NOAA-RDHPCS · elisabethpatterson · Sep 30, 2025 · Oct 2, 2025
@@ -39,6 +39,7 @@ brotlipy
 bucketname
 byacc
 cactest
+caja
 calnexfc
 CATN
 CBHN
@@ -101,6 +102,7 @@ Diskspace
 dispositioned
 dispositioning
 dlaps
+DMATE
 dmget
 dmgets
 dmgt
@@ -132,6 +134,7 @@ FFTW
 fgedebug
 fgewf
 fgews
+figwidth
 FILESYS
 fillin
 Finity
@@ -173,9 +176,13 @@ glrcm
 gmeta
 gmtb
 gnmip
+goagent
+gocleansessions
+goclient
 Godlove
 godlovedc
 gomtrans
+goruncommand
 gpfs
 gpshwrf
 gptl
@@ -265,6 +272,7 @@ keybinds
 keyctl
 keyex
 keygen
+killallsessions
 kjet
 lahey
 LAPACK
@@ -410,10 +418,12 @@ nodename
 noder
 nodocs
 nofma
+nolisten
 nompi
 NOPASSWD
 Normshares
 noslurm
+nosnd
 nosofs
 nranks
 NRBRNG
@@ -455,6 +465,7 @@ Paraver
 pathnames
 PBPRNG
 pcluster
+pdsh
 perftools
 peta
 petaflops
@@ -558,6 +569,7 @@ SSLVPN
 stacksize
 Stmp
 strmtrck
+subshell
 superchip
 suspendtime
 swpc
@@ -623,10 +635,12 @@ webform
 wgrib
 wmem
 wrfsatda
+Xauthority
 Xclients
 xclock
 xclocks
 Xfer
+XFIXES
 xhpl
 xinitrc
 xjet

@@ -19,7 +19,7 @@ All connections to the NOAA RDHPCS enclave are done via Secure Shell
    the :ref:`MSU-HPC <MSU-HPC-user-guide>` user guide.
 
 Authentication is via a :ref:`CAC/PIV card<common-access>` or
-:ref:`RSA SecurID token<rsa_instructions>`.
+YubiKey Multi-Factor Authentication.
 
 Internal to the enclave, `X509 certificates
 <https://en.wikipedia.org/wiki/X.509>`__ are used to authenticate
@@ -175,24 +175,6 @@ configure Tectia initially for login using SSH with your CAC.
 #. When prompted, enter your CAC PIN.
 
 
-.. _rsa_instructions:
-
-RSA SSH Login
-=============
-
-RDHPCS users who do not have a CAC, or lack the required hardware or
-software, are welcome to use an RSA login.
-
-.. code-block:: console
-
-    $ ssh RSA-BASTION-HOSTNAME
-
-
-#. Reference the table above for the appropriate RSA Bastion to use.
-#. When prompted, enter your PASSCODE which consists of your
-   PIN+RSA_CODE.  The RSA_CODE is the 6-8 digit code from the RSA fob or
-   RSA app.
-
 
 Selecting a Node
 ================

@@ -211,9 +211,7 @@ exceptions are noted.
 
 Only the High-Performance Filesystems (the scratch filesystems) are
 available, not your /home filesystem. When you are asked for a
-password, provide your RSA Token's PIN + current 6 or 8 digit number
-from your token (a.k.a Passcode).
-
+password, authenticate to the system using YubiKey MFA.
 All RDHPCS systems require an initial login before you can
 access your directories from the DTNs/uDTNs.  This is
 because the directory structure gets set up only on
@@ -238,7 +236,8 @@ firewalls. See :ref:`firewall-modifications` for directions.
 
 DTNs support ssh-based authentication transfer methods, which
 currently include scp, rsync, and sftp. Default
-authentication uses your RSA token.
+authentication uses your NOAA name and password, and YubiKey Multi-Factor
+Authentication.
 
 .. note::
     If you're using WinSCP on Windows, choose SFTP as the protocol rather than SCP.

@@ -590,19 +590,19 @@ Testing Port Tunnels
 Once you have set up port tunneling, it's useful test that the tunnel
 has been established correctly.
 
-To do this, after the port tunnel has been established, try to login
-using the local host and port combination. Please keep in mind you
-will have to use your RSA authentication for this test. You should try
-to connect using the following settings with your ssh client (with
-Windows you could use a client like putty, and with linux/Mac you
-should use ssh):
+To do this, after the port tunnel has been established, try to login using the
+local host and port combination. Please keep in mind you will have to use
+YubiKey Multi-Factor authentication for this test. You should try to connect
+using the following settings with your ssh client (with Windows you could use a
+client like putty, and with linux/Mac you should use ssh):
 
 * Host: localhost (This is literal string, that is, enter the word
   "localhost")
 * Port: Your-assigned-local-port-on-hera-jet (This is the number
   listed as Local Port when you login)
 * User: Your user name
 
-When prompted, enter your PIN + RSA Token as the password. If you're
+When prompted, enter your User Name and Password, and authenticate
+with YubiKey. If you're
 able to login successfully and see your home directory, that confirms
 that your port tunneling is correct.
@@ -65,7 +65,7 @@ Open the `X2Go client` (you can use the desktop icon or use run the
 If you do not have any configured X2Go sessions, the X2Go client will open the
 new session dialog window automatically.
 
-Set the following conferation items, then click :guilabel:`OK`.
+Set the following configuration items, then click :guilabel:`OK`.
 
 :Session name: Name the session configuration something that has meaning to
     you, for example the system name (Gaea, Hera, etc.)
@@ -96,7 +96,8 @@ Open an :ref:`SSH connection <ssh_access>` that will establish the :ref:`SSH
 local forward <ssh-port-tunnels>` to the RDHPCS host.  Once the SSH connection
 is established, open the X2Go client and double click the session in the list
 in the right side bar. When the authentication dialog box appears, ensure your
-user name is correct and enter your :ref:`RSA passcode <rsa_instructions>`.
+user name is correct and enter your username and password, then authenticate
+using YubiKey.
 
 .. image:: /images/x2go_password.png
     :scale: 30%
@@ -122,7 +123,7 @@ X2Go Tips
 ---------
 
 Some users have found that ensuring that only one connection, the first
-connection that estabilshes the SSH port forwards, when starting an X2Go
+connection that establishes the SSH port forwards, when starting an X2Go
 session allows for the best chance of allowing X2Go to launch the desktop
 session.  After the X2Go session is active, you can open additional SSH
 sessions as you desire.
@@ -220,7 +221,7 @@ try the following.
 .. topic:: Bind address already in use
 
     If you get the message ``bind: Address already in use`` on your initial
-    login, this typically indicates wilyou have more than one system session
+    login, this typically indicates that you have more than one system session
     open.  For example, you have multiple Hera sessions open.  Please close all
     sessions and open one new session with your configured port tunnel.
 
@@ -266,8 +267,8 @@ try the following.
          pdsh@hfe03: hfe01: ssh exited with exit code 1
          pdsh@hfe03: hfe03: ssh exited with exit code 1
          pdsh@hfe03: hfe10: ssh exited with exit code 1
-         hfe08:  93232 First.Last         /usr/lib64/nx/../x2/x2goagent -extension XFIXES -nolisten tcp -nolisten tcp -dpi 120 -D -auth /home/Raghu.Reddy/.Xauthority -geometry 800x600 -name X2GO-Raghu.Reddy-56-1511972370_stDMATE_dp32 :56
-         hfe08:  93345 First.Last         /bin/bash /usr/bin/x2goruncommand 56 93232 Raghu.Reddy-56-1511972370_stDMATE_dp32 37673 mate-session nosnd D
+         hfe08:  93232 First.Last         /usr/lib64/nx/../x2/x2goagent -extension XFIXES -nolisten tcp -nolisten tcp -dpi 120 -D -auth /home/First.Last/.Xauthority -geometry 800x600 -name X2GO-First.Last-56-1511972370_stDMATE_dp32 :56
+         hfe08:  93345 First.Last         /bin/bash /usr/bin/x2goruncommand 56 93232 First.Last-56-1511972370_stDMATE_dp32 37673 mate-session nosnd D
          pdsh@hfe03: hfe07: ssh exited with exit code 1
          pdsh@hfe03: hfe06: ssh exited with exit code 1
          pdsh@hfe03: hfe04: ssh exited with exit code 1

@@ -38,7 +38,7 @@ This diagram illustrates the typical process for using Cloud resources.
         :scale: 50%
 
       Your username is your RDHPCS NOAA username.
-      Your password is your RSA PIN plus the 8 digit code from your RSA token.
+      Your password is your NOAA password, with YubiKey MFA.
       When you are logged in, click **Compute**.
 
       .. figure:: /images/cgateway.png
@@ -120,7 +120,8 @@ Parallel Works
 * In addition, there is an archive of Parallel Works `Training Sessions
   <https://sites.google.com/d/1QJ-MHpl1y0IEtzQUnIbjF2hUmMNQUMAo/p/1G8V0Mua9Dy7oUJ_wI36NAd3kMuMcHyGM/edit>`_.
 * To use the ACTIVATE platform, you must have a NOAA user account and password,
-  and a valid :ref:`RSA Token <rsa_instructions>`.
+  and a working YubiKey token.
+  and a working YubiKey token.
 * You can use Parallel Works to access Cloud clusters (assuming you have a
   project allocation on the Cloud platform) or on-prem systems. See
   :ref:`project_request` if you need access to a Cloud project.
@@ -129,8 +130,12 @@ Using ACTIVATE
 --------------
 
 Users access the ACTIVATE platform through the Parallel Works NOAA Portal,
-using the RSA Token authentication method.  On the landing page, enter your
+using the YubiKey authentication method.  On the landing page, enter your
 NOAA user name, and your PIN and SecurID OTP.
+using the YubiKey authentication method.  On the landing page, enter your
+NOAA user name, and your PIN and SecurID OTP.
+
+
 
 Add a workflow to my account
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -720,11 +725,6 @@ login fails, log into the `<account URL
 <https://sso.rdhpcs.noaa.gov/realms/NOAA-RDHPCS/account/>`_ to check
 whether “single sign on” is working.
 
-If you are still experiencing issues with your token, open a
-:ref:`help request <getting_help>` with the title *Please check RSA
-token status.* To expedite troubleshooting, please include the full
-terminal output you received when you tried to use your token and the
-information that you have attempted the “single sign on” login test.
 
 If you continue to experience connection issues, open a :ref:`help
 request <getting_help>`.
@@ -861,56 +861,7 @@ it to your project space and create a symlink as shown below:
   mkdir -p /a/directory/in/your/project/space/pw
   ln -s /a/directory/in/your/project/space/pw $HOME/pw
 
-Authentication Issues
----------------------
-
-Authentication to the PW system can fail for a number of
-reasons.
-
-.. note::
-
-  Remember that userIDs are case sensitive. Most are First.Last, with the first
-  letter capitalized. Use the correct format, or your login will fail.
-
-.. note::
-
-  If you enter an incorrect username or PIN and token value three times during
-  a login attempt, your account will automatically lock for fifteen minutes.
-  This is a fairly common occurrence.
-
-To resync your token:
-
-1. Use ssh to login to one of the hosts such as one of Hera/Niagara/Jet, using
-   your RSA Token. After the host authenticates once, it will ask you wait for
-   the token to change.
-2. Enter your PIN + RSA token again after the token has changed. After a
-   successful login your token will be re-synched and you should be able
-   to proceed.
 
-.. note::
-
-  If you still have issues with your token, open a help
-  request with the subject **Please check RSA token status**. To expedite
-  troubleshooting, include the full terminal output you received when you
-  tried to use your token.
-
-If the RSA token is working and you still cannot login to the PW system, check
-whether your workstation is behind a firewall that is blocking access.
-If you are connected to a VPN, disconnect the VPN and try again. You may also
-experience connection failure if you are trying to access from outside the
-United States. If you continue to experience connection issues, open a help
-request.
-
-.. note::
-
-  Occasionally, a valid user login attempt will receive an
-  **Invalid name or password** error. This can happen when a user token is out of
-  sync with the SSO system. Try logging in to an on-prem HPC system like Niagara
-  or Hera. If the login fails, log into the account URL to check whether “single
-  sign on” is working. If your login still fails, open a cloud help desk case.
-  Send email to rdhpcs.cloud.help@noaa.gov, with Login Error in the Subject. In
-  the case, include the information that you have attempted the “single sign on”
-  login test.
 
 Failed to authenticate agent on remote host for on-prem HPC system login
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -3665,23 +3616,6 @@ What are the Cloud regions supported by Parallel Works?
 :Azure: EastUS and SouthCentralUS. Preferred region is EastUS.
 :GCP: regions are us-central1, and us-east-1. Preferred region is us-central1
 
-How to tunnel back from a compute node to the controller/head node?
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-A case where the users have added their keys to the account
-and can login to the head node and run jobs. However, when
-they start a job on compute node and then try to tunnel back
-to the head node it fails.
-
-Users on the cluster can create an ssh key on the cluster
-that will allow access back to the head node from compute.
-If you want to use a different key name that would work, but
-you might need to configure the ssh client to look for it.
-This works.
-
-.. code-block:: shell
-
-  ssh-keygen -t rsa -f ~/.ssh/id_rsa -N * && cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys*
 
 On Azure, missing /apps fs system or modules not loaded
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^