...
Warning: Teleport is the replacement for the ECaccess SSH service. Both services are currently available and can be widely used at this point.
However, once ECMWF's systems are fully operational in the Bologna Data Centre and the Reading-based hosts (the Cray HPCF, ECGATE and others) have been decommissioned, Teleport SSH will be the only way to connect using ssh to ECMWF's Bologna-based hosts (the Atos HPCF and ECGATE Services). The ECaccess service will not support interactive ssh connections to the Bologna-based hosts.
Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern way, with support for role-based access control and single sign-on. At the moment there are two gateways available:
- shell.ecmwf.int based in Reading Datacentre, best to access Reading-based hosts (Cray HPCF, ECGATE and others).
- jump.ecmwf.int based in Bologna Datacentre, best to access Bologna-based hosts (Atos HPCF).
Note: The Teleport gateway SSH Host Keys are currently:
Tip: Please report any feedback or issues through the ECMWF Support Portal.
Overview
The Teleport service provides:
- Single SSH hop from client systems anywhere on the internet to servers inside ECMWF (ecGate, HPC, etc)
- Re-authentication required only every 12 hours (once per day)
- Integration with standard tools such as the OpenSSH ssh client, scp, and ssh-agent
- Web-SSH interface for in-browser terminal access, with scp
- X11 and Port forwarding
...
...
Additional configuration at the local user site may be required to allow connections out. The diagram below shows the TCP ports and destination hosts used.
Note: Currently the
- The "tsh login" step uses ports 80 and 443 in order to log in to the service and obtain the client certificate:
  - initially it contacts shell.ecmwf.int on port 443 (the user can see these steps by using the "tsh login --debug" switch)
  - then it opens a local HTTP listener on a high port (64xxx), produces a link on localhost for the user to follow (like http://127.0.0.1:64068/da92794b-9d41-4008-ae6f-83fb77f64486) and waits for a callback from shell.ecmwf.int
  - that localhost URL then redirects the user for OIDC authentication at https://accounts.ecmwf.int (port 443), involving Keycloak linked to user accounts on AD and the HID token
  - upon successful authentication, tsh receives a callback from shell.ecmwf.int and receives the client certificate, completing its login workflow
  - from this point on, with the client certificate (valid for 24 hours), the user is authorised to access hosts behind the Teleport proxy either via "tsh ssh" or OpenSSH workflows
- Your ssh client uses the standard port 22 for server access.
- The web shell service also uses port 443 on the same host.
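The localhost step of the login described above is a loopback-callback pattern: the client binds a listener on 127.0.0.1, hands the user a URL that carries a one-time random token, and only accepts the callback whose path presents that token. The following is an added illustration of that mechanism (example code, not tsh's own implementation and not from the ECMWF page): it binds an OS-assigned ephemeral port instead of the 64xxx range, uses a random hex token where tsh shows a UUID, and stands in a placeholder string for the client certificate; the second request plays the role of the proxy redirecting the browser back to localhost.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse


class LoopbackCallback:
    """Simplified loopback listener (added example, not tsh source).

    Accepts exactly one callback, and only if its path carries the
    one-time token that was embedded in the URL handed to the user.
    The token is what stops an unrelated local process or a stale
    browser tab from completing somebody else's login.
    """

    def __init__(self):
        self.token = secrets.token_hex(16)  # stands in for the UUID seen in the tsh URL
        self.result = None                  # set once a valid callback arrives
        self._done = threading.Event()
        # Port 0 asks the OS for a free ephemeral port (tsh uses a high 64xxx port).
        self.server = http.server.HTTPServer(("127.0.0.1", 0), self._handler_class())
        self.port = self.server.server_address[1]
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def login_url(self):
        """The link presented to the user, e.g. http://127.0.0.1:<port>/<token>."""
        return f"http://127.0.0.1:{self.port}/{self.token}"

    def _handler_class(self):
        cb = self

        class Handler(http.server.BaseHTTPRequestHandler):
            def log_message(self, *args):  # keep the demo quiet
                pass

            def do_GET(self):
                path = urlparse(self.path).path.strip("/")
                # Constant-time compare, and single use: a replay of the same
                # URL after success is rejected exactly like a wrong token.
                if cb.result is None and secrets.compare_digest(path, cb.token):
                    # Constructed placeholder; tsh would receive the real client certificate here.
                    cb.result = "client-certificate-placeholder"
                    self.send_response(200)
                    self.end_headers()
                    self.wfile.write(b"login complete")
                    cb._done.set()
                else:
                    self.send_response(404)
                    self.end_headers()
                    self.wfile.write(b"unknown callback")

        return Handler

    def wait(self, timeout=5.0):
        """Block until the callback arrived (or timeout), then release the port."""
        self._done.wait(timeout)
        self.server.shutdown()
        self.server.server_close()
        return self.result


def simulate_callback(url):
    """Play the proxy's redirect back to localhost; return the HTTP status code."""
    try:
        with urllib.request.urlopen(url, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Wrong token, correct token, then a replay of the correct token."""
    cb = LoopbackCallback()
    wrong = simulate_callback(f"http://127.0.0.1:{cb.port}/not-the-token")
    right = simulate_callback(cb.login_url())
    replay = simulate_callback(cb.login_url())
    got_credential = cb.wait() is not None
    return wrong, right, replay, got_credential


if __name__ == "__main__":
    print(demo())  # expected: (404, 200, 404, True)
```

Two properties of the real flow are visible here: because the listener is bound to 127.0.0.1 only, the callback can only come from a browser on the same machine, and because the path token is random and single-use, guessing the port alone is not enough to inject a result into the waiting client.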
...