Connecting to MPCDF Systems
How do I log in to MPCDF machines?
All compute resources at the MPCDF run Linux. Access is provided exclusively via SSH with two-factor authentication (2FA).
To connect from the public internet, you must first log in to a gateway machine and then connect to your target system from there.
The standard command-line client for this is OpenSSH, which is available on Linux, macOS, and Windows. You can use the ssh command to connect, and tools like ssh-keygen and ssh-add to manage your SSH keys.
For convenience, you can create a configuration file at ~/.ssh/config to define host aliases and connection parameters. For more details, see our SSH configuration guide.
What are the SSH gateway machines?
The following gateway machines are available for SSH connections from the internet:
gate1.mpcdf.mpg.de
gate2.mpcdf.mpg.de
These machines provide a small home directory and are intended as jump hosts to the HPC systems.
Please note that the gateway machines are rebooted weekly, so user sessions are not persistent:
gate1: Tuesdays at 3:45 AM (German local time)
gate2: Saturdays at 3:45 AM (German local time)
For more details, including host key fingerprints, please see the gateway machines documentation.
How can I tunnel through the gateway machines?
You can configure an SSH tunnel to connect directly to a target machine through a gateway. The recommended method is ProxyJump (for OpenSSH 7.3 and newer). For older versions, you can use ProxyCommand.
Using the ProxyJump flag:
ssh -J YOUR_USERNAME@gate1.mpcdf.mpg.de YOUR_USERNAME@viper.mpcdf.mpg.de
Using your SSH config file:
You can simplify the connection by adding the following to your ~/.ssh/config file:
Host gate
    Hostname gate1.mpcdf.mpg.de
    User YOUR_USERNAME
    ServerAliveInterval 120
Host viper
    Hostname viper.mpcdf.mpg.de
    User YOUR_USERNAME
    ProxyJump gate
With this configuration, you can connect to Viper by simply running:
ssh viper
How can I avoid repeatedly typing my password?
You can use SSH’s ControlMaster feature to establish a connection once and reuse it for subsequent logins. This is particularly useful when combined with ProxyJump.
The ControlMaster feature is limited to 10 sessions by default.
Here is an example configuration for your ~/.ssh/config file that sets up ControlMaster for the gate and raven hosts:
Host gate
    Hostname gate.mpcdf.mpg.de
    User YOUR_USERNAME
    ServerAliveInterval 120
    ControlMaster auto
    ControlPersist 12h
    ControlPath ~/.ssh/master-%C
Host raven
    # Or use a specific login node such as raven02i.mpcdf.mpg.de
    Hostname raven.mpcdf.mpg.de
    User YOUR_USERNAME
    ControlMaster auto
    ControlPersist 12h
    ControlPath ~/.ssh/master-%C
    # For OpenSSH 7.3 and newer:
    ProxyJump gate
    # For older OpenSSH versions:
    # ProxyCommand ssh -W %h:%p gate
After adding this to your configuration, you can connect to Raven with:
ssh raven
You will only need to enter your password and OTP once. Subsequent connections, including scp and rsync, will reuse the existing connection.
This configuration works on Linux and macOS. For Windows, you can use PuTTY’s “Share SSH connections if possible” feature to achieve a similar result.
How can I connect to HPC systems with Visual Studio Code (VSCode)?
You can connect to our HPC systems using VSCode with the Remote - SSH extension.
To avoid authentication issues and resource limits, we recommend the following configuration:
Set up ControlMaster: Configure an SSH ControlMaster as described above. We recommend connecting to a specific login node (e.g., raven03i or viper03i) rather than the generic hostname.
Install the extension: Install the Remote-SSH extension from the VSCode Marketplace.
Configure VSCode settings: In VSCode, open the settings and disable remote.SSH.useLocalServer and remote.SSH.useExecServer.
Connect: Restart VSCode and connect to your target login node.
Please note that due to the wide variety of user configurations, we cannot provide support for VSCode beyond these instructions.
How do I connect from a Windows machine?
The ProxyJump configuration described above is compatible with the VSCode Remote-SSH extension and the OpenSSH client in PowerShell. However, ControlMaster is not supported on Windows.
For detailed instructions on using PuTTY and WinSCP, please see our step-by-step guides:
What if my connection fails with “Corrupted MAC on input”?
This error can occur on Windows with native OpenSSH clients due to stricter encryption algorithms on our gateway systems. To resolve this, you can specify a different MAC (Message Authentication Code) algorithm.
On the command line:
ssh -m hmac-sha2-256-etm@openssh.com YOUR_USERNAME@gate1.mpcdf.mpg.de
In your ~/.ssh/config file:
Host gate
    Hostname gate1.mpcdf.mpg.de
    User YOUR_USERNAME
    MACs hmac-sha2-256-etm@openssh.com
Is two-factor authentication (2FA) required?
Yes, 2FA is mandatory for all connections. For more information, please see the 2FA FAQ.
Are SSH keys supported for login?
No, SSH key-based login is not supported on the gateway machines or any of the HPC systems.
How can I improve ssh/scp/sftp performance?
To improve single-stream performance for ssh, scp, and sftp, you can use the aes128-ctr cipher.
On the command line:
ssh -c aes128-ctr YOUR_USERNAME@gate1.mpcdf.mpg.de
In your ~/.ssh/config file:
Host gate
    Hostname gate1.mpcdf.mpg.de
    User YOUR_USERNAME
    Ciphers aes128-ctr
What should I do if I see an SSH host key warning?
If you receive a host key warning, it may be due to a recent maintenance operation. We announce host key changes via email and on this documentation page. You can verify the current host keys in the gateway machines documentation.
If you are unsure, please contact the MPCDF helpdesk for assistance.
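The fingerprint comparison behind this check, as an added example that is not part of the MPCDF documentation: it computes the SHA256 fingerprint in the form ssh-keygen -l prints it and compares it with the published value. The keys, the PUBLISHED table and all function names are constructed placeholders; the real fingerprints come from the gateway machines documentation.

```python
import base64
import hashlib
import hmac
import struct


def sha256_fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    # OpenSSH prints the digest as unpadded base64 after "SHA256:".
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_keys(keyscan_text, published):
    """Compare offered keys ("<host> <keytype> <base64>" lines, the
    ssh-keyscan format) with published {keytype: fingerprint} values."""
    results = {}
    for line in keyscan_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # skip blanks, comments and malformed lines
        host, keytype, key_b64 = fields[:3]
        expected = published.get(keytype)
        if expected is None:
            results[(host, keytype)] = "unpublished"  # nothing to compare against
        elif hmac.compare_digest(sha256_fingerprint(key_b64), expected):
            results[(host, keytype)] = "match"
        else:
            results[(host, keytype)] = "MISMATCH"  # do not accept; ask the helpdesk
    return results


def constructed_blob(seed):
    """Syntactically valid ssh-ed25519 blob built from dummy bytes (not a real key)."""
    key = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(blob).decode()


# Constructed sample data: placeholders, not MPCDF's real host keys.
GOOD_KEY, OTHER_KEY = constructed_blob(1), constructed_blob(2)
PUBLISHED = {"ssh-ed25519": sha256_fingerprint(GOOD_KEY)}  # stand-in for the documented value
SCAN_OK = "gate1.mpcdf.mpg.de ssh-ed25519 " + GOOD_KEY
SCAN_BAD = "gate1.mpcdf.mpg.de ssh-ed25519 " + OTHER_KEY

if __name__ == "__main__":
    print(check_host_keys(SCAN_OK, PUBLISHED))
    print(check_host_keys(SCAN_BAD, PUBLISHED))
```

On a real system, pass the output of ssh-keyscan for the gateway as keyscan_text and treat any result other than "match" as a reason to stop and contact the helpdesk.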
How can I run GUI applications on MPCDF systems?
You can run applications with graphical user interfaces (GUIs) on our systems using one of the following methods.
X11 Forwarding
You can forward X11 displays to your local machine via SSH.
To connect with X11 forwarding:
ssh -C -Y YOUR_USERNAME@gate1.mpcdf.mpg.de
Or, add the following to your ~/.ssh/config file:
Host gate
    Hostname gate1.mpcdf.mpg.de
    User YOUR_USERNAME
    Compression yes
    ForwardX11 yes
    ForwardX11Trusted yes
The -C flag enables compression, which can improve performance. While most Linux systems have a built-in X server, macOS and Windows users will need to install one, such as XQuartz (for macOS) or Xming (for Windows).
For graphically intensive applications, we recommend using VNC.
VNC
You can run a persistent VNC server on the login nodes of the HPC systems. This allows you to run GUI applications without X11 forwarding. Alternatively, you can use our web-based remote visualization service to launch VNC sessions on dedicated resources (with a time limit).
Remote Visualization Service
For applications that require hardware-accelerated OpenGL rendering, our web-based remote visualization service provides access to GPUs on select HPC systems.