Login problems?

Having problems connecting to a host on JASMIN? Details of how to login to JASMIN can be found here, but this article may help to diagnose login problems. It provides information for the following issues:

  • Unable to login to a login server e.g. login1.jasmin.ac.uk
  • Can login to login server but can't login to a subsequent server
  • ssh-add command gives error: "Could not open a connection to your authentication agent."
  • Errors when trying to connect with MobaXterm

Unable to login to login server

If you are unable to login to a login server e.g.  login1.jasmin.ac.uk then look carefully at any error messages displayed as this can help diagnose what is wrong:

1) "Connection reset by peer"

This suggests a problem with the configuration of your machine or local network. Connections to JASMIN login servers are allowed from a specific set list of network domains (the domain is the part after the host name e.g. myhost.mylocalnetwork.ac.uk). For this to happen, 2 things need to be in place:

  • the IP address of your machine needs to resolve to a full-qualified host name (so that it can be checked against the list)
  • the domain part of the hostname needs to be on JASMIN's allow list.

Use the tool provided on the JASMIN accounts portal to check that your IP address does indeed resolve:

Visit https://accounts.jasmin.ac.uk/services/reverse_dns_check/ with your browser, or do the following at the command line, on the machine from which you're tying to connect:

curl https://accounts.jasmin.ac.uk/services/reverse_dns_check

See check network details for further information on how to interpret the result from this.

Most institutional networks for UK universities and partner organisations are on our allow list, which is updated on request. However if you are trying to connect from your home broadband, then please be aware that this is not the the preferred route, for security reasons. If you connect from home, please be aware that:

  • The IP address which you are allocated by your internet service provider (ISP) may not resolve to a full hostname
  • That domain name is unlikely to be on the allow list.

One solution is to connect via your VPN to your institution first. This assigns you another IP address belonging to that institution, but you need to repeat the checks above to make sure that address resolves (not all do).

If all else fails, you can use the "contingency route" provide by login2.jasmin.ac.uk (see article for further details), but you will be limited in what you can do / connect to within JASMIN as a result. We prefer all users to connect from their institutional network.

2) "Permission denied"

Here, the most likely cause is that the SSH key which your client is presenting does not match the one in your JASMIN account. This can be for a number of reasons: 

  • You have omitted to specify the username in your SSH connection
    • In this case, you will be attempting to connect with the username you have on your local machine, which may not be the same.
  • You have only recently uploaded your SSH key (it can take 20 to 60 minutes before the key propagates to all the places it needs to on JASMIN). 
    • Try waiting a few minutes before trying again.
  • You don't have your key loaded in your local authentication agent (e.g. ssh-agent).
    • Check that you are following the method suitable for your operating system
      •   The article "How to login" has instructions for linux, mac and windows.
    • Note that connections using NoMachine NX don't require an authentication agent: this can be a good alternative if you're having problems.
  • You have not yet been granted jasmin-login access or your access has expired.
    • To check, go to List my services on the JASMIN accounts portal and check that "Login services: jasmin-login" is listed. If not then you either need to apply for jasmin-login access, or if you have already done this recently you may simply need to wait for it to be approved. Note that if you have applied for access to a group workspace you still need jasmin-login access in order to connect to jasmin machines.

Can login to login server but can't login to a subsequent host

Here, there are 3 main possibilities:

1) You have not set up agent forwarding correctly on your local machine.

This allows your ssh key to be used for logging in from jasmin-login1 to other machines. To check, run the following command on the login server:

$ echo "$SSH_AUTH_SOCK"

This should display something that looks similar to (but not identical to)  "/tmp/ssh-RNjiHr2844/agent.2844". If nothing is displayed then it indicates that agent forwarding is not working. Please read how to login and make sure you are running ssh-agent (or similar), have loaded your private key and are using the -A option on your ssh command for the connection to jasmin-login1. NX users should make sure that the "agent forwarding" option is ticked when setting up a connection profile.

2) Some hosts within JASMIN are restricted to particular (groups of) users.

The "sci" servers (e.g. sci1.jasmin.ac.uk) and "xfer" machines (e.g. xfer1.jasmin.ac.uk) should be available to all with jasmin-login access (see above). However, some other machines are restricted to particular project participants and require special permission to use. For example, the high-performance transfer server hpxfer1.jasmin.ac.uk requires the the hpxfer access role, which can be applied for at the JASMIN accounts portal, as can most roles currently in use.

3) There is a problem with the host you are trying to connect to.

Occasionally there may be problems with the host (machine) which you are trying to connect to. The sci servers (particularly the high-memory host jasmin-sci3) experience very high usage loads and occasionally run out of resources. This may prevent you from logging in. In some circumstances ask you for a password: this is normally a sign that something is wrong with the machine, since passwords are not used for host logins on JASMIN, so there is no point in trying to enter your account password or SSH passphrase at this point. In this case please contact us using the help beacon below.

If you still have problems then please contact us using the help beacon below. It would be helpful if you can include as much of the following information as possible:

  • The IP address and full hostname of the machine you are trying to connect from.
  • The date and time that you tried connecting (to the nearest minute if possible). This will help us to identify any relevant messages in any log files.
  • The exact command you were using
  • Add "-vvv" to your SSH command and send us the the output (please include the SSH command itself)
  • List the SSH keys directory on your local machine. On a linux machine this can be done with the command: "ls -l ~/.ssh"

ssh-add command gives error: "Could not open a connection to your authentication agent."

On some terminal sessions the usual instructions for starting the ssh-agent session and adding the key may give the following error:

$ ssh-add ~/.ssh/id_rsa_jasmin
Could not open a connection to your authentication agent.

If you get this error please try either: 

modifying the method you use to start the ssh-agent, to:

eval $(ssh-agent -s)

or see below if using MobaXterm which now has a better way of loading the SSH key.

Errors when connecting with Mobaxterm

Please follow the instructions for MobaXterm (which include a screen video to show how to load your key into MobAgent).

These instructions have changed with more recent versions of MobaXterm, and replace the need to use the ssh-add command, so please make sure that both the version you are using, and your method, are up to date!

Please note that even if your initial connection to (for example) your university host does not require your JASMIN SSH key, you should still load the key AND enable agent forwarding, for your initial connection to that host, so that the key can be used for the subsequent connection to the JASMIN login host. This actually applies to any connection method, not just MobaXterm.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.