ssh-fingerprints/hashes of the public-keys for our login-nodes (all host-keys got exchanged in the service window 26/27 of July 2020)

This page is easy to find with the keyword “fingerprint” on our homepage. When connecting to our GBAR/HPC-setup for the first time, please always check that the fingerprints on this page match the ones your ssh-client is asking you to confirm. Each server has a unique fingerprint. Also keep in mind that “different names” might cause trouble.

( and are pointing to the same machine, but have “different hostnames”, which create different entries in your local ~/.ssh/known_hosts file.)

Valid fingerprints after the 26/07/2020 service window:

(experimental, don't use unless invited)
256 SHA256:XVvruP40CO57l6H06VDW9Vix9VXfsUNXoY4nXxJyfvo (ED25519)
3072 SHA256:++m9EF/OR8ehZWH3uyEU4o0OSp7nL39L/t0a0UaaoPk (RSA)

(new gitlab-host-keys, valid since 27/08/2023 23:00)
256 SHA256:3zhgu0LoIcvQK2EaVpFfRidjoSaredKmCS0rk1JjdGA (ED25519)
4096 SHA256:DsTMUW2F9qyXx5b4MC1hCpRrupKBuOrn5KlH9OgYovw (RSA)

(expired gitlab-host-keys, not valid after 27/08/2023 23:00)
2048 SHA256:zjQZiREOKatcPNb14OBa1lu+QZ4ksWRdSK3/lISNqt8 (RSA)
2048 MD5:ba:ba:cf:a2:ea:95:e8:3a:f4:5b:5f:86:2e:37:54:79 (RSA)

We have tightened our ssh-security a little bit. To be able to connect to our setup, your ssh-version needs to be OpenSSH 7.4 (or compatible) or newer. The newest PuTTY & similar also work nicely. Outdated & unsupported Linux distributions and almost-outdated Linux distributions (like Redhat-6.x) are not “new” enough to be able to connect to our systems.

Also problematic are ssh-clients based on “not really up-to-date” java-based ssh-libraries, which are sometimes hidden within “commercial products” which don’t want to be named on this page. If you encounter such a problem when trying to connect to our systems from within DTU, please open a ticket:

ssh-agent forwarding is disabled due to security-considerations.

When using ssh-public-key-authentication: please use RSA with 4096 bits or the Elliptic-Curve-Crypto based on ed25519. Other “old-fashioned crypto” like DSA & ECDSA as public-key-authentication will be blocked at the end of the year 2020.

But… the ssh-client is complaining now… How to get a valid key again?

After this service window you can remove old keys manually, either by editing your


-file and removing the offending lines or with this command:

ssh-keygen -R <hostname>

so… for example:

ssh-keygen -R

And then ssh into again, check the key which is offered against the one at the top of this page, and then confirm the fingerprint/hostkey.
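An added example (not part of the original page): how the SHA256: and MD5: fingerprint notations used on this page are derived from the public host key a server offers, with an exact comparison against a published value. The host name login.example.org and the key bytes are constructed placeholders, and the function names are chosen for this example.

```python
import base64
import hashlib
import struct


def parse_host_key(line):
    """Parse one '<host> <keytype> <base64-blob>' line (ssh-keyscan / known_hosts layout)."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type. If it
    # disagrees with the declared type, the line is corrupt or altered.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    return host, keytype, blob


def fingerprints(blob):
    """Return both notations for one key blob: SHA256 (base64, unpadded) and MD5 (colon hex)."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "SHA256": "SHA256:" + sha,
        "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def matches_published(line, published):
    """True only if the offered key hashes exactly to the published fingerprint."""
    _, _, blob = parse_host_key(line)
    algo = published.split(":", 1)[0]
    return fingerprints(blob).get(algo) == published


def constructed_line(host="login.example.org"):
    """Constructed sample: placeholder host name and key bytes, not a real host key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    line = constructed_line()
    for value in fingerprints(parse_host_key(line)[2]).values():
        print(value, matches_published(line, value))
```

On a real system `ssh-keygen -lf <file>` prints the same SHA256 value for a saved public key, and adding `-E md5` selects the MD5 notation.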

But…this is messy: ssh-host-key-exchange(s) and how to get new keys in the future:

To get the updated public-host-keys in the future, please put this into your ~/.ssh/config (then your ssh-client is able to update your local ~/.ssh/known_hosts-file with updated keys and will remove old keys):

# ~/.ssh/config
Host * *
    ServerAliveInterval 30
    UpdateHostKeys yes

or make sure that your ssh-client asks you before making any changes:

# ~/.ssh/config
Host * *
    ServerAliveInterval 30
    UpdateHostKeys ask