Skip to content

Docs CSC now features an automatic Finnish translation. Click here for more information.

Warning!

Puhti and Mahti are being decommissioned in stages, and their storage areas will become fully unavailable from 15 October 2026. Clean up unnecessary files and move any data you need to keep by 31 August 2026. See the Roihu data migration guide for instructions on transferring your data to Roihu.

Puhti scratch is very full: keep only active data there and move or delete everything else. No new Puhti scratch quota will be granted.

SSH client on Windows

There are various programs that can be used for creating a remote SSH connection on a Windows system. This page provides instructions for three popular alternatives: MobaXterm, PuTTY and Windows PowerShell. PowerShell is included by default to all modern Windows machines. MobaXterm and PuTTY need to be installed.

For file transfer popular options are WinSCP, FileZilla, Cyberduck and MobaXterm SFTP browser.

For using SSH clients with CSC supercomputers SSH keys are required.

In Windows, 2 different key types are widely used:

  • OpenSSH keys (the same as for Linux/Mac), used with MobaXterm, PowerShell and Cyberduck.
  • PuTTY keys .ppk, used with PuTTY, MobaXterm, WinSCP, FileZilla and Cyberduck.

Windows SSH and SFTP tools for Roihu

SSH certificates are required to connect to Roihu over SSH

To connect to Roihu, users must sign their public key in MyCSC to obtain a time-based SSH certificate. Each certificate is valid for 24 hours, and once it expires, a new one must be generated by signing the public key again.

Read the detailed instructions on signing your public key.

CSC provides two options for this:

So for Roihu, consider also how different tools support updating the SSH certificate:

Tool Roihu, option 1 Roihu, option 2
MobaXterm, inc SFTP browser 🆗 🆗
Putty 🆗 🆗
PowerShell 🆗 🆗
WinSCP Difficult 🆗
FileZilla Difficult Only with PageAnt
Cyberduck 🆗 with OpenSSH key, difficult with Putty key 🆗

For initial use and light usage, Roihu's web interface might be the easiest starting option as it provides access to login and compute node shells as well as a graphical file moving tool.

Generating SSH keys

Using SSH keys

See the page on setting up SSH keys for general information about using SSH keys and certificates for authentication. Please note that it is mandatory to add your public key to MyCSC – copying it directly to a CSC supercomputer does not work!

Supported key types are Ed25519 and RSA 4096 through 16384. We strongly recommend Ed25519.

Depending on the tools you plan to use (see above) for SSH connection and moving files, generate right type of SSH keys.

You can generate PuTTY SSH keys using the PuTTYgen or MobaKeyGen tools. Normally, PuTTYgen does not need to be installed separately, as it comes bundled with the PuTTY installation package. MobaKeyGen is included in the MobaXterm installation.

Launch PuTTYgen or MobaXterm and follow the tutorial to set up SSH keys. Although the tutorial is formally written for MobaKeyGen, the instructions can easily be adapted for PuTTYgen as the user interface is virtually identical.

You may also consult the PuTTYgen documentation or the relevant SSH Academy tutorial.

To generate SSH keys using MobaXterm or PowerShell, open the terminal and run:

ssh-keygen -a 100 -t ed25519

If you have not set up SSH keys before, feel free to accept the default name and location by pressing ENTER (recommended). However, if using the default file name would overwrite an existing key, you will receive a warning that looks like this:

/home/<username>/.ssh/id_ed25519 already exists.
Overwrite (y/n)?

Generally, you do not want to overwrite existing keys, so enter n, run ssh-keygen again and enter a different file name when prompted. See also the section on SSH key files with non-default name or location.

Next, you will be asked for a passphrase. Please choose a secure passphrase. It should be at least 8 characters long and contain numbers, letters and special characters. Never leave the passphrase empty when generating an SSH key pair!

If you want your generated keys to persist through MobaXterm restarts, set a persistent home directory for MobaXterm in the program settings (Settings --> Configuration --> General). Note, this is only required if you have generated your keys via the terminal, not MobaKeyGen.


PuTTYgen or MobaKeyGen can also be used for converting keys from OpenSSH to Putty format and vice versa.

After you have generated an SSH key pair, you need to add the public key to the MyCSC portal. To connect to Roihu, you must also sign your public key to obtain a time-based SSH certificate which is required for authentication.

You may also wish to configure authentication agent to make using SSH keys more convenient.

Basic usage

After setting up SSH keys, adding your public key to MyCSC and downloading an SSH certificate (required for Roihu only) you can connect to a CSC supercomputer.

To connect using MobaXterm, open the terminal and run:

# Replace <username> with the name of your CSC user account and
# <host> with "puhti", "mahti", "roihu-cpu" or "roihu-gpu"

ssh <username>@<host>.csc.fi

This assumes that the SSH keys (and certificate for Roihu) are saved in a standard location using standard naming:

  • Private key: ~/.ssh/id_<algorithm>
  • Public key: ~/.ssh/id_<algorithm>.pub
  • Certificate: ~/.ssh/id_<algorithm>-cert.pub

where <algorithm> is either ed25519 or rsa.

Alternatively, you may connect using the GUI following this tutorial.

When you launch PuTTY, you are asked to configure your SSH session. Do so according to the table below:

Option Value
Host Name puhti.csc.fi or mahti.csc.fi
Port 22
Connection type SSH
Connection -> Data -> Auto-login username csc_username

It is recommended to use PageAnt for providing your SSH keys. If you do not use PageAnt, add the keys manually: select the private key and certificate file (only if connecting to Roihu) under Connection --> SSH --> Auth --> Credentials.

Finally, click Open. If you do not use PageAnt, your SSH key passphrase is asked.

If you are connecting for the first time, PuTTY will ask if you trust the host. Click Accept.

Open PowerShell and run:

# Replace <username> with the name of your CSC user account and
# <host> with "puhti", "mahti", "roihu-cpu" or "roihu-gpu"

ssh <username>@<host>.csc.fi

This assumes that the SSH keys (and certificate for Roihu) are saved in a standard location using standard naming:

  • Private key: ~/.ssh/id_<algorithm>
  • Public key: ~/.ssh/id_<algorithm>.pub
  • Certificate: ~/.ssh/id_<algorithm>-cert.pub

where <algorithm> is either ed25519 or rsa.

Corrupted MAC on input

When connecting using the OpenSSH client software on Windows, you might encounter an error stating "Corrupted MAC on input". This is a known issue, and can be avoided by explicitly choosing a different MAC algorithm. For details, please see our FAQ page on the topic.


SSH key or certificate file with non-default name or location

If you are connecting via the MobaXterm terminal or PowerShell, and have stored your SSH key and/or certificate file with a non-default name or in a non-default location (somewhere else than ~/.ssh/id_<algorithm>), you must tell the ssh command where to look for these files. Use option -i as follows:

# Replace <username> with the name of your CSC user account,
# <host> with "puhti" or "mahti" and <path-to-private-key>
# with the path to your SSH private key

ssh <username>@<host>.csc.fi -i <path-to-private-key> -i <path-to-certificate>

Graphical connection

Note

For performance reasons, we generally recommend using the HPC web interfaces to run applications which require displaying graphics.

To enable displaying graphics over SSH, use the -X (X11 forwarding) or -Y (trusted X11 forwarding) option when creating the connection:

ssh -X <username>@<host>.csc.fi

When connecting using the MobaXterm GUI, ensure the X11-Forwarding option under Session --> SSH --> Advanced SSH settings is toggled.

If you want to create a connection with graphical support, you can use, for example, the Xming X server. To enable displaying graphics remotely, select Enable X11 forwarding in the PuTTY program settings (Connection --> SSH --> X11).

If you want to create a connection with graphical support, you can use, for example, the Xming X server. To enable displaying graphics remotely, run:

$env:DISPLAY="localhost:0.0"

Then, use the -X (X11 forwarding) or -Y (trusted X11 forwarding) option when creating the connection:

ssh -X <username>@<host>.csc.fi

Authentication agent

SSH authentication agents help managing your keys and their passphrases. It can hold your SSH keys and certificates in memory.

Different authentication agents work with different tools:

  • PageAnt: PuTTY, WinSCP, FileZilla, MobaXterm, Cyberduck
  • Window ssh-agent: PowerShell, Cyberduck, MobaXterm
  • MobAgent: MobaXterm

Authentication agents with Puhti, Mahti and LUMI

Puhti, Mahti and LUMI do not use SSH certificates, so adding keys to SSH authentication agents is done once and can be used for longer time. Below are the instructions for adding SSH keys to SSH agent manually.

  1. Start Pageant. It will put an icon into the System tray.
  2. Right-click the Pageant icon and select View Keys from the menu to show the private keys Pageant is holding. When you start Pageant, it has no keys, so the list box will be empty.
  3. Press the Add Key button to add a key to Pageant.
  4. Find your private key file in the Select Private Key File dialog, and press Open. Pageant will ask you to enter the key passphrase.
  5. Now start PuTTY or other Pageant supported tools. PuTTY will notice that Pageant is running, retrieve the key automatically from Pageant, and use it to authenticate. You may now open as many sessions as you like without having to type your passphrase again.

Windows ssh-agent service is usually stopped or disabled in Windows by default, and starting it requires administrator privileges.

Run the following commands in an elevated PowerShell prompt:

# Configure ssh-agent to start automatically.
Get-Service ssh-agent | Set-Service -StartupType Automatic

# Start the service.
Start-Service ssh-agent

# The following command should return a status of Running.
Get-Service ssh-agent

# Load your key files into ssh-agent.
ssh-add $env:USERPROFILE\.ssh\id_ed25519

After you add the key to the ssh-agent service on your client, the ssh-agent service automatically retrieves the local private key (and certificate) and passes it to your SSH client.

MobaXterm has internal MobAgent, but it supports also Pageant and Windows ssh-agent. They can all be used at the same time if you wish.

  1. Enable MobAgent: Settings --> Configuration --> SSH --> SSH agents.
  2. Add your key file, click the + button and select the private key(s) you want to load at startup.
  3. Click OK and restart MobaXterm. You'll be prompted to enter your key passphrase.

Authentication agents with Roihu

In Roihu, besides SSH keys a SSH certificate is required. If using SSH agent, a new SSH certificate must be added daily. CSC provides two options for this:

Option 1 can be used out-of-the-box, without any additional installations. Option 2 provides an easier and more streamlined process to sign and download the SSH certificates for connecting to Roihu, but requires you to download a script and to have Python and WinSCP installed. Importantly, it also automatically adds your SSH keys and certificate to Windows ssh-agent and/or Pageant. The script does not update MobAgent, so using Pageant is recommended for MobaXterm-users.

Option 1 requires some extra steps for adding the SSH certificate to the SSH agent.

To add your SSH certificate to MobAgent or Pageant, you must first "combine" the certificate and the PuTTY .ppk private key.

  1. Open PuTTYgen or MobaKeyGen (Tools tab of MobaXterm).
  2. Load your private key (File --> Load private key).
  3. Add a valid certificate to the key (Key --> Add certificate to key). The validity period can be checked by selecting Certificate info.
  4. Save the private key as <key>-cert.ppk, e.g. id_ed25519-cert.ppk.
  5. The new private key including the certificate can now be added to Pageant and/or MobAgent following the instructions above. A successfully combined key and certificate will show up as Ed25519 cert in Pageant/MobAgent.

Users of Windows ssh-agent must make sure to store their manually downloaded SSH certificate in the same directory as the SSH private key and name it as <private-key-name>-cert.pub to be able to add it to SSH agent with ssh-add command. If successful, ssh-add outputs:

Certificate added: C:\Users\<username>\.ssh\id_ed25519-cert.pub

If the certificate is stored and/or named in any other way, it cannot be added to the authentication agent because OpenSSH uses hard-coded naming conventions.


Please note:

  • If you intend to connect to Roihu via a jump host (e.g. when transferring data from another CSC server to Roihu), also the SSH certificate must be added to the SSH agent so that it can be properly forwarded.
  • Alternatively, you may connect to Roihu and pull data from servers that do not require a SSH certificate (e.g. Puhti or Mahti). In this case it is enough to forward only your SSH keys.
  • Read more about SSH agent forwarding below.

SSH agent forwarding

Note

You should only forward your SSH agent to remote servers that you trust and only when you really need it. Forwarding your SSH agent by default to any server you connect to is considered insecure.

Agent forwarding is a useful mechanism where the SSH client is configured to allow an SSH server to use your local ssh-agent on the server as if it was local there. This means in practice that you can, for example, connect directly between CSC supercomputers using the SSH keys and certificates you have on your local machine, i.e. you do not need to create a new set of SSH keys on CSC supercomputers.

Agent forwarding is also very handy if you need to copy data directly between CSC supercomputers, or, for example, push to a private Git repository from CSC supercomputers.

When using a local terminal, enable agent forwarding by including the -A flag to your ssh command:

ssh -A <username>@<host>.csc.fi

In the MobaXterm GUI, agent forwarding is enabled by toggling the Allow agent forwarding option found under Session --> SSH --> Advanced SSH settings --> Expert SSH settings.

To enable agent forwarding in PuTTY, first make sure Pageant is running. Then, toggle the Allow agent forwarding option found under Connection --> SSH --> Auth before creating a new session.

To enable agent forwarding in PowerShell, include the -A flag to your ssh command:

ssh -A <username>@<host>.csc.fi

Once connected, you may verify that SSH agent forwarding worked by running:

ssh-add -l

If you see the fingerprint(s) of your SSH key(s) and certificate(s) listed, agent forwarding is working. Associated SSH keys and certificates in the authentication agent have the same fingerprints and are annotated with <ALGORITHM> and <ALGORITHM>-CERT, respectively. For example:

256 SHA256:ZXG7TvhDAWOv8VveFAlt/UYarsO9Nx5md4owX+FE5/M optional_comment (ED25519)
256 SHA256:ZXG7TvhDAWOv8VveFAlt/UYarsO9Nx5md4owX+FE5/M optional_comment (ED25519-CERT)

If you're using a combined SSH key and certificate file (PuTTYgen and MobaKeyGen methods), you should only see the <ALGORITHM>-CERT line.