Connecting for the first time

All connections to OLCF resources are done via Secure Shell (SSH). SSH encrypts the entire session between the user connecting and the OLCF systems and avoids risks associated with using plain-text communication.


To access OLCF systems, your SSH client must support SSH protocol version 2 (this is common) and allow keyboard-interactive authentication.

For UNIX-based SSH clients, the following line should be in either the default ssh_config file or your $HOME/.ssh/config file:

PreferredAuthentications keyboard-interactive,password

The line may also contain other authentication methods but keyboard-interactive must be included.

SSH clients are available for Windows-based systems, such as SecureCRT published by VanDyke software. For recent SecureCRT versions, the preferred authentication setting shown above can be made through the “connection properties” menu.


SSH multiplexing is disabled on all of the OLCF’s user-facing systems. Users will receive an error message if they attempt to connect to an OLCF resource that tries to reuse an SSH control path. To ensure SSH connections will not attempt multiplexing, you will need to modify your $HOME/.ssh/config file by adding the following:

Host *
  ControlMaster no

With an active user account, you’ll be able to log into any of the systems allocated to your project(s). All OLCF resources (except the Ascent training system) require two-factor authentication. This means you will need an OLCF-provided RSA SecurID fob to log into any of the systems.

For Windows clients, PuTTY and MobaXterm can also be used to provide SSH capability. Recent updates to Windows 10 have added built-in support for SSH. If it is not installed on your version of Windows, please refer to Microsoft’s documentation on OpenSSH.

Activating a new SecurID fob



When you first recieve your OLCF RSA SecurID fob, it will be deactivated and unusable. In order to have your RSA SecurID fob activated, you must return a notarized copy of the Notary Token Verification Form or otherwise have your identity verified by the OLCF (See Notary Instructions). You may schedule an appointment to have this step completed virtually with one of our staff.

  1. Initiate a SSH connection to

  2. When prompted for a PASSCODE, enter the 6-digit code shown on the fob.

  3. You will be asked if you are ready to set your PIN. Answer with “Y”.

  4. You will be prompted to enter a PIN. Enter a (4) to (6) digit number you can remember. You will then be prompted to re-enter your PIN.

  5. Allow the 6-digit code to change (codes regenerate every 30 seconds). Once the (6) digits on your fob change, enter your PIN followed by the new (6) digits displayed on the fob.

  6. Your PIN is now set, and your fob is activated for login to other OLCF systems.

Once activated, the RSA SecurID fob can be used to access OLCF systems. When initiating a SSH connection to a system, you will be prompted to enter your PASSCODE. Simply enter your PIN followed by the (6) digit code shown on your SecurID fob and press enter. For example, if your pin is 1234 and the (6) digits on the fob are 000987, you would enter 1234000987 when prompted for a PASSCODE.


The 6-digit code displayed on the SecurID fob can only be used once. If prompted for multiple PASSCODE entries, always allow the code to change between attempts. Re-using a code can cause your account to be automatically locked.

If you are an ORNL employee and are using an ORNL-distributed (not OLCF-distributed) SecurID fob, there is no need to follow the activation steps listed above. You may log into OLCF systems using your existing ORNL PIN + 6-digit tokencode.

PINs, Passcodes, and Tokencodes

When users connect with RSA SecurID tokens, they are most often prompted for a PASSCODE. Sometimes, they are instead prompted for a PIN (typically only on initial setup) and other times they might be prompted to wait for the tokencode to change and enter the new tokencode. What do these terms mean?

The TOKENCODE is the 6-digit number generated by the RSA token.

The PIN is a (4) to (8)-digit number selected by the user when they initially set up their RSA token.

The PASSCODE is simply the user’s PIN followed by the current tokencode.

These are relatively straightforward; however, there can be some confusion on initial setup. The first time a user connects with a new token (or, if for some reason the user requested that we clear the PIN associated with their token) they are prompted for a PASSCODE but in reality only enter a tokencode. This is because during this initial setup procedure a PIN does not exist. Since there is no PIN, the PASSCODE is the same as the tokencode in this rare case.

X11 Forwarding

Automatic forwarding of the X11 display to a remote computer is possible with the use of SSH and a local (e.g. on your desktop) X server. To set up automatic X11 forwarding within SSH, you can do one of the following:

1) Invoke ssh on the command line with:

$ ssh -X hostname

Note that use of the -x option (lowercase) will disable X11 forwarding.

2) Edit (or create) your $HOME/.ssh/config file to include the following line:

ForwardX11 yes

All X11 data will go through an encrypted channel. The $DISPLAY environment variable set by SSH will point to the remote machine with a port number greater than zero. This is normal, and happens because SSH creates a proxy X server on the remote machine for forwarding the connections over an encrypted channel. The connection to the real X server will be made from the local machine.


Users should not manually set the $DISPLAY environment variable for X11 forwarding; a non-encrypted channel may be used in this case.

On Windows, PuTTY with xming support can be used to provide X11 forwarding.

Systems Available to All Projects

OLCF System Hostnames

System Name

Full Hostname

Hostkey Fingerprints

Home (machine)

  • RSA MD5: ba:12:46:8d:23:e7:4d:37:92:39:94:82:91:ea:3d:e9

  • RSA SHA256: FjDs4sRAX8hglzA7TVkK22NzRKsjhDTTTdfeEAHwPEA

  • ECDSA MD5: 8a:92:0f:31:4d:38:2d:2c:ec:7d:53:ce:8b:46:73:d6

  • ECDSA SHA256: 0hc6SDou8vauFWgOaeXKUmhDSmKK8roj9jWpapV4qzc

  • ED25519 MD5: 5c:a4:42:d4:51:b9:2a:4e:cb:ac:3b:3d:3f:b8:55:81

  • ED25519 SHA256: ZFrVqaDfFYd6MV6yA9r6qEKupJUqWkq8qwIVH2SNtPk

Data Transfer Nodes

  • RSA MD5: d1:c5:84:5b:88:d3:0e:81:33:a7:c2:5f:8a:09:b2:7f

  • RSA SHA256: xAIWJhey/RCjetTR4Hll2GNE9WwCNrMUEOdyDhIeHeE

  • ECDSA MD5: bd:52:af:c3:8b:ad:a3:30:4f:28:75:9c:79:84:68:cd

  • ECDSA SHA256: ITEbdZ0ddYNJJehefOh+/0JMgSvHwClpr+P+kak58Xc

  • ED25519 MD5: 76:89:40:82:a5:92:65:88:e1:90:57:e3:25:68:d5:60

  • ED25519 SHA256: svTxlziE4JOmVlvLp9PIa3uSHZdGokM/7EU8T6f6x0A


  • RSA MD5: 08:d0:fe:3f:f3:41:96:9c:ae:73:73:a8:92:6c:79:34

  • RSA SHA256: nA7X4qyPvtEpXWxG5MDeXEC8xfpmm0UMiLq/LkgM33I

  • ECDSA MD5: cf:32:f9:35:fd:3f:2a:0f:ed:d3:84:b1:2d:f0:35:1b


  • ED25519 MD5: 7a:fe:53:04:0c:4b:6d:dc:9e:f2:cc:dd:b0:bc:01:2c

  • ED25519 SHA256: JM2ZfZx2dVHW5AOLdnoRAm3Ui1faV6lqCLmyBd73g8k

Moderate-Enhanced Enclave Login Node

  • RSA MD5: 26:9d:38:64:57:73:3b:d3:0d:94:0d:ce:13:28:74:0a

  • RSA SHA256: srq2/sRnB+U1PmmZXhk2Z/RnycgHbP7JCbu6hmFdWz4

  • ECDSA MD5: b3:7d:a1:cb:90:92:31:78:03:84:ab:f6:8c:f2:8b:18

  • ECDSA SHA256: yRbaOHLGto08TYCKy9R182rd0PK6smHBxaLdJtRxuF8


  • RSA MD5: 17:4a:49:f8:37:e2:1b:7c:b5:23:b3:5c:64:3a:c5:07

  • RSA SHA256: R9/5L+ZQ9+pR/jThxbLmmmxBtxRfVt3MsEGPEhv1uTQ

  • ECDSA MD5: e4:a4:b4:4a:24:bf:53:e0:9a:c4:10:9f:9f:3a:ec:f4

  • ECDSA SHA256: F92QU1abt3tN2cgYwONJla0MoyV0srD3mNoyoFe5Cxo

  • ED25519 MD5: a0:75:f3:14:be:37:7f:7f:23:3c:ec:d6:d7:34:9b:50

  • ED25519 SHA256: Y5mXzGRGs12pM6a6HYTb6iamoRJLBMiCiypY15zzjR4


  • RSA MD5: 68:0f:21:93:4a:34:fd:6e:5c:35:8a:34:09:8e:d9:27

  • RSA SHA256: vIjuRocIuWExV4+htXgNKNAuFU16JL0opb6T4ajcfHk

  • ECDSA MD5: 28:08:bb:38:7a:6d:b1:0d:d1:fd:6d:a9:40:0a:5f:ae

  • ECDSA SHA256: bGyAOAnp4kfmmi23HRwqqJPWo7A6zDsUFpot9jqTR1U

  • ED25519 MD5: 29:81:b5:5f:ff:18:5a:d8:41:3f:4b:d5:15:39:ea:62

  • ED25519 SHA256: ALuNAoAykEUIJzwsExhCaTqwrqhnd4fssvVB4xK87bs

Occassionally, you may receive an error message upon logging in to a system such as the following:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

This can be a result of normal system maintenance that results in a changed RSA public key, or could be an actual security incident. If the RSA fingerprint displayed by your SSH client does not match the OLCF-authorized RSA fingerprint (shown in the table above) for the machine you are accessing, do not continue authentication; instead, contact

Starting a Tmux Session

Tmux is a terminal multiplexer available on that allows you to easily open multiple connections to OLCF machines in a single window. To start a session from home issue the following on the command line:

$ tmux

To detach from an active session, you can type Crtl-B D. If you aren’t sure what existing sessions you have running, you can type the following to list the sessions and attach to it by number (or name if you have assigned one):

$ tmux ls
1: 1 window (created Mon Apr 25 10:39:26 2022) [109x32]

$ tmux attach -t 1

You can kill an existing tmux session by its ID with the following

$ tmux kill-session -t 1

After creating your first tmux session, a configuration file called .tmux.conf will be automatically created in your home directory. You can edit this file to customize your tmux sessions. Check out the tmux documentation for more information on tmux commands and customization.

Checking System Availability

The OLCF home page includes a current status listing and scheduled downtimes for our major compute and storage resources. This information also has a dedicated Center Status page.