How to Connect to the LPC Cluster

(I just copied this from the CMS website. I'm archiving it here so I don't have to find the page every time I configure a PC to be able to connect to the LPC cluster.)

Connecting to the LPC from a Linux or Mac OSX PC

To connect to the LPC cluster you need to have kerberos and openssh with gss support installed on your system. This is already included in Scientific Linux 4 Mac OSX. In addtion you will need get the krb5.conf file for Fermilab and save it as /etc/krb5.conf .
Also make the following edit to /etc/ssh/ssh_config or ~/.ssh/config on your local machine:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

To connect to the LPC cluster:
Get an addressless and forwardable kerberos ticket for the FNAL.GOV kerberos realm:
/usr/krb5/bin/kinit -n -f user@FNAL.GOV
/usr/kerberos/bin/kinit -A -f user@FNAL.GOV
You will be prompted for your kerberos password in the FNAL.GOV realm.
To verify that you have an addressless and forwardable kerberos ticket:
klist -a -f
Connect to the cluster:


1) To log into the cluster from an SLC machine kinit -A -f user@FNAL.GOV ; ssh -2
2) MAC users who have updated their ssh to a version greater than 3.8 will need to use both the -X and -Y options on the ssh command line:
ssh -X -Y cmslpc
This will enable X11 forwarding.
The versions of ssh that do not work with the round robin queue are the ones that do not support gssapi or do not handle the redirection correctly and break afs authentication. The ones known not to work correctly are:
  • OpenSSH with gssapi support in SL3 breaks afs authentication
  • WRQ Reflection X ssh client (based on OpenSSH 3.6.2 with gssapi) breaks afs authentication
  • Any Fermi OpenSSH before 3.5p1f12 breaks afs authentication.
For these versions the LPC cluster direct access nodes must be used if you would like to access your afs area to edit your public_html directory.
LPC cluster direct access nodes.
Other versions of ssh for Linux or Windows PC's may not work correctly (i.e. AFS authentication error messages at login) with the round robin queue. If accessing the LPC cluster through the queue produces error messages, you can try accessing the LPC cluster through one of the following direct access nodes:
  • ssh (SL4)
  • ssh (SL4)
The direct access nodes are equivalent to other LPC cluster nodes except that they can be accessed directly.
Non-kerberized ssh clients
Any ssh client without kerberos authentication can be used to connect to the LPC cluster. A Cryptocard is used to generate a password in this case.

Connecting to the LPC Cluster from a Windows PC

Connecting to the LPC cluster through the round-robin queue from a Windows PC is known to work with Kerberized PuTTY. Other terminal programs such as WRQ Relection ssh and openssh for Cygwin only work with the direct access nodes (see above). Directions are given below for establishing a connection to the LPC cluster with Kerberized PuTTY. Directions for installing Cygwin/X or Xming, both free X servers for Windows, are also given. These packages are optional since commercial alternatives such as WRQ Reflection and Exceed exist. Also included are directions for using WinSCP and OpenAFS for Windows to access files in your account.

Kerberos and SSH:

A patched version of PuTTY which supports Kerberos authentication for SSH on Windows can be found at Download the MSI installer to your desktop and run it. Putty will be installed in c:/Program Files/Putty. You will also need to download and install MIT Kerberos for Windows. The installer can be found at the MIT Kerberos download page.
To get your Kerberos ticket:
Select Start ->All Programs->Kerberos for Windows->Network Identity Manager
Enter your Kerberos principal, password and FNAL.GOV for the realm and click Login.
To connect to the LPC cluster for the first time with PuTTY:
Double click on the PuTTY icon in the directory where you unzipped the zip file.
In the PuTTY configuration window:
select Session and enter in the HostName field
select Connection->Data and enter your username in the Auto-login username field
select Connection->SSH and select "2 only" for "Preferred SSH protocol version"
select Connection->SSH->X11 and check "Enable X11 forwarding"
select Session and enter LPC in the Saved Sessions field and click Save
double click on LPC in the Saved Sessions list
To connect to the LPC cluster with PuTTY:
Double click the PuTTY icon.
In the PuTTY configuration window:
select Session and double click on LPC in the Saved Sessions list

Kerberos and SFTP:

A version of WinSCP which supports Kerberos authentication for SFTP on Windows can be downloaded from Be sure to download version 4.0.7 as this is compatible with the Putty mentioned above. Use this program to transfer files to and from the LPC cluster. Because the afs authentication does not work correctly, you can only read from your home directory on afs with WinSCP. However, you can read and write from /uscms/home and /uscms_data/d1 with WinSCP.

X servers:

Cygwin/X and Xming are implementations of X11 on the Windows platform. With X11 forwarding enabled in PuTTY and an X server running, programs like Root and emacs can be displayed on the Windows desktop.
To install Cygwin/X follow the download and installation directions from the user's guide.
After installing Cygwin/X copy c:\cygwin\X11R6\bin\startxwin.bat to the desktop. Edit startxwin.bat and remove the line
run xterm -e /usr/bin/bash -l
To start the Xserver double click on startxwin.bat.


Files from your afs home area can be accessed through AFS. The OpenAFS client for Windows allows users to access their files in AFS.
The OpenAFS client for Windows can be downloaded from here.
During the installation enter as the AFS cell. After installation is complete you will be required to reboot to activate the OpenAFS client. After rebooting the OpenAFS client will prompt you to enter your AFS username and password to obtain an AFS ticket. This prompt can be canceled since the AFS ticket can be obtained using aklog.
To get your AFS ticket:
Obtain your Kerberos ticket as described above.
To access AFS files:
Select Start ->All Programs->OpenAFS->Authetication or the padlock icon in the system tray.
In the AFS client window select Drive Letters and click on Add.
Enter the path in AFS that you want to access.
Select Start->My Computer and double click on the newly created drive letter.



PISIKA Copyright © 2009