Comment: HTTPS_PROXY supported

...

Warning

Teleport is the replacement for the ECaccess SSH service. Both services are currently available and can be widely used at this point. However, once ECMWF's systems are fully operational in the Bologna Data Centre and the Reading-based hosts (the Cray HPCF, ECGATE and others) have been decommissioned, Teleport SSH will be the only way to connect using ssh to ECMWF's Bologna-based hosts (the Atos HPCF and ECGATE Services). The ECaccess service will not support interactive ssh connections to the Bologna-based hosts.

Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern way, with support for role-based access control and single sign-on. At the moment there are two gateways available:

  • shell.ecmwf.int, based in the Reading Datacentre, best for accessing Reading-based hosts (Cray HPCF, ECGATE and others).
  • jump.ecmwf.int, based in the Bologna Datacentre, best for accessing Bologna-based hosts (Atos HPCF).

Note

The Teleport gateway SSH Host Keys are currently:

shell.ecmwf.int SHA256:ST5P3QlRZdI88o79ozjPdp0+FWTczckLTKzGD2z3xmU

jump.ecmwf.int  SHA256:yAJzmK5nCp9R0TIxkfdaLjJt3uf3S0QkxjGX18Ws5EM

Tip

Please report any feedback or issues through the ECMWF Support Portal.

Overview

The Teleport service provides:

  • Single SSH hop from client systems anywhere on the internet to servers inside ECMWF (ecGate, HPC, etc.)
  • Re-authentication required only once per day (the client certificate is valid for 24 hours)
  • Integration with standard tools such as the OpenSSH ssh client, scp and ssh-agent
  • Web-SSH interface for in-browser terminal access, with scp
  • X11 and port forwarding

...

MobaXterm SSH from Windows 10 (ECMWF laptop)
  1. Install MobaXterm if it is not already on your system
  2. Download tsh (you may need to instruct antivirus software to ignore the file)
  3. Start MobaXterm
  4. Login using tsh (you will always need to specify the --proxy setting)
  5. Use the following in $HOME/.ssh/config (MobaXterm's home):
Host shell.ecmwf.int jump.ecmwf.int
    UserKnownHostsFile /drives/c/Users/<windows_user>/.tsh/known_hosts
    IdentityFile /drives/c/Users/<windows_user>/.tsh/keys/%h/<email_address>
    CertificateFile /drives/c/Users/<windows_user>/.tsh/keys/%h/<email_address>-ssh/%h-cert.pub

# For ecgate and Cray HPCF
Host ecg* cc*
    User ab0
    HostKeyAlgorithms +ssh-rsa-cert*
    PubkeyAcceptedKeyTypes +ssh-rsa-cert*
    ProxyJump ab0@shell.ecmwf.int
    IdentityFile /drives/c/Users/<windows_user>/.tsh/keys/shell.ecmwf.int/<email_address>
    CertificateFile /drives/c/Users/<windows_user>/.tsh/keys/shell.ecmwf.int/<email_address>-ssh/shell.ecmwf.int-cert.pub
  
# For Atos HPCF
Host a?-* a??-* hpc-* hpc2020-* ecs-*
    User ab0
    ProxyJump ab0@jump.ecmwf.int
    IdentityFile /drives/c/Users/<windows_user>/.tsh/keys/jump.ecmwf.int/<email_address>
    CertificateFile /drives/c/Users/<windows_user>/.tsh/keys/jump.ecmwf.int/<email_address>-ssh/jump.ecmwf.int-cert.pub
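The OpenSSH configuration above points at tsh's own known_hosts file, so a useful check is to confirm that the gateway entries stored there match the host-key fingerprints published in the Note above. The script below is an added example, not part of this page or of Teleport's tooling: it parses a known_hosts file, computes OpenSSH-style SHA256 fingerprints and compares the plain host-key entries for shell.ecmwf.int and jump.ecmwf.int against the pinned values; the embedded known_hosts sample is constructed, so its shell.ecmwf.int entry is expected to report a mismatch.

```python
import base64
import hashlib

# Gateway host-key fingerprints as published on this page.
PINNED = {
    "shell.ecmwf.int": "SHA256:ST5P3QlRZdI88o79ozjPdp0+FWTczckLTKzGD2z3xmU",
    "jump.ecmwf.int": "SHA256:yAJzmK5nCp9R0TIxkfdaLjJt3uf3S0QkxjGX18Ws5EM",
}

def fingerprint(key_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: hash the decoded key blob, base64 it, drop the padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str):
    """Yield (marker, hosts, keytype, fingerprint) per entry; blanks and comments are skipped."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):  # e.g. @cert-authority: this key is a CA, not a host key
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed entry
        yield marker, fields[0].split(","), fields[1], fingerprint(fields[2])

def check_pins(text: str, pinned=PINNED) -> dict:
    """True = match, False = MISMATCH, None = no plain entry; @cert-authority lines pin the CA, not the host key, so they are skipped."""
    result = {host: None for host in pinned}
    for marker, hosts, _keytype, fp in parse_known_hosts(text):
        if marker is not None:
            continue
        for host in hosts:
            if host in pinned:
                result[host] = fp == pinned[host]
    return result

def _blob(keytype: str, payload: bytes) -> str:
    """Constructed SSH wire-format public key (two length-prefixed strings), base64-encoded."""
    def s(b): return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(keytype.encode()) + s(payload)).decode()

# Constructed sample file: NOT the real gateway keys, so shell.ecmwf.int must report MISMATCH.
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample\n"
    "shell.ecmwf.int ssh-ed25519 " + _blob("ssh-ed25519", bytes(range(32))) + "\n"
    "@cert-authority jump.ecmwf.int,*.jump.ecmwf.int ssh-ed25519 " + _blob("ssh-ed25519", bytes(32)) + " type=host\n"
)
```

Run `check_pins(open(path).read())` against the real .tsh/known_hosts; a False for either gateway means the stored key does not match the published fingerprint and should be investigated before connecting.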


...

Additional configuration at the local user site may be required to allow connections out. The diagram below shows the TCP ports and destination hosts used.

Note

Versions 8.3.5 and newer of the tsh application support the use of proxies (HTTP_PROXY, etc.). However, if the HTTPS_PROXY (or similar) environment variable is set, tsh will also attempt to make the ssh connection on port 22 through the proxy. If your proxy does not support ssh connections to port 22, then set:

$ export no_proxy="shell.ecmwf.int:22,jump.ecmwf.int:22"


  • The "tsh login" step uses ports 80 and 443 in order to log in to the service and obtain the client certificate. 
    • initially it contacts shell.ecmwf.int at port 443 (user is able to see these steps by using tsh login --debug switch)
    • then it opens a local http client on a high port 64xxx, produces a link on the localhost for the user to follow (like http://127.0.0.1:64068/da92794b-9d41-4008-ae6f-83fb77f64486) and waits for a callback from shell.ecmwf.int
    • that localhost url then redirects user for OIDC authentication at https://accounts.ecmwf.int (port 443) involving Keycloak linked to user accounts on AD and HID token
    • upon successful authentication, tsh receives a callback from shell.ecmwf.int and receives the client certificate completing it's login workflow
    • from this point on, with the client certificate which is valid for 24 hours, user is authorised to access hosts behind the teleport proxy either via tsh ssh or OpenSSH workflows
  • Your ssh client uses standard port 22 for server access.
  • The web shell service also uses port 443 on the same host.

...