Logging In
On This Page
Setup
Ensure that you are enrolled in Penn’s Two-Step Verification System. If you are familiar with Duo for other Penn systems, you are likely already enrolled.
You *must* be on Penn’s campus or on the Penn GlobalProtect VPN
What do you need to login?
For the Betty supercomputer, we use a two-of-three factor authentication system to keep accounts secure while allowing flexibility for users. You must successfully complete any two of the following methods before you can log in:
- Kerberos (
kinit) – Uses your PennKey and password to verify your identity. - SSH key – Verifies you are logging in from a trusted device with a registered public/private key pair.
- Duo – Adds an extra layer of security with a mobile push notification, text message, or hardware token.
⚠️Security: Login Node Public Keys⚠️
The first time you login, you may receive a message similar to “Host key not found from list of known hosts. Are you sure you want to continue connecting?”. Below are the public keys that may be offered to you, and can be trusted:
| Fingerprint | BITS | Type |
|---|---|---|
| MD5:a7:ee:71:be:a3:cd:85:77:9e:31:a4:2f:04:42:9f:22 SHA256:talnzpFHiLmQR0xFrC8ZaPdQ9LxfDMb/iamK2pbBd7I | 256 | ED25519 |
| MD5:79:b8:22:95:be:15:95:89:7b:87:00:2f:61:bf:22:a1 SHA256:rFIuRhUoQP+YApM/qvY1D/EOmxccqGEcOX9rFcOiO6s | 256 | ECDSA |
| MD5:ea:e8:43:9e:2e:f0:87:6c:5c:ef:5f:92:52:9b:d8:3a SHA256:gQPU5K0JY7/0gTwEmQG9dCF+eCrfqqEXvbDzmVzJZ3c | 3072 | RSA |
If you are presented with something OTHER than one of these keys, PLEASE do not continue connecting, and CONTACT US as soon as possible so that we can investigate what’s going on. Under no circumstances enter your username and password if you haven’t received one of the fingerprints listed above.
Key Changes
If you see an error something like “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!”, verify that the new ‘fingerprint’ being presented is one listed above (most important!), and then you can remove the ‘offending key’ with:
ssh-keygen -f ~/.ssh/known_hosts -R login.betty.parcc.upenn.edu
Then you should be safe to try again.
Setting Up Your Clients
Find your OS and follow the instructions associated with each. Most SSH clients should work with the proper configurations.
All OpenSSH Clients (Linux/macOS/other UNIX/Windows PowerShell or Command Prompt/WSL)
SSH must be told to use GSSAPI authentication for Kerberos authentication to work. For your convenience, you may add the following text to your ~/.ssh/config file to always enable this option when connecting to PARCC systems. For more information about the SSH config file, see the man page ssh_config(5).
Host *.parcc.upenn.edu
#Enable DNS Host Key verification
VerifyHostKeyDNS yes
#Enable GSSAPI Authentication
GSSAPIAuthentication yesLinux
Install the required packages for Kerberos in your Linux environment. Other distributions than those listed below may use different package names.
- Debian and derivatives, including Ubuntu:
krb5-user - Fedora, RHEL, and RHEL derivatives (including Rocky and Alma):
krb5-workstation - OpenSUSE and SLES:
krb5-client
macOS
Your Kerberos packages are already installed, however macOS uses a customized version of Heimdal Kerberos, rather than MIT Kerberos, with different defaults depending on which version of macOS you are using. This can sometimes cause conflicts when another package manager, such as Conda or MacPorts, installs a version of MIT Kerberos whose tools are in your PATH ahead of the macOS default ones.
Ventura (13.x) and Earlier
On macOS Ventura and earlier, the system Heimdal Kerberos uses the Kerberos Credentials Manager (KCM:%{uid}) to store your ticket cache by default. Sufficiently recent versions of MIT Kerberos can be told to use this cache as well for interoperability. If you do not have administrator access on your Mac, you can simply set the KRB5CCNAME environment variable to KCM:<UID>, replacing <UID> with your local UID number. For example, in a Bourne compatible shell such as BASH or ZSH, you can run the following command BEFORE you run kinit:
export KRB5CCNAME="KCM:$(id -u)"For convenience, you can add that command to the appropriate initialization script for your shell. A more permanent fix, for which you may need to consult your LSP, would be to ensure that default_ccache_name is set to KCM:%{uid} in the [libdefaults] section of your /etc/krb5.conf file.
Sequoia (14.x) and Later
Starting with macOS Sequoia, Heimdal Kerberos is now configured to use an “API” cache by default. Recent versions of MIT Kerberos have been updated to support this credential cache but, similarly to above, must be configured to use it by default. Similarly to the above for Ventura and earlier, this can be controlled by setting the KRB5CCNAME environment variable or default_ccache_name parameter in the [libdefaults] section of /etc/krb5.conf to API:. For example, in a Bourne compatible shell such as BASH or ZSH (before running kinit):
export KRB5CCNAME="API:"Windows
A full tutorial on setting up Windows for SSH with PARCC. The abridged instructions for WSL can be seen below.
WSL (Windows Subsystem for Linux)
Please install WSL2 to install Ubuntu as a Windows native environment. WSL has kinit pre-installed. Please see the Microsoft instructions here.
Login
Grab a ticket from Kerberos to login. You will need to request a new ticket every 10 hours. Please follow the Duo prompts that follow. Please remember to use UPPERCASE UPENN.EDU – otherwise it will not work.
kinit <PennKey>@UPENN.EDU
ssh <PennKey>@login.betty.parcc.upenn.eduCongratulations! You should now be logged into Betty!
If you intend to use tmux or similar persistent sessions, please make note of which login node you actually got to. Here is a quick list of their hostnames.
login01.betty.parcc.upenn.edu
login02.betty.parcc.upenn.edu
login03.betty.parcc.upenn.edu✅✅✅ Tips
Conda environments on your local system must be deactivated before kinit can work.
conda deactivate
kinit <PennKey>@UPENN.EDU
ssh <PennKey>@login.betty.parcc.upenn.eduIf you are running into issues with kerberos:
- Kerberos debugging document
- Reach out to PARCC Support
SSH Key
To simplify your login experience we recommend setting up an ssh key to use. If you do not already have one, generate one from you local laptop or workstation with the below command. It is highly recommended to encrypt this key with a passphrase when prompted.
ssh-keygen -t ed25519Once this is generated, you can share it with Betty to use for your next login.
kinit <PennKey>@UPENN.EDU
ssh-copy-id <PennKey>@login.betty.parcc.upenn.eduSSH Multiplexing
Users can take advantage of multiplexing to avoid having to authenticate (entering userid and password) every time one opens an ssh session or use scp, one can sign in once and use the same connection to open new sessions on Betty.
On your local laptop/workstation add the following text to the Host *.parcc.upenn.edu block in your ~/.ssh/config file (see the base config above):
ControlMaster auto
ControlPath ~/.ssh/control:%h:%p:%rThen, start the main connection, for example:
ssh -fNM <PennKey>@login.betty.parcc.upenn.eduNow, in a new window, when you login to Betty, you will no longer need to provide another authentication:
ssh <PennKey>@login.betty.parcc.upenn.eduThe only downside is that simultaneously transferring large files and trying to work on a terminal through the same connection may cause lag in your terminal.