How to login
How to login to JASMIN
The instructions below cover the process of logging in using a terminal client only. For a graphical linux desktop, please see alternative instructions using NoMachine NX.
In order to log in using SSH, you need to present your SSH private key as your credential (instead of a username and password). Your private key should reside only on your local machine, so this process of loading your key is something that you do on that local machine. Even if you connect via a departmental server, there should be no need to upload your private key to that machine: the process of loading your key and enabling agent forwarding should ensure that the key is available to subsequent host(s) in the chain of SSH “hops”.
The details of how to do this can vary depending on whether your local machine runs Windows, macOS or Linux.
Whichever system you’re using, you will need to use an appropriate tool to load your private key so that it can be presented at the time of logging in.
Linux and macOS users: ssh-agent
can be used (see instructions below).
Windows users: we recommend the MobAgent utility within MobaXterm. MobaXterm is a Linux terminal emulator for Windows.
ssh-agent
is a utility that stores private keys and makes them available to
other software that use the SSH protocol to connect to remote clients.
There are two stages to loading your private key into ssh-agent
: starting
the agent and then loading your private key. Use the following commands to do
this:
IMPORTANT: The box below is an example of what your command line prompt might look like.
The username and computer name on the left indicates which machine you are currently on. Everything to the right of the dollar symbol ‘$’ is the command which you are entering into the terminal.
You don’t need to type the ‘$’ or anything before it!
The rest of the documentation will use this format to show whether you should
run the command on your local machine (user@localhost
) or on JASMIN (user@sci1
).
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa_jasmin
Enter passphrase for /home/users/jpax/.ssh/id_rsa_jasmin:
Identity added: /home/users/jpax/.ssh/id_rsa_jasmin (/home/users/jpax/.ssh/id_rsa_jasmin)
When you run the ssh-add
command you will be prompted to enter the
passphrase that you specified when generating your SSH key pair. (If you use
the c shell, replace the command eval $(ssh-agent -s)
with exec ssh-agent $SHELL
)
You can test whether your key has been loaded by using the “-l” option to list the currently loaded keys in your agent:
ssh-add -l
2048 SHA256:iqX3NkPCpschVdqPxVde/ujap2cM0mYaAYYedzBGPaI /Users/jpax/.ssh/id_rsa_jasmin (RSA)
This confirms that the key in id_rsa_jasmin
has been loaded and is ready for
use.
Notes:
ssh-agent
session should persist until killed or until system shutdown, even if you close the terminal in which you set it up.Mac users (OS X Leopard onwards) can optionally benefit from linking the SSH
key to Keychain, which securely stores the passphrase as well. This means that
even after a reboot, your SSH key is always available in any terminal session
automatically. You can do this by running ssh-add
with --apple-use-keychain
:
ssh-add ~/.ssh/id_rsa_jasmin --apple-use-keychain
And then by adding the corresponding command with --apple-load-keychain
to your .zshrc
file so
that it loads it for every new terminal session:
echo "ssh-add --apple-load-keychain" >> ~/.zshrc
See this article for a description and listing of the login servers.
Assuming that you have loaded your SSH private key using one of the methods described above, then you can login to a login server as follows (do this on your own/local machine):
ssh -A <user_id>@<login_server>
For example, user “jpax” might login to the JASMIN login server with:
ssh -A jpax@login1.jasmin.ac.uk
The -A
argument is important because it enables “agent-forwarding”.
This means that your the information about your SSH private key is forwarded
to your remote session on the login server so that you can use it for further
SSH connections. (Windows users can
enable X-forwarding in
MobaXterm
saved
sessions).
When you first login you will see a message that provides some useful information (see Figure 1).
Some applications involve displaying graphical output from an application or user interface running on a remote server,
typically to display or interact with data graphically. You can instruct
your SSH connection to enable forwarding of X-server capability by adding the
-X
argument to the ssh
command, as follows:
ssh -X <user>@<hostname>
Note that the -X
argument can be used in conjunction with the agent-forwarding
-A
argument. In some cases the -Y
option may be needed instead of
-X
.
Please note that this arrangement sends your graphical output back to your desktop machine over the network, so should only be used within JASMIN, not to your local desktop machine. A solution has been put in place for a graphical linux desktop environment within JASMIN using NoMachine NX, removing the need to send X11 graphics over the wide-area network. You are strongly advised to use NX for any situation which involves graphical output on JASMIN. Using X11 graphics over the wide-area network outside of JASMIN is not supported: you will not get good performance and this makes inefficient use of shared resources which can impair performance for other users. Please use NX instead. Of course, you may still need to use X11 graphics to send graphical output back to your JASMIN-side graphical desktop within JASMIN, but this is OK as it is all within the JASMIN network.
Having been through all the steps and logged in to JASMIN (well done!) you
will be keen to do some real work. You could try the
general purpose
scientific analysis servers to get started. Use
the list presented on the login screen to select a sci
server which is not
under heavy usage.
For example, from the JASMIN login server, you might choose to login to
sci1
:
ssh <user>@sci1.jasmin.ac.uk
If you are asked for a password when trying to login to this second machine,
it indicates that your ssh key is not being forwarded. Please check that you
have used the -A
option in your initial connection to the login server, or
set up agent forwarding permanently in your SSH client configuration on your
local machine.
There is no point in trying to enter a password (or even the passphrase associated with your key) as only an ssh key presented in the way described above is accepted.
Note that once you are logged into a login server then you can omit the
<user_id>@
prefix before the server name for the onward connection, since
your username will be the same on both systems. But there is no harm in
including it anyway, to ensure that you connect as the correct user. As shown
above, the -A
option is not needed for the onward connection, although there
is no harm in including it.
Remember to log out of the login server in addition to the sci server when you have finished your work, to get back to your own (local) machine:
exit
logout
Connection to sci1.jasmin.ac.uk closed.
exit
logout
Connection to login1.jasmin.ac.uk closed.
# back on your own/local machine now