Single SSH hop from client systems anywhere on the internet to servers inside ECMWF (ecGate, HPC, etc)
Web single sign-on using ECMWF's website and the HID token
Re-authentication required only every 12 hours (once per day)
Integration with standard tools such as the OpenSSH ssh client, scp, and ssh-agent
Web-SSH interface for in-browser terminal access, with scp
X11 and Port forwarding

The single sign-on step is performed using an application called "tsh", every 12 hours.

After that you use standard ssh or scp to connect to systems inside ECMWF.

Alternatively you can have simple Gravitational Teleport.

Downloading `tsh`

The tsh application is required to perform user authentication once every 12 hours.

...

Code Block

language	bash

ssh -J ab0@shell.ecmwf.int,ab0@workstation ab0@lxc

Configuring

...

Tip
The CENTOS 8 Linux VDI beta service already supports automatic password-less login - you can skip this procedure.

With the initial configuration you may be prompted for a password at the destination-host.

For login without a password, add Add the Teleport certificate authority to your ~/.ssh/authorized_keys file:

...

Tip
This configuration will allow access to any host which mounts the same `$HOME` directory.

This functionality opens a tabbed terminal in the web browser, with support for SCP upload and download.

Browse to http://webshell.ecmwf.int/destination-host/username.

It will work only if you have password-less login (which is automatically done for you on CENTOS Linux VDI beta).

Tip
This works well with `tmux` or `screen` running on the destination host.

There are various ways to initiate SSH from Windows 10, so it depends on your system and your preferences.

...