password on the servers, you will automatically receive a Kerberos ticket with a limited validity period of 20 hours. With this ticket, you can access the network storages in /tudelft.net/. Once the ticket expires, further access to these storages is denied.

It is possible to renew this ticket for up to one week. After this period, you need to log out and log in again to get a new ticket. You can automate the renewal process using the following instructions.

  1. create a keytab file /home/<netid>/keytab1 containing your encrypted password. This file will allow non-interactive renewal of your ticket (without typing your password):

    ktutil
addent -password -p <netid>@TUDELFT.NET -k 1 -e aes256-cts-hmac-sha1-96 -f
wkt /home/<netid>/keytab1

    Note: replace <netid> with your actual netid

  2. you can now renew your ticket using the keytab file:

    kinit <netid>@TUDELFT.NET -k -t /home/<netid>/keytab1

  3. you can automate this process by adding a crontab job to renew the ticket every hour:

    crontab -e
"i"
10 * * * * /usr/bin/kinit <netid>@TUDELFT.NET -k -t /home/<netid>/keytab1
"<ESC>"
":wq"

    Note: with crontab -e the vi editor will be opened with your crontab jobs. You can start inserting text (insert-mode) in vi with the letter i. When you are finished you can stop the insert-mode with the Esc key and write and quit with :wq (type the colon followed by wq).

Clearing stored Kerberos keys

If the above method for automatic renewal of the Kerberos ticket is used, it is possible that stale keys are not cleared from the keyring, thus accumulating and filling the limited key storage capacity. This may lead to the following error when running kinit:

kinit: Failed to store credentials: Disk quota exceeded while getting initial credentials

This can be solved by clearing the stored keys:

kdestroy -A
keyctl clear @u
keyctl clear @s

*Note: This also clears any other stored keys, so it may require logging in to other tools again.