Teleport is software that provides an SSH jump host (bastion host) service in a secure, modern way, with support for role-based access control and single sign-on. It is used as a replacement for the ecAccess SSH service and is being evaluated by the CD Apps team and User Support.

Understanding ecAccess

A user outside of ECMWF wishes to ssh to one of the Centre's clusters, batch farms, or workstations. This can be done by running:

Code Block
ssh sy0@ecaccess.ecmwf.int

The user is prompted for a password, which is the one-time code from an ActivID token.

Info

ecAccess is not aware of the use of multi-factor authentication (ActivID token). It sees only a simple username and password and delegates authentication to another service.

After authenticating to ecAccess, the user is prompted for the destination host:

Code Block
[cca-login,ecgate]
?

In fact, the user can enter any ECMWF server or workstation name.

The destination server or workstation must run the ecauth binary, which is installed setuid root so that it can switch to any user.

ecauth receives the TCP/IP connection from ecAccess and spawns a shell as the original user (sy0, in this example).

Understanding Teleport

Teleport functions somewhat like a combination of ecAccess and the SSH Proxy service that staff use to connect to hosts outside ECMWF from within the Centre.

Clients outside of the Centre use the OpenSSH ProxyCommand or ProxyJump settings so that their ssh client reaches the destination server or workstation via the Teleport gateway.

...

to access a number of services at ECMWF, including our Atos HPCF and ECS services. The service provides:

  • Single SSH hop from client systems anywhere on the internet to servers inside ECMWF (HPC, etc)
  • Re-authentication required only every 12 hours (usually once per working day)
  • Integration with standard tools such as the OpenSSH ssh client, scp, and ssh-agent
  • X11 and Port forwarding

The single sign-on step is performed using an application called "tsh". After that you use standard ssh or scp to connect to systems inside ECMWF.

Here are the instructions on how to set it up depending on your platform:

Info

System Administrators

If you are a system administrator setting up access to teleport from your organisation, have a look at the Teleport SSH Access - Network requirements for additional information on how this system works and its network requirements.


Warning

Please be aware that you must use a version of "tsh" of 13 or lower; newer major versions are not yet supported by this service. We are working on removing this limitation in the very near future.
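As an added example, not part of the original page or of Teleport's own documentation, the following POSIX shell script puts the client-side set-up described under Understanding Teleport and the tsh version limit in the warning above into one place: it checks the major version reported by "tsh version", re-runs "tsh login" only when no session is active (the once-per-12-hours step), and emits the OpenSSH config block, in the ProxyCommand form that Teleport's "tsh config" generates, so that plain ssh and scp go through the Teleport gateway. The proxy address teleport.example.invalid:443, the cluster name example-cluster, the known-hosts path, and the sample "tsh version" strings are assumptions or constructed inputs; ECMWF's real values are not on this page and come from your administrator.

```shell
#!/bin/sh
# Added example: not from the ECMWF page or from Teleport's own docs.
# Assumptions (not stated on the page): the proxy address and cluster
# name below are placeholders; use the values ECMWF gives you.
TELEPORT_PROXY="${TELEPORT_PROXY:-teleport.example.invalid:443}"
TELEPORT_CLUSTER="${TELEPORT_CLUSTER:-example-cluster}"

# Extract the major version from the output of "tsh version", which
# starts with "Teleport vMAJOR.MINOR.PATCH ...". Prints the major number,
# or nothing if the text does not look like tsh output.
tsh_major_version() {
    printf '%s\n' "$1" | sed -n 's/^Teleport v\([0-9][0-9]*\)\..*/\1/p'
}

# Returns 0 when the reported version satisfies the page's limit
# (major version 13 or lower), 1 otherwise.
tsh_version_ok() {
    major=$(tsh_major_version "$1")
    [ -n "$major" ] && [ "$major" -le 13 ]
}

# Emit an OpenSSH client configuration block for hosts matching PATTERN.
# ProxyCommand hands the connection to "tsh proxy ssh", which dials the
# Teleport proxy and presents the short-lived certificate obtained by
# "tsh login". %r, %h and %p expand to the remote user, host and port.
# The known-hosts path is the one tsh writes on Linux/macOS (assumption).
teleport_ssh_config() {
    pattern="$1"
    cat <<EOF
Host $pattern
    # Route the connection through the Teleport proxy
    ProxyCommand tsh proxy ssh --cluster=$TELEPORT_CLUSTER --proxy=$TELEPORT_PROXY %r@%h:%p
    # Trust the host CA that tsh recorded at login instead of prompting
    UserKnownHostsFile ~/.tsh/known_hosts
EOF
}

# Re-authenticate only when there is no active Teleport session.
# Assumption: "tsh status" exits non-zero when no profile is active.
teleport_login_if_needed() {
    tsh status >/dev/null 2>&1 || tsh login --proxy="$TELEPORT_PROXY"
}

# Stand-alone run: check a constructed version string and print the config
# block for "ecgate", a host name taken from the ecAccess prompt above.
# After appending the block to ~/.ssh/config: ssh sy0@ecgate
if tsh_version_ok 'Teleport v13.4.9 git:v13.4.9-0-g0000000 go1.20.5'; then
    teleport_ssh_config 'ecgate'
else
    echo 'tsh is newer than version 13; not supported by this service' >&2
fi
```

Append the printed block to ~/.ssh/config on the client, call teleport_login_if_needed once per working day, and ssh, scp and ssh-agent then work as before. Compare the block against what "tsh config" prints for your installation: it may add a per-host Port, IdentityFile and CertificateFile lines, and those values are the authoritative ones.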