University of California

One-Time Password Service

ShaRCS uses One-Time Password (OTP) authentication to control access to the clusters. This is the only method of authentication supported by ShaRCS, and it must be used for all logins. To obtain an OTP device, you must belong to a project currently supported by ShaRCS. You will be given an OTP device either directly by your PI, or your PI will authorize you to receive one through a courier service from ShaRCS administration.

Generating One Time Passwords Using Hardware (Physical) Devices

You need two pieces of information from ShaRCS to use your CRYPTOCard to log in: your username and your initial CRYPTOCard PIN. You should have received both of these with your CRYPTOCard.

Press the "PASSWORD" button to power on the CRYPTOCard. You will see a "PIN?" prompt. Enter your PIN and press the "ENT" key. You should see 7 digits presented like a phone number; this is your one-time password. It can be used only once, so if an eavesdropper intercepts it, it cannot be used again to gain access to your account.

Connecting to the ShaRCS cluster

To connect to your cluster account, use:

ssh <username>@<login_nodename>

On Mako:

$ ssh someuser@mako.berkeley.edu

Type in your one-time password as it appears on your CRYPTOCard screen (the dash is optional), and press Enter. You are now logged into one of the login nodes of the ShaRCS cluster.

$ Password:

Last login: Fri Apr  2 11:25:16 2010 from 128.3.11.107
-------------------------------------------------------------------------------
N O T I C E   T O    U S E R S ...

On Thresher:

$ ssh someuser@thresher.sdsc.edu

Type in your one-time password as it appears on your CRYPTOCard screen (the dash is optional), and press Enter. You are now logged into one of the login nodes of the ShaRCS cluster.

$ Password:

Last login: Thu Mar 25 17:43:44 2010 from outbound.mako.berkeley.edu
Thresher ShaRCS Login Node
Rocks 5.3 (Rolled Tacos)
Profile built 17:01 26-Jan-2010

Kickstarted 17:12 26-Jan-2010
[someuser@tmgt-10-0 ~]$

A variety of useful packages are stored in the environment modules system which you can access using the module command. This will show you a list of what is available:

$ module avail

This will show you what modules are currently in effect in your environment:

$ module list

More details about using the Modules package are available in the Modules Environment documentation on this site.

At this point, you may begin using the system.

CRYPTOCard Resynchronization Procedure

It is possible for a CRYPTOCard to become unsynchronized with the OTP server. This can cause your generated passwords to fail. Because the passwords are out of sequence, simply generating new ones will not clear up the problem. Instead, you must resynchronize the card with the server by performing these steps:

  • Press MENU on the card until you get the "PIN?" prompt
  • Input your PIN
  • Press ENT (Display says: "Contrast")
  • Press MENU on the card until you get the "ReSync" prompt
  • Press ENT

In your shell, issue the ssh command to a ShaRCS login node:

  • ssh <username>@<login_nodename>
  • The login node will display "Password:"
  • Press the Enter key
  • The login node will display a second response similar to: "Challenge: <nnnnnnn>:"
  • Enter the numeric sequence from the login node response into the CRYPTOCard
  • Press ENT on the CRYPTOCard

Your card should now be resynchronized with the OTP server. Try to log in again. If this does not resolve the problem, contact .
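Why a card falls out of sequence, and why generating more passwords does not fix it, shown as an added example that is not ShaRCS or CRYPTOCard code. It assumes a counter-based token modeled with RFC 4226 HOTP as a stand-in for the card's own algorithm, a hypothetical server look-ahead window of 10, and a simplified resync in which the challenge becomes the new shared counter.

```python
import hashlib
import hmac
import secrets
import struct

LOOKAHEAD = 10  # assumed window size; the real server setting is not on the page

def hotp(key: bytes, counter: int, digits: int = 7) -> str:
    """RFC 4226 HOTP (stand-in algorithm), truncated to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Token:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> str:
        self.counter += 1  # every generated password advances the card
        return hotp(self.key, self.counter - 1)

class Server:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + LOOKAHEAD):
            if hmac.compare_digest(hotp(self.key, c), otp):
                self.counter = c + 1  # consume: this and older codes now fail
                return True
        return False  # a failed attempt does not move the server counter

    def challenge(self) -> int:
        self.counter = secrets.randbelow(10 ** 7)  # simplified resync model
        return self.counter

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample secret
    card, server = Token(key), Server(key)
    first = card.press()
    results = {"login": server.verify(first), "replay": server.verify(first)}
    for _ in range(LOOKAHEAD + 5):  # passwords generated but never submitted
        card.press()
    results["after_drift"] = server.verify(card.press())
    results["just_retry"] = server.verify(card.press())  # still outside window
    card.counter = server.challenge()  # user keys the challenge into the card
    results["after_resync"] = server.verify(card.press())
    return results
```

Each retry after the drift moves the card further ahead while the server stays put, which is why only the resynchronization step restores agreement.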

OTP Documentation Resource

Complete instructions for installing and using the OTP service are available at the Berkeley Lab One Time Password guide. Please refer to that site for any details of the process that are not covered here.

Temporary Software Token Service (Future Availability)

A software token generator will be available for temporary and emergency use in the near future. This will allow you to log in without the use of a physical device. The software token option will only be available for temporary use while users are awaiting the delivery of a new CRYPTOCard, or if a damaged or failed card must be replaced. At this time, only the hardware token option is available.

When the software token option becomes available, we will provide detailed usage procedure documentation on this site. The software token option is scheduled to be activated within a couple of months after the Pilot Project begins full production in Spring 2010.