...
| Warning |
|---|
This service is under development and not widely accessible. Please continue to use the existing ECAccess service! |
| Table of Contents | ||
|---|---|---|
|
Downloading tsh
The tsh application is required to perform user authentication once every eight hours.
...
Run tsh, giving the location of our gateway:
| Code Block | ||
|---|---|---|
| ||
tsh login --proxy=shell.ecmwf.int:443 |
...
Subsequent Occasions
| Code Block | ||
|---|---|---|
| ||
tsh login |
| Info |
|---|
If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped. |
Connecting to hosts through the gateway
OpenSSH 7.3 or newer klater has a simple command line option , to connect via our gateway (shell.ecmwf.int to ) to the destination-host:
| Code Block | ||
|---|---|---|
| ||
ssh -J username@shell.ecmwf.int username@destination-host |
For example, if your username is ab0 and you wish to connect to ecgate:
| Code Block | ||
|---|---|---|
| ||
ssh -J ab0@shell.ecmwf.int ab0@ecgate |
...
For OpenSSH clients older than 7.3, the following will work in your ~/.ssh/config file:
| Code Block | ||
|---|---|---|
| ||
Host ecgate Username ab0 ProxyCommand /usr/bin/ssh -q -W %h:%p shell.ecmwf.int |
Configuring
...
passwordless login
With the initial configuration you may be prompted for a password at the destination-host.
For login without a password, add the Teleport certificate authority to your
At the destination host end, openssh needs to be configured to trust the SSH Certificate that your client is passing.
This can be done at the server level for all users, or by an individual user within their own account.
| Info |
|---|
If a user configures this for their own account, it will potentially allow access to any other system using the same |
A user can add the following to their ~/.ssh/authorized_keys file:
| Code Block | ||
|---|---|---|
| ||
cert-authoritycurl ssh-rsafs AAAAB3NzaC1yc2EAAAADAQABAAABAQDN85frMTtRzQaVjkHGM3NTOJDhttps:/5awWn2i1sAofzlO0PXM1jX/H+4zQKn1+ATUqU+TTU2v3V7fhZm0cWqRrofSLDVC80FkCFqzZRq2E4kMBP5sx4yf/mBKLzJ6luE8eV/3W0V6KEch5TV2ON8ltwFPWjB3D/puPU010UOJH/arlpW5h+n9dAtBCAtVuMYBEz/5uWcKcTJkFe2usQTVmpiEmt/yAx4LfLTFPs2+izLo+N3dBW92HFnKnQftZI5s8ysOENbKmxdWfcxdID5E91oneAvkmEKBeUutlYY3GV9621iuKnlEw6WF8wfQapdozzhSyb+LhqPDiBRotnerhA69/ clustername=tele&type=user |
A server administrator can place the same key into /etc/ssh/teleport-user-ca.pub
They would then add the following to their /etc/ssh/sshd_config file:
| Code Block |
|---|
AuthorizedKeysFile /etc/ssh/teleport-user-ca.pub /nexus.ecmwf.int/repository/internal-teleport-configs/prod/teleport_user_ca.pub >> ~/.ssh/authorized_keys .ssh/authorized_keys2 |
| Tip |
|---|
Having a dedicated file for the trusted key means that it can easily be rotated using configuration automation.This configuration will allow access to any host which mounts the same |
SCP, X11 and Port Forwarding
scp , X11, and port forwarding will all work through the Teleport gateway.
Of course, such features also need to be permitted on the destination server or workstation.
| Note |
|---|
X11 forwarding will work in a couple of months when we have an update from the vendor |
| Tip |
See the |