SSH fingerprints (hashes of the public host keys) for our login nodes (all host keys were exchanged in the service window of 26/27 July 2020)


This page is easy to find with the keyword “fingerprint” on our homepage. When you connect to our GBAR/HPC setup for the first time, always check that the fingerprints on this page match the ones your ssh client asks you to confirm. Each server has a unique fingerprint. Also keep in mind that “different names” might cause trouble.

(login.hpc.dtu.dk and login1.hpc.dtu.dk point to the same machine but are “different hostnames”, which creates different entries in your local ~/.ssh/known_hosts file.)

Valid fingerprints after the 26/07/2020 service window:
4096 SHA256:YUSTE2mAA8ObrzhJlEZaVFXdUOP+ax8Ax8e9ObjlDOY thinlinc.gbar.dtu.dk (RSA)
256 SHA256:dgbs90pstBovEJm8kXWkYTmeJNqNWTNheOEPEvZCBCI thinlinc.gbar.dtu.dk (ED25519)
4096 MD5:dc:a6:71:56:e9:b0:0f:31:1f:11:dc:ff:e7:77:81:7b thinlinc.gbar.dtu.dk (RSA)
256 MD5:fe:f3:70:30:a9:f2:f3:e2:c5:7a:cc:b2:8a:5f:31:3c thinlinc.gbar.dtu.dk (ED25519)
4096 SHA256:yPlWh07d1a6YtUNPJRT0NdxYDUXD56ZBMJiS3h/tQmI login.hpc.dtu.dk / login1.hpc.dtu.dk (RSA)
256 SHA256:vfc+kYH+/Vjgk9Ifq1ZsxPm2bOFfC/Z535T7sMSO1ps login.hpc.dtu.dk / login1.hpc.dtu.dk (ED25519)
4096 SHA256:5vnARbg5huPjAKBPxxj779UYp/1312WIEcCOcY6zki4 login2.hpc.dtu.dk (RSA)
256 SHA256:c3YBugAWV8dhOfi07R+kmtk+RRd50tZ5tjm0wFjJmtQ login2.hpc.dtu.dk (ED25519)
4096 SHA256:Tdu8DxECjRCKKGCFaNdUo31/ys62td9YIDkertWQkZU login.gbar.dtu.dk / login1.gbar.dtu.dk (RSA)
256 SHA256:rVEL/26JE4fF0C9U/yZaVc9uXJCf7c5xlErG8hotjgU login.gbar.dtu.dk / login1.gbar.dtu.dk (ED25519)
4096 SHA256:3vb5eJYHs75ATk9oNktHJ5ZY5JoBxd3cuHNYxfzRh9M login2.gbar.dtu.dk (RSA)
256 SHA256:0TWdGR8PUDqnr0QsU5VXNCmUuT8vedL6wPBHF1WXnOk login2.gbar.dtu.dk (ED25519)
4096 SHA256:XimxoGl38Mv0uCDGBYt/WKSA0h+BZNYtqxk7bjxdUPA transfer.gbar.dtu.dk (RSA)
256 SHA256:m1aeLCrLRwt9VTLcjOCJlKceFPnWNK6OW1yRb7Y789E transfer.gbar.dtu.dk (ED25519)

ssh-security-considerations

We have tightened our ssh security a little. To connect to our setup, your ssh client needs to be OpenSSH 7.4 (or compatible) or newer. The newest PuTTY and similar clients also work nicely. Outdated and unsupported Linux distributions, and almost-outdated Linux distributions (like Red Hat 6.x), are not “new” enough to connect to our systems.

Also problematic are ssh clients based on “not really up-to-date” Java-based ssh libraries, which are sometimes hidden within “commercial products” that don’t want to be named on this page. If you encounter such a problem when trying to connect to our systems from within DTU, please open a ticket: support@cc.dtu.dk

ssh-agent forwarding is disabled due to security-considerations.

When using ssh public-key authentication, please use RSA with 4096 bits or the elliptic-curve cryptography based on ed25519. Other “old-fashioned crypto” like DSA and ECDSA will be blocked for public-key authentication at the end of the year 2020.

But… my ssh client is complaining now… How do I get a valid key again?

After this service window you can remove old keys manually, either by editing your

~/.ssh/known_hosts

file and removing the offending lines, or with this command:

ssh-keygen -R <hostname>

So, for example:

ssh-keygen -R login2.gbar.dtu.dk

Then ssh into login2.gbar.dtu.dk again, check the key that is offered against the one at the top of this page, and then confirm the fingerprint/host key.
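One way to do that comparison without reading the strings by eye, as an added example that is not part of the original page: it recomputes the SHA256 and MD5 fingerprints from a `host keytype base64` line (the format of `ssh-keyscan` output and of `~/.ssh/known_hosts`) and compares the SHA256 value with the one published above for login2.gbar.dtu.dk. The function names and the sample key are assumptions made for the example; the sample key is constructed and is not the real host key.

```python
import base64, hashlib, struct

# Published on this page for login2.gbar.dtu.dk (ED25519).
PUBLISHED = {("login2.gbar.dtu.dk", "ssh-ed25519"):
             "SHA256:0TWdGR8PUDqnr0QsU5VXNCmUuT8vedL6wPBHF1WXnOk"}

def fingerprints(blob_b64):
    """Return (SHA256, MD5) fingerprints formatted like `ssh-keygen -l`."""
    blob = base64.b64decode(blob_b64, validate=True)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return ("SHA256:" + sha,
            "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)))

def blob_key_type(blob_b64):
    """The key blob starts with a length-prefixed string naming its type."""
    blob = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def check_line(line, published=PUBLISHED):
    """Check one 'host[,host] keytype base64' line (ssh-keyscan/known_hosts).

    Returns 'match', 'MISMATCH', or 'unlisted' (nothing published to compare).
    """
    hosts, key_type, blob_b64 = line.split()[:3]
    if blob_key_type(blob_b64) != key_type:
        return "MISMATCH"  # label and key material disagree
    sha256, _md5 = fingerprints(blob_b64)
    seen = set()
    for host in hosts.split(","):  # one key may be stored under several names
        expected = published.get((host, key_type))
        seen.add("unlisted" if expected is None
                 else "match" if expected == sha256 else "MISMATCH")
    return next(s for s in ("MISMATCH", "match", "unlisted") if s in seen)

def make_sample_line(host="login2.gbar.dtu.dk"):
    """Constructed ed25519 line: 32 fixed bytes, NOT the real host key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + bytes(range(32)))
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    line = make_sample_line()
    print(fingerprints(line.split()[2]))
    print(check_line(line))  # constructed key, so it cannot match the page
```

A `known_hosts` entry stored with a hashed host name comes back as `unlisted`, because the name cannot be read from the line; look such hosts up with `ssh-keyscan <hostname>` instead.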

 
But… this is messy: ssh host-key exchange(s) and how to get new keys in the future:

To get updated public host keys in the future, please put this into your ~/.ssh/config (your ssh client can then update your local ~/.ssh/known_hosts file with the updated keys and will remove old keys):

# ~/.ssh/config
Host *.gbar.dtu.dk *.hpc.dtu.dk
    ServerAliveInterval 30
    UpdateHostKeys yes

or make sure that your ssh client asks you before making any changes:

# ~/.ssh/config
Host *.gbar.dtu.dk *.hpc.dtu.dk
    ServerAliveInterval 30
    UpdateHostKeys ask