...
- The "tsh login" step uses ports 80 and 443 to log in to the service and obtain the client certificate:
  - initially it contacts shell.ecmwf.int on port 443 (the user can watch these steps with the tsh login --debug switch)
  - then it opens a local HTTP listener on a high port, prints a localhost link for the user to open in a browser (like http://127.0.0.1:64068/da92794b-9d41-4008-ae6f-83fb77f64486) and waits for a callback from shell.ecmwf.int
  - that localhost URL redirects the browser to OIDC authentication at https://accounts.ecmwf.int (port 443), handled by Keycloak, which is linked to the user accounts in AD and to the HID token
  - upon successful authentication, tsh receives the callback from shell.ecmwf.int together with the client certificate, which completes its login workflow
  - from this point on, with a client certificate that is valid for 24 hours (tsh status shows the expiry time), the user is authorised to access hosts behind the Teleport proxy either via tsh ssh or via the OpenSSH workflow
- Your ssh client uses the standard port 22 for server access.
- The web shell service also uses port 443 on the same host.
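Because the workflow above touches four network paths (the proxy on 443 and 80, the OIDC provider on 443, a loopback callback port bound by tsh, and port 22 to the target host), a firewall or proxy rule that blocks any one of them makes tsh login or tsh ssh fail in a way that --debug only partly explains. The pre-flight script below is an added example written for this page; it is not ECMWF or Teleport code. The proxy and identity-provider host names and ports are taken from the list above; target-host.example is a placeholder for a host behind the proxy, not a real ECMWF host name.

```python
"""Pre-flight connectivity check for the tsh login / tsh ssh workflow.

Added example, not ECMWF or Teleport code. Endpoint names and ports come
from the page; "target-host.example" is a placeholder, not a real host.
"""
import socket
from typing import Dict, List, Tuple

# (description, host, port). The proxy and OIDC provider entries are the
# hosts named on the page; the last entry is a placeholder for any host
# behind the proxy that you reach with tsh ssh or OpenSSH.
REQUIRED_ENDPOINTS: List[Tuple[str, str, int]] = [
    ("Teleport proxy / web shell", "shell.ecmwf.int", 443),
    ("Teleport proxy (HTTP, used during tsh login)", "shell.ecmwf.int", 80),
    ("OIDC identity provider (Keycloak)", "accounts.ecmwf.int", 443),
    ("SSH to a host behind the proxy (placeholder name)", "target-host.example", 22),
]


def check_endpoint(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port can be opened.

    Only the TCP handshake is tested: a TLS-intercepting proxy or a
    firewall that resets after connect still shows up as a later failure.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def loopback_callback_port_available() -> bool:
    """tsh login binds a high port on 127.0.0.1 and waits for the browser
    callback there; confirm that an ephemeral loopback port can be bound
    and listened on (host firewalls that block loopback break this step).
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind(("127.0.0.1", 0))
            s.listen(1)
            return s.getsockname()[1] >= 1024
    except OSError:
        return False


def run_checks(endpoints: List[Tuple[str, str, int]] = REQUIRED_ENDPOINTS) -> Dict[str, bool]:
    """Run every check and return a name -> passed mapping."""
    results: Dict[str, bool] = {
        "loopback callback port (127.0.0.1, high port)": loopback_callback_port_available()
    }
    for desc, host, port in endpoints:
        results[f"{desc} {host}:{port}"] = check_endpoint(host, port)
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"[{'OK' if ok else 'FAIL'}] {name}")
```

Run it from the workstation that will execute tsh login, not from a jump host, since the loopback callback and any egress filtering are specific to that machine. A FAIL on the accounts.ecmwf.int line is only meaningful if the browser that opens the localhost link runs on the same machine; when the browser runs elsewhere, that machine is the one that needs 443 to the identity provider.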
...