Network Requirements
The Teleport service is configured to use only standard ports 22, 80, and 443, to help with access wherever users are.
...
- The "
tsh login" step uses ports 80 and 443 in order to log in to the service and obtain the client certificate.- initially it contacts shell
jump.ecmwf.inton port 443 (the user is able to see these steps by using the "tsh login --debugswitch"option) - then it opens a local http client on a high port 64xxx, produces a URL link on the localhost for the user to follow (like such as:
http://127.0.0.1:64068/da92794b-9d41-4008-ae6f-83fb77f64486) and waits for a callback fromshelljump.ecmwf.int. - that localhost url URL then redirects the user for OIDC authentication at
https://accounts.ec,wfecmwf.int(on port 443) involving Keycloak linked to user accounts on ActiveDirectory and the ActivIdentity (HID) security token - upon successful authentication, tsh receives a callback from
shell.ecmwf.intand receives the client certificate completing it's its login workflow - from this point on, with the client certificate which is valid for 24 hours, the user is authorised to access hosts behind the teleport proxy either via tsh ssh or OpenSSH workflows
- initially it contacts shell
- Your ssh client uses standard port 22 for server access.
- The Teleport web shell service also uses port 443 on the same host.
| Note |
|---|
The diagram describes the set up for the Teleport instance installed at ECMWF's Data Centre in ReadingBologna. The An instance that will be installed in the Bologna Reading Data Centre will use uses the same ports but different hosts and will be decommissioned at the end of 2022. |
| Gliffy Diagram | ||||
|---|---|---|---|---|
|