Teleport is software which provides an SSH jump host (or bastion host) service in a secure, modern way, with support for role-based access control and single sign-on.
It is a replacement for the ECaccess SSH service, and is operated by the CD Apps team and User Support.
Warning: This service is under development and not widely accessible. Please continue to use the existing ECaccess service!
Downloading tsh

The tsh application is required to perform user authentication once every eight hours. tsh is open source, very portable, and has minimal dependencies.

- Download it from the Gravitational website and place it in your $PATH. The binary is available for Linux 32-bit, 64-bit, and ARM, as well as signed packages for macOS and Windows 64-bit.
User Authentication

Once every eight hours, you will need to refresh your tokens by logging in to the ECMWF website.

First Time

Run tsh, giving the location of our gateway:

```shell
tsh login --proxy=shell.ecmwf.int:443
```
Your default web browser will open and you should log in with your email address, your workstation password, and then your HID Token code.
Subsequent Occasions

```shell
tsh login
```

Info: If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped.
Connecting to hosts through the gateway

OpenSSH 7.3 or later has a simple command line option to connect via our gateway (shell.ecmwf.int) to the destination-host:

```shell
ssh -J username@shell.ecmwf.int username@destination-host
```

For example, if your username is ab0 and you wish to connect to ecgate:

```shell
ssh -J ab0@shell.ecmwf.int ab0@ecgate
```
The OpenSSH configuration setting for this is named ProxyJump.
Legacy Configuration

For OpenSSH clients older than 7.3, the following will work in your ~/.ssh/config file:

```
Host ecgate
    # The OpenSSH keyword is "User"; "Username" is not a valid option
    User ab0
    # Open a forward through the gateway; the gateway user is given explicitly
    # so that your local username is not used for the jump host
    ProxyCommand /usr/bin/ssh -q -W %h:%p ab0@shell.ecmwf.int
```
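The two client configurations above (ProxyJump for OpenSSH 7.3 and later, ProxyCommand for older clients) can be chosen automatically from the client's version banner. The script below is an added example and not part of the ECMWF page; the function and parameter names are its own, and it assumes the gateway name shell.ecmwf.int and the same username on the gateway and the destination host, as in the page's examples.

```shell
#!/bin/sh
# Added example (not from the ECMWF page): choose the right ~/.ssh/config
# stanza for reaching a host through shell.ecmwf.int. ProxyJump exists from
# OpenSSH 7.3 onwards; older clients need the ProxyCommand form. The function
# names below are this example's own.

# openssh_supports_proxyjump BANNER
# BANNER is the output of `ssh -V` (note: ssh writes it to stderr), e.g.
# "OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g 1 Mar 2016".
# Returns 0 when the client is OpenSSH 7.3 or newer, 1 otherwise; an
# unrecognised banner is treated as "no ProxyJump support".
openssh_supports_proxyjump() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver%% *}
    minor=${ver##* }
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }
}

# jump_host_stanza HOST USER BANNER
# Prints a Host stanza for HOST that logs in as USER and crosses the gateway
# as the same USER, using ProxyJump when the client supports it and the
# ProxyCommand form otherwise.
jump_host_stanza() {
    host=$1
    user=$2
    banner=$3
    if openssh_supports_proxyjump "$banner"; then
        printf 'Host %s\n    User %s\n    ProxyJump %s@shell.ecmwf.int\n' \
            "$host" "$user" "$user"
    else
        # %%h and %%p come out as %h and %p (target host and port) in the
        # written config; ssh expands them when the connection is made
        printf 'Host %s\n    User %s\n    ProxyCommand /usr/bin/ssh -q -W %%h:%%p %s@shell.ecmwf.int\n' \
            "$host" "$user" "$user"
    fi
}

# Usage: append a stanza for ecgate to your client configuration
#   jump_host_stanza ecgate ab0 "$(ssh -V 2>&1)" >> ~/.ssh/config
```

Because `ssh -V` prints to stderr, the banner has to be captured with `2>&1`; an empty or unexpected banner falls back to the ProxyCommand form, which works on both old and new clients.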
Configuring passwordless login

With the initial configuration you may be prompted for a password at the destination-host.

For login without a password, add the Teleport certificate authority to your ~/.ssh/authorized_keys file:

```shell
curl -fs https://nexus.ecmwf.int/repository/internal-teleport-configs/prod/teleport_user_ca.pub >> ~/.ssh/authorized_keys
```

Tip: This configuration will allow access to any host which mounts the same
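A blind `curl ... >> ~/.ssh/authorized_keys` appends whatever the server returned, and running it twice leaves duplicate entries. The function below is an added example (not the ECMWF page's own command) that does the same job with the checks a practitioner would want: it confirms every downloaded line is a `cert-authority` entry (a plain public key in that position would authorise a single key rather than a CA), appends only lines not already present, and keeps the file at mode 600. The function name is this example's own; the CA content used in the test is a constructed placeholder, not the real ECMWF CA.

```shell
#!/bin/sh
# Added example (not from the ECMWF page): trust a Teleport user CA in
# ~/.ssh/authorized_keys with validation and without duplicates.

# add_trusted_ca CA_FILE AUTHORIZED_KEYS
# Appends each cert-authority line of CA_FILE to AUTHORIZED_KEYS unless it is
# already present. Prints the number of lines added on stdout; returns 1 and
# changes nothing if any non-empty line of CA_FILE is not a cert-authority
# entry.
add_trusted_ca() {
    ca_file=$1
    auth_keys=$2

    # Validate the whole file before touching the target.
    while IFS= read -r ca_line || [ -n "$ca_line" ]; do
        case "$ca_line" in
            "") ;;                    # tolerate blank lines
            "cert-authority "*) ;;    # what a CA export should look like
            *)
                echo "refusing: not a cert-authority entry: $ca_line" >&2
                return 1
                ;;
        esac
    done < "$ca_file"

    mkdir -p "$(dirname "$auth_keys")"
    touch "$auth_keys"
    chmod 600 "$auth_keys"   # sshd ignores authorized_keys that others can write

    added=0
    while IFS= read -r ca_line || [ -n "$ca_line" ]; do
        [ -n "$ca_line" ] || continue
        # -x: whole-line match, -F: literal (key material is not a regex)
        if grep -qxF -- "$ca_line" "$auth_keys"; then
            continue
        fi
        printf '%s\n' "$ca_line" >> "$auth_keys"
        added=$((added + 1))
    done < "$ca_file"
    echo "$added"
}

# Usage: download to a temporary file first, then validate and append.
#   curl -fs https://nexus.ecmwf.int/repository/internal-teleport-configs/prod/teleport_user_ca.pub \
#       -o /tmp/teleport_user_ca.pub
#   add_trusted_ca /tmp/teleport_user_ca.pub ~/.ssh/authorized_keys
```

Downloading to a temporary file first means a failed or partial transfer never reaches authorized_keys, and the returned count makes it easy to see in a script whether anything actually changed.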
SCP, X11 and Port Forwarding

scp and port forwarding will both work through the Teleport gateway.

Note: X11 forwarding will work in a couple of months when we have an update from the vendor.