CSD3 Host Keys
The SSH host keys have the following fingerprints (which of these hashes you see when first connecting to the login nodes will depend on your client).
CSD3 Key Fingerprints
When accessing any destination matching the pattern login*.hpc.cam.ac.uk:
ED25519
=======
SHA256:nFVSXK+VRGCaUupQEdhXzO6kp01m2fzzmbgPr0sc2so
MD5:eb:e3:a1:f0:64:68:cf:9c:63:da:84:db:2e:ee:15:83
RSA
===
SHA256:2rl+MXd9rsrDzFZwEItmhhiHTlLTIqN0d3TSGLTgjTI
MD5:fd:5c:6b:7d:49:95:2f:da:7f:5c:50:9a:bb:ef:3f:24
RDS Key Fingerprints
When accessing rds.uis.cam.ac.uk:
ED25519
=======
SHA256:O3h75pURCguI2SmWswWXjLLUT7Jw2fTkW4um3BJvTOc
RSA
===
SHA256:HJP57qRKv7Xq4YdPhKzg7OwLshecBcDFq3YJ727ro8k
ECDSA
=====
SHA256:wmwNDvP3lw6GsyMcG0J2MEevRBpnvI232Ms4Km+2QQw
First-time login
When connecting via UNIX ssh to a CSD3 server for the first time from a particular local machine, one sees a message similar to this:
The authenticity of host 'login.hpc.cam.ac.uk (128.232.224.51)' can't be established.
ED25519 key fingerprint is SHA256:nFVSXK+VRGCaUupQEdhXzO6kp01m2fzzmbgPr0sc2so.
ED25519 key fingerprint is MD5:eb:e3:a1:f0:64:68:cf:9c:63:da:84:db:2e:ee:15:83.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Note that the details you see may differ from the above, but the fingerprints reported must match the hashes listed on this page; if they do not, do not proceed, and contact support@hpc.cam.ac.uk. If the fingerprints are as expected, respond yes (simply typing y will not work). If the prompt offers the fingerprint option, you can instead paste in a fingerprint from this page, and it will be checked against the server key automatically.
Having accepted the new host keys, you should not be asked to accept them again when contacting the same named destination from the same local machine (at least until the next time the host keys are refreshed, or unless you delete the relevant lines from your ~/.ssh/known_hosts file). You may still see occasional warnings about keys for different IP addresses being accepted; since each destination name may map to multiple IP addresses, this is to be expected.
Other SSH-based applications such as PuTTY, WinSCP, X2Go, etc. will also request that you explicitly accept the host key during first-time login. Once again, only do this if the fingerprints match those listed on this page.
Checking which host keys you have accepted
This section applies if your local machine runs Linux or macOS.
In order to check which SSH host keys you have previously accepted for a particular destination, e.g. login.hpc.cam.ac.uk, you may use the following command (tested under OpenSSH):
ssh-keygen -l -F login.hpc.cam.ac.uk
This command will print the fingerprints of the relevant SSH host keys currently stored in your ~/.ssh/known_hosts file. If you see old fingerprints reported on certain line numbers, you can simply open ~/.ssh/known_hosts with a text editor and remove those lines.
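The same check can be scripted. The following is an added example, not part of the CSD3 documentation: it recomputes the SHA256 fingerprint of every key stored for a destination in known_hosts text and compares it with the fingerprints published on this page, also matching hashed host entries (as written when HashKnownHosts is enabled). The function names and the sample key are assumptions made for illustration.

```python
import base64, fnmatch, hashlib, hmac

# SHA256 fingerprints published on this page, keyed by destination pattern.
PUBLISHED = {
    "login*.hpc.cam.ac.uk": {
        "SHA256:nFVSXK+VRGCaUupQEdhXzO6kp01m2fzzmbgPr0sc2so",  # ED25519
        "SHA256:2rl+MXd9rsrDzFZwEItmhhiHTlLTIqN0d3TSGLTgjTI",  # RSA
    },
    "rds.uis.cam.ac.uk": {
        "SHA256:O3h75pURCguI2SmWswWXjLLUT7Jw2fTkW4um3BJvTOc",  # ED25519
        "SHA256:HJP57qRKv7Xq4YdPhKzg7OwLshecBcDFq3YJ727ro8k",  # RSA
        "SHA256:wmwNDvP3lw6GsyMcG0J2MEevRBpnvI232Ms4Km+2QQw",  # ECDSA
    },
}

def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: plain comma list, or hashed |1|salt|mac."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return any(fnmatch.fnmatch(host, name) for name in field.split(","))

def audit(known_hosts_text, host):
    """Return (line_no, fingerprint, verdict) for each key stored for `host`."""
    expected = set().union(
        *(fps for pat, fps in PUBLISHED.items() if fnmatch.fnmatch(host, pat)))
    results = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # blank line, comment, or @cert-authority/@revoked marker
        if host_matches(parts[0], host):
            fp = sha256_fingerprint(parts[2])
            results.append((n, fp, "ok" if fp in expected else "MISMATCH"))
    return results

if __name__ == "__main__":
    # Constructed sample: a made-up key blob, not a real CSD3 host key.
    blob = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
    sample = f"login.hpc.cam.ac.uk,128.232.224.51 ssh-ed25519 {blob}\n"
    for n, fp, verdict in audit(sample, "login.hpc.cam.ac.uk"):
        print(f"line {n}: {fp} {verdict}")
```

To audit a real file, pass the contents of ~/.ssh/known_hosts as the first argument; lines reported as MISMATCH are the ones to remove.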