You are here: Home / My DKRZ / SSH


The Secure Shell (SSH) protocol is used to access all interactive nodes on Mistral.


SSH client programs are available for all major operating systems. We will focus here on openssh which ships with Linux, MacOS, and Windows 10. Other client programs will probably also work but cannot be tested and supported by DKRZ.

Access Mistral

Use the following command to access one of our login nodes

ssh <user-account>

in which <user-account> must be replaced by your individual account.

Public Key Authentication

The default password authentication is neither comfortable nor very secure. In order to use public key authentication, you have to generate a key pair and upload the public key to DKRZ. The command for key generation is ssh-keygen. It supports different key types. We recommend ed25519 keys.

ssh-keygen -t ed25519

Please use a strong passphrase to secure your key. By default, this created two files named id_ed25519 and

ls ~/.ssh/

The file ending with .pub has to be uploaded to First press "Add key"


The public key can be selected from a file by pressing the "Browse" button or pasted directly into the Key input field. After pressing "Register key", the key is uploaded to the server. In order to use it on mistral, you have to provide your LDAP password.

After that your key should be active and ready to use.

Key validity

For most key types, the validity or lifetime of the keys is six weeks. A longer lifetime is allowed for keys using hardware tokes (see below). You should receive an e-mail one day before the key expired. You then have to upload a newly created one to continue using public key authentication.

Managing Multiple SSH Keys

You may require multiple SSH keys for different computer centers. Reasons for this are added security and the fact that policies for key properties and lifetime may differ from site to site.

To prevent your SSH client from trying out all available keys, you should tell it exactly where to use which key. For this purpose you can create or edit the configuration file in ~/.ssh/config.

Host *
        IdentityFile ~/.ssh/id_ed25519
        IdentitiesOnly yes

This tells ssh to use only the key ~/.ssh/id_ed25519 to log into any host at DKRZ.

FIDO/U2F hardware authenticators

OpenSSH starting with version 8.2 supports FIDO/U2F hardware authenticators or tokens. We allow a lifetime of 365 days for SSH keys which work in conjunction with such a token. Your client has to be OpenSSH 8.2 or more recent and you need the token. Look out for FIDO certification. U2F and FIDO2 both work but FIDO2 is more future-proof.

The key type is ed25519-sk

ssh-keygen -t ed25519-sk

You should notice the extended lifetime when you upload the public key to For authentication with mistral, the token has to communicate with your local device (via USB, NFC, etc.) and you have to touch it to confirm your presence.

Document Actions