Skip to end of metadata
Go to start of metadata

The SSH plugin (part of the gateway) allows Member State users to log into their shell account at ECMWF and execute commands directly on "ecgate". The first time you use SSH to ECaccess, you will see something like:

-> ssh
The authenticity of host ' (' can't be 
DSA key fingerprint is 9e:e3:f0:12:f5:08:61:d8:55:89:1a:40:e6:18:b8:42.
Are you sure you want to continue connecting (yes/no)? yes
   For further information, read the ECaccess
   documentation at:

   You can also use ECaccess to load/download
   files from your EChome, ECscratch  or ECfs
   directories using the ECaccess FTP server:

   Use your UID and the SecurID code to login!

Password authentication
uid's password ******

WARNING: if you get the following error message: "Unable to negotiate wit193.61.196.110 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1" then add the following options to the ssh command-line:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostkeyAlgorithms=+ssh-dss -oCiphers=+aes128-cbc

Alternatively, for a more permanent workaround, add the following lines to ~/.ssh/config on your system:

     KexAlgorithms +diffie-hellman-group1-sha1
     HostkeyAlgorithms +ssh-dss
     Ciphers +aes128-cbc 

A new version of the ssh plugin will be delivered soon to avoid this problem.

You will then be prompted for your passcode (obtained by entering your PIN number into your security token), and then will get a UNIX prompt, typically '$' or '%'. A login with SSH puts you automatically in your home directory on ecgate.

Note that a different message may be displayed during your login procedure, as this message is customisable by the gateway administrator. This option gives the opportunity to broadcast important notes to Member State users (availability of a new product, disruptions planned for maintenance purposes, etc.). The SSH plugin supports only the interactive method of authentication described in Security authentication.

Note that the gateway at ECMWF will close SSH sessions idle for 6 hours. Note also that if you use a Member State ECaccess gateway, there is no need to use ssh, as the connection between the MS gateway and ECMWF is already secure. Using telnet will do. If you decide to use your MS gateway (and your gateway administrator has opened this service), you may need to contact port number 9022, like in:

-> ssh -p 9022 -l uid

1 Comment

  1. Hi Carsten,
    Few users wants to know when will this method change?
    Madhuri (Service Desk)