NERSCPowering Scientific Discovery Since 1974

SSH Key Fingerprints

Occasionally maintenance on NERSC systems results in the SSH host key changing. On the first time you attempt to log in after this, ssh will stop with a warning like:
"WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" (Linux/Mac) or "WARNING - POTENTIAL SECURITY BREACH!" (Windows)

Do not ignore these warnings! 

The correct host key fingerprint for Cori is:

2048 SHA256:mR3sHwHorgjqRlUbggtfOCa768/uKdbNb2TOH8xDMn8

And for Edison:

4096 SHA256:cbyxNBzfC7hvN56EpYFnYN/YpLY/cQEverdcbpIYjL8

For PDSF:

1024 3d:28:24:53:66:de:30:9e:eb:25:3b:03:b0:24:1c:77

You can replace entries in your ~/.ssh/known_hosts file that begin with "cori" and "edison" with the following entries (Note: there is a single line for cori and a single line for edison):

cori.nersc.gov ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvoau+F7fGIHuvcDZZSG7dD2J7hgo3RupUL6Jaw978mb
P3h2Dt/b8F5EHniGOw1sxYrm3wjerF3I1jTYLM6ORndbw+4FeyVgXiAUTTdKl9suhfDTm2aFry
WanMnbknktNYbzLdyg1SdUMHhlcxXCniuPO7j0JMECkXZvuRBWDeeO8FQWcGrOIorCoU0liWgX
c0NoEs9IzyK2N4ywExwljpMs7vKwasz8qyjHB2aYaj6cHjV2ShCp+aevPdp1jfBtIgJUMkjMEa
+0K4zWM0aDzZEaj7vIlKpUCDAdQf/DsPoj808KOKLw0+Bs0qamX+D7+aXsPVG/jfBY5wSCgjlhqn

edison.nersc.gov ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDpzjkAkaxZS7dCRQeGCDxcdJd
ZykF4mNxjFUKOGcAC9aqv2+5S6gHvjH8PksDUI2G1g9Tln3O1Y5l/bMIoNpDPO7neZe0IXsQKO/HNsBP
kaHmaeZmvuZmnx6JC1SXh/e/YPQ5Kbef3rL0QM0WmlFoBTng3FA+8J9E0uAJjvOjiOxOA+Nsb9niqAwe
vgGDyaosgGD7+y6RyMt38nkNcX3RhYXqgtkzFLqkPYsITz3wLrRAttMBPx7qdlQ/lxEnINj/g+XUpEsv
JyUl8V5ldz8o0ts2MQkb2tuBgBTeL3MDHlxD4Kie40byTmOVYSNlOiWih0rNQPOZmsjr9UqCB+GE/oWF
R/3/gDoGanY42U7I0echn8lTNk6Una40FipL5CElGKjcBOS9PMp2NkGXy5So0xRDrWYP2TRo2ED5r/8v
PtbbJxh/jvN34GWgj3qGLE6HKLcgj8gi2tHx5pBgoo6bLqEbgDlwz1E2ObVuOnSRuXvfdvwUTJ0SZVyt
8gHMETaKpj4Ah3ylEBGtF++x+7W9N3QF37zX2kkFoaOGQBhLvOKhyNoO+Ak0rNmuTZQAa8QBB9p8VpaY
FwEpn+dU37iroNWtXXkaqCC5ke9kkB89U1S0L9AEIZTvwlkndcldMq6MN3Q+PrVBqQDO9Tmmm1384f7w
SHkp5b1LTxtqICFe7FQ==
 

 

If your ssh client reports Cori and Edison fingerprints in "3d:28:24"..etc" format then it is using md5 rather than sha256 to report the fingerprint. Consider updating to a newer ssh client, or to see the fingerprint in the sha256 format shown here, add the FingerprintHash=sha256 option to your ssh command, eg:

 

ssh -o FingerprintHash=sha256 -l my_user_name edison.nersc.gov

 

If you still see warnings about security breaches after replacing your cached host key with one of the above, please contact consult@nersc.gov