These are the instructions on how to install and configure your Teleport SSH access on Windows 10 and 11 using MobaXterm to connect to ECMWF services such as the Atos HPCF and ECS services.
Check the following pages if you are using another Windows method:
Teleport SSH Access - Windows Terminal and Powershell configuration
Teleport production services
We currently run two Teleport services in production:
- jump-17.ecmwf.int: Latest production service, recommended.
- jump.ecmwf.int: Legacy service, to be retired in October 2025.
If you are setting up the access for the first time, you should choose the recommended jump-17.ecmwf.int service.
If you are updating your setup to use the latest production service, jump-17.ecmwf.int, note that you will need to change BOTH the client installation and your SSH configuration (e.g. the $HOME/.ssh/config file). Newer clients connecting to jump-17.ecmwf.int but using the old configuration (which will still refer to jump.ecmwf.int) will not work.
Demo
Here is a demonstration of how to set up Teleport to connect to our Atos HPCF from your terminal on Windows 10 or 11. You can find the step-by-step guide described below.
Installing the tsh client
The tsh application is required to perform user authentication. tsh is open source, very portable, and has minimal dependencies.
First of all, you must download the appropriate Teleport client. We recommend using the latest Teleport service.
You will need to extract the zip file and put the "tsh.exe" executable somewhere in your PATH. The easiest way to do this is to:
- Open the zip file in your file browser
- Drag the teleport folder inside the file and drop into the directory of your choice (the main directory for your user, for example)
Open MobaXterm and start a local terminal.
Add to the PATH variable the location of the teleport directory. For example, if you dropped it on your main user directory (C:\Users\yourwindowsuser):
echo 'export PATH=/drives/c/Users/yourwindowsuser/teleport:$PATH' >> ~/.bashrc
source ~/.bashrc
Authenticating yourself
The following commands need to be run on a MobaXterm local terminal.
Once every 12 hours, you will need to refresh your tokens with the tsh command. SSH connections may remain active for longer than 12 hours, but new connections will require re-authentication.
To authenticate yourself, run tsh, giving the location of our Teleport gateway.
For jump-17.ecmwf.int (recommended):
tsh login --proxy=jump-17.ecmwf.int
For jump.ecmwf.int (legacy):
tsh login --proxy=jump.ecmwf.int
Your default web browser will open. You should log in with your email address, ECMWF password, and then the code from your Time-based One-Time-Password (TOTP) device.
Existing sessions
If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped.
Browserless authentication
If your computer does not have a browser or cannot display one, you may use the Teleport SSH access - Browserless Login Python Module for the authentication.
If the process is successful, you will see an output such as the following.
For jump-17.ecmwf.int:
> Profile URL: https://jump-17.ecmwf.int:443
  Logged in as: user.address@somewhere.com
  Cluster: jump-17.ecmwf.int
  Roles: access
  Logins: ecmwfusername
  Kubernetes: enabled
  Valid until: 2025-03-21 20:25:29 +0000 GMT [valid for 10h35m0s]
  Extensions: login-ip, permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy
For jump.ecmwf.int:
> Profile URL: https://jump.ecmwf.int:443
  Logged in as: user.address@somewhere.com
  Cluster: jump.ecmwf.int
  Roles:
  Logins: ecmwfusername
  Kubernetes: disabled
  Valid until: 2022-12-13 20:54:18 +0000 GMT [valid for 4h37m0s]
  Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
Subsequent logins
Once you have logged in at least once, tsh will save your proxy settings so you can skip the extra argument next time:
tsh login
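An added example, not part of ECMWF's instructions: a way to check how long the Teleport certificate remains valid before starting a long transfer, by parsing the "Valid until" line of the profile output shown above. The function names are hypothetical, and it assumes that tsh status (a standard tsh subcommand not mentioned on this page) prints the same profile block as tsh login, with the active profile first.

```shell
# Added example, not ECMWF's code. Function names are hypothetical.

# remaining_minutes: read tsh profile text on stdin and print the minutes left
# according to the first "Valid until: ... [valid for XhYmZs]" line.
# Prints 0 when no such marker is present (no profile, or an expired one).
remaining_minutes() {
    awk '
        /Valid until:/ && match($0, /\[valid for [0-9hms]+\]/) {
            # "[valid for " is 11 characters and "]" is 1.
            d = substr($0, RSTART + 11, RLENGTH - 12)   # e.g. 10h35m0s
            h = 0; m = 0
            if (match(d, /[0-9]+h/)) h = substr(d, RSTART, RLENGTH - 1)
            if (match(d, /[0-9]+m/)) m = substr(d, RSTART, RLENGTH - 1)
            print h * 60 + m
            found = 1
            exit
        }
        END { if (!found) print 0 }
    '
}

# ensure_login [MIN]: run "tsh login" when fewer than MIN minutes (default 30)
# remain, so that new ssh/scp/rsync connections do not fail on an expired
# certificate. Assumes "tsh status" prints the profile block.
ensure_login() {
    left=$(tsh status 2>/dev/null | remaining_minutes)
    if [ "$left" -lt "${1:-30}" ]; then
        echo "Teleport certificate has ${left} min left, running tsh login" >&2
        tsh login
    fi
}

# Usage in a MobaXterm local terminal, after sourcing this file:
#   ensure_login 60 && rsync -av mydir hpc-login:
```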
Setup your SSH config
We strongly recommend setting up all the SSH options needed for the connection instead of passing them on the command line. Edit the file ~/.ssh/config in your MobaXterm local terminal and add the snippet below. You may create it if it does not exist. You should replace ecmwfusername by your registered ECMWF user and user.address@somewhere.com by your registered email address at ECMWF.
For jump-17.ecmwf.int (recommended):
Host *.jump-17.ecmwf.int jump-17.ecmwf.int* a?-* a??-* hpc-* ecs-* hpc2020-* lfc?-* ecf?-* ecflow-* ecinteractive*
  User ecmwfusername
  UserKnownHostsFile ~/.tsh/known_hosts
  IdentityFile ~/.tsh/keys/jump-17.ecmwf.int/user.address@somewhere.com
  CertificateFile ~/.tsh/keys/jump-17.ecmwf.int/user.address@somewhere.com-ssh/jump-17.ecmwf.int-cert.pub
  ServerAliveInterval 60
  TCPKeepAlive yes
Host !jump-17.ecmwf.int *.jump-17.ecmwf.int
  ProxyCommand tsh proxy ssh --cluster=jump-17.ecmwf.int --proxy=jump-17.ecmwf.int:443 %r@%h
Host hpc-login ecs-login
  Hostname %h.jump-17.ecmwf.int
  ProxyCommand tsh proxy ssh --cluster=jump-17.ecmwf.int --proxy=jump-17.ecmwf.int:443 %r@%h
# Extra configuration for additional internal hosts through the main entry point
Host a?-* a??-* hpc-* hpc2020-* lfc?-* ecf?-* ecflow-* ecinteractive* !hpc-login* !ecs-login* !*.jump-17.ecmwf.int*
  ProxyJump hpc-login.jump-17.ecmwf.int
  # Replace by ecs-login.jump-17.ecmwf.int if only ECS access
For jump.ecmwf.int (legacy):
Host jump.ecmwf.int a?-* a??-* hpc-* hpc2020-* ecs-* ecinteractive*
  User ecmwfusername
  IdentityFile ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com
  CertificateFile ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com-ssh/jump.ecmwf.int-cert.pub
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
  ServerAliveInterval 60
  TCPKeepAlive yes
Host a?-* a??-* hpc-* hpc2020-* ecs-* ecinteractive*
  ProxyJump jump.ecmwf.int
Updating from a previous jump service
If you have some configuration for a previous jump service at ECMWF, make sure you remove it (or move it aside) and replace it by the new one to avoid conflicts.
Not sure about username and email?
You can find the right values for those two parameters in the output of the tsh login command.
Now you should make the tsh internal directory where SSH certificates are generated visible within MobaXterm by running the following command on a MobaXterm local terminal:
ln -s /drives/c/Users/yourwindowsuser/.tsh ~/
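An added example, not part of ECMWF's instructions: a check for the two configuration mistakes this section warns about, namely leftover references to the legacy jump.ecmwf.int service and key or certificate paths that do not resolve because ~/.tsh has not been linked into the MobaXterm home or tsh login has not been run. The function name is hypothetical, and it assumes the "Keyword value" layout used in the snippet above (no Include files, no Keyword=value form).

```shell
# Added example, not ECMWF's code. The function name is hypothetical.

# audit_ssh_config CONFIG [HOME_DIR]
#   LEGACY n:  line n still names jump.ecmwf.int (the string
#              "jump-17.ecmwf.int" does not contain "jump.ecmwf.int",
#              so the new service is never flagged)
#   MISSING n: the file named by IdentityFile, CertificateFile or
#              UserKnownHostsFile on line n does not exist
# Returns 0 when the config is clean, 1 when there is any finding.
audit_ssh_config() {
    cfg=$1
    home=${2:-$HOME}
    rc=0
    n=0
    # read trims leading blanks and splits keyword from value without
    # glob-expanding the Host patterns (a?-*, hpc-*, ...).
    while read -r key rest || [ -n "$key" ]; do
        n=$((n + 1))
        case $key in ''|'#'*) continue ;; esac
        case "$key $rest" in
            *jump.ecmwf.int*) echo "LEGACY $n: $key $rest"; rc=1 ;;
        esac
        # ssh_config keywords are case-insensitive.
        case $(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') in
            identityfile|certificatefile|userknownhostsfile)
                case $rest in '~/'*) rest=$home/${rest#'~/'} ;; esac
                [ -e "$rest" ] || { echo "MISSING $n: $rest"; rc=1; }
                ;;
        esac
    done < "$cfg"
    return $rc
}

# Usage in a MobaXterm local terminal, after sourcing this file:
#   audit_ssh_config ~/.ssh/config && echo "config looks consistent"
```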
SSH connection
The following commands need to be run on a MobaXterm local terminal.
Once you have configured the appropriate settings, any SSH-based tools such as ssh, scp or rsync should work out of the box without any additional options.
To test the connection you may ssh into hpc-login if you have access to ECMWF's HPCF:
ssh hpc-login
Or alternatively, if you only have access to ECMWF ECS service:
ssh ecs-login
Visit our HPCF User Guide for further information.
tsh login every 12 hours
Remember you may need to redo the authentication step for any new ssh connections after 12 hours with:
tsh login
Alternative connection method with tsh
You may use the tsh client to connect without any modifications to your ~/.ssh/config with:
tsh ssh hpc-login
or
tsh ssh ecs-login
The target platforms you can connect to can be listed with
tsh ls
scp file transfers through the tsh client are also possible. For example, to transfer a file from your computer to your HOME in hpc-login:
tsh scp myfile hpc-login:
Compatibility with other tools
If you choose this method and do not configure your ~/.ssh/config, you will not be able to use other tools that rely on a standard SSH connection, such as ssh itself, scp, rsync or VSCode.
Troubleshooting
If you cannot log in to Teleport or connect via SSH and you are not able to understand why, please raise an issue on our ECMWF Support portal and send us the output of the following commands.
For jump-17.ecmwf.int:
tsh version
tsh login --proxy=jump-17.ecmwf.int
ssh -V
ssh -v ecs-login
For jump.ecmwf.int:
tsh version
tsh login --proxy=jump.ecmwf.int
ssh -V
ssh -v ecs-login
You should also include information about your computer (operating system) to help us narrow down the problem.