Remote Connection via SSH Gateway

For connecting to systems hosted in NREL's high-performance computing (HPC) environment.

If you’re connecting remotely from a non-NREL computer, follow these instructions for connecting via the SSH gateway for alternative access to certain HPC systems that do not have dedicated external connection points to the internet.

Note: Kestrel users are best served by their dedicated external access points. See Connecting to HPC Systems for more information.  

For security reasons, you cannot use SSH gateway connections for tunneling, X11 visualization, or file transfers. You'll need a VPN connection for those tasks.

You'll need your HPC username, password, and a multifactor token to proceed. With that, you can SSH to the gateway server, and from there, jump to other HPC systems.

Gateway server: hpcsh.nrel.gov
Username: Your HPC username
Password: Your HPC password PLUS the 6-digit token

On Windows: Follow the PuTTY documentation to connect. Make sure to connect to host hpcsh.nrel.gov.

On Mac or Linux: Use the built-in Terminal app to execute the following command: 

ssh <username>@hpcsh.nrel.gov

The first time you log in you will be prompted to verify the RSA/ECDSA key fingerprint. Depending on which version of OpenSSH you're using, you will see one of the fingerprints below. Verify the fingerprint matches one of these and enter yes. If the fingerprint does not match, please contact us before proceeding or allowing the connection.

For the RSA key fingerprint (md5 hash in hex format)

Screenshot of the fingerprint

or for the ECDSA key fingerprint (md5 hash in hex format)

Screenshot of the fingerprint

As of February 2024, the following are the new SHA256 fingerprints (as shown in OpenSSH 6.8 and newer) for hpcsh.nrel.gov:

SHA256:ZFjSuC8Nx2NsW4dJ4SjhlFMC8xE/4lYDnvP6h0C1xGM hpcsh.nrel.gov (RSA)
SHA256:QQdXt/YK2UW0veHsor9vOfLBwB+8bE5SP8G6ng+/2ys hpcsh.nrel.gov (ECDSA)
SHA256:bQ8qR8vhRtK5DAO9WPBNfXVtBIUcy8aqdFa0a1DzhFs hpcsh.nrel.gov (ED25519)

 If you used hpcsh.nrel.gov prior to February 2024, you may see an error message that includes "@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @". If you see this error, you will need to delete the host fingerprint for the old hpcsh.nrel.gov stored on your computer.

To delete the old host fingerprint, you may either manually locate the line for hcpsh.nrel.gov in known_hosts and delete it (if your ~/.ssh/known_hosts file is plain-text/human readable) or you may run an ssh command to delete the entry automatically:

     ssh-keygen -R hpcsh.nrel.gov

Once the old key is deleted please ssh to the system again, and follow the fingerprint confirmation instructions above.

Example

Assume your username is juser, your password is ^somEAw40meB4zz, and the token displays 392954.

Windows: Open PuTTY and connect to hpcsh.nrel.gov

Mac or Linux: Open Terminal and run ssh [email protected]

At the password prompt, enter your password combined with the token display:
^somEAw40meB4zz392954

After a few seconds, you should be logged into the hpcsh gateway server. From there, you can ssh to HPC systems by executing the command: 

ssh <hostname>.hpc.nrel.gov

You will be prompted to log into the new system; use your username and password only (no token this time).

Contact

Having trouble? As always, contact us for assistance and we'll be happy to help.

Share

Last Updated April 10, 2025