Versions Compared

Comment: Updated installation process for tsh as brew does not allow you to change version install

These are the instructions on how to install and configure your Teleport SSH access on Mac to connect to ECMWF services such as the Atos HPCF and ECGATE ECS services.


Demo

Here is a demonstration of how to set up Teleport to connect to our Atos HPCF from a Mac. The step-by-step guide is described below.

[Video: mac_teleport_setup.mp4]

Installing the tsh client

The tsh application is required to perform user authentication.

tsh is open source, very portable, and has minimal dependencies.

If you have Homebrew installed on your Mac, then you can install tsh easily with:

No Format
brew install teleport

Using package installer

Go to the Teleport website and make sure you download the "tsh client" instead of "Teleport Connect".


You can then run the installer and follow the instructions to 

Authenticating yourself

Once every 12 hours, you will need to refresh your tokens with the tsh command. SSH connections may remain active for longer than 12 hours, but new connections will require re-authentication.

To authenticate yourself, run tsh, giving the location of our Teleport gateway:

tsh login --proxy=jump.ecmwf.int

Your default web browser will open. You should log in with your email address, ECMWF password, and then the code from your Time-based One-Time-Password (TOTP) device, or the 8-digit one-time passcode from your ActivIdentity (HID) security token if you have not configured your TOTP yet.

Info
Existing sessions

If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped.

Info
Browserless authentication

If your computer does not have a browser or cannot display one, you may use the Teleport SSH access - Browserless Login Python Module for the authentication.

If the process is successful, you will see an output such as:

No Format
> Profile URL:        https://jump.ecmwf.int:443
  Logged in as:       user.address@somewhere.com
  Cluster:            jump.ecmwf.int
  Roles:              
  Logins:             ecmwfusername
  Kubernetes:         disabled
  Valid until:        2022-12-13 20:54:18 +0000 GMT [valid for 4h37m0s]
  Extensions:         permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
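
The "Valid until" line above is what tells you how much of the 12-hour window is left. As an added example (not part of the original page), this reads that value so a script can decide whether to re-authenticate before opening new connections; the function names and the expired-session marker are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): read the remaining certificate
# lifetime out of tsh login/status text like the output shown above.

# stdin: tsh login/status output. Prints whole minutes left; prints 0 when no
# "[valid for ...]" marker is present (expired or logged out).
tsh_minutes_left() {
  dur=$(sed -n 's/^ *Valid until:.*\[valid for \([^]]*\)].*/\1/p' | head -n 1)
  [ -n "$dur" ] || { echo 0; return 0; }
  # Durations look like 4h37m0s, 37m0s or 45s; hours and minutes are optional.
  h=$(printf '%s\n' "$dur" | sed -n 's/^\([0-9][0-9]*\)h.*/\1/p')
  m=$(printf '%s\n' "$dur" | sed -n 's/^\([0-9]*h\)\{0,1\}\([0-9][0-9]*\)m.*/\2/p')
  echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# stdin: status text; $1: minimum minutes required.
# Exit status 0 means "log in again", 1 means the session is still long enough.
tsh_needs_login() {
  left=$(tsh_minutes_left)
  [ "$left" -lt "$1" ]
}

# The "Valid until" line from the page's sample output.
PAGE_SAMPLE='  Valid until:        2022-12-13 20:54:18 +0000 GMT [valid for 4h37m0s]'
# Constructed line for an expired session (the marker text is an assumption).
EXPIRED_SAMPLE='  Valid until:        2022-12-13 20:54:18 +0000 GMT [EXPIRED]'

# Typical use before starting work that will open new connections:
#   tsh status 2>/dev/null | tsh_needs_login 60 && tsh login --proxy=jump.ecmwf.int
```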

...

Subsequent logins


No Format
Direct link to 13.4.20: https://cdn.teleport.dev/teleport-13.4.20.pkg 

You can then run the installer and follow the instructions.

Using brew installer

If you have Homebrew installed on your Mac, then you can install tsh easily with:

Warning

Please be aware that you must use a version of "tsh" equal to or lower than 13. We are working on removing this limitation in the very near future.

No Format
brew install teleport 
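
Since brew does not let you choose the version (see the page comment), it is worth confirming the installed client meets the "equal to or lower than 13" requirement. This check is an added example, not part of the original page; the `tsh version` line format is an assumption and the sample lines are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): confirm the installed tsh client
# satisfies the page's constraint of major version <= 13.
MAX_MAJOR=13

# Print the major version found in a `tsh version` line. Assumed format:
#   Teleport v13.4.20 git:v13.4.20-0-g0000000 go1.21.9
# Prints nothing if the line does not match.
tsh_major() {
  printf '%s\n' "$1" |
    sed -n 's/^Teleport v\([0-9][0-9]*\)\.[0-9][0-9]*\.[0-9][0-9]*.*/\1/p' |
    head -n 1
}

# Exit status: 0 = supported, 1 = too new, 2 = version line not recognised.
tsh_version_ok() {
  major=$(tsh_major "$1")
  [ -n "$major" ] || return 2
  [ "$major" -le "$MAX_MAJOR" ] || return 1
  return 0
}

# Constructed sample lines (the git hash is a placeholder).
SAMPLE_OK='Teleport v13.4.20 git:v13.4.20-0-g0000000 go1.21.9'
SAMPLE_TOO_NEW='Teleport v15.0.0 git:v15.0.0-0-g0000000 go1.21.9'

# Check the client on this machine, if one is installed.
if command -v tsh >/dev/null 2>&1; then
  rc=0
  tsh_version_ok "$(tsh version 2>/dev/null | head -n 1)" || rc=$?
  case "$rc" in
    0) echo "tsh major version is within the supported range" ;;
    1) echo "tsh is newer than v$MAX_MAJOR: install the 13.4.20 package" >&2 ;;
    *) echo "could not parse 'tsh version' output" >&2 ;;
  esac
fi
```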



Authenticating yourself

[Included excerpt "standard_tsh_auth" from the page "Teleport SSH Access - Linux configuration"]

Once you have logged in at least once, tsh will save your proxy settings so you can skip the extra argument next time:

...

Set up your SSH config

We strongly recommend setting up all the SSH options needed for the connection instead of passing them on the command line.

...

Edit the file ~/.ssh/config on your computer and add the snippet below. You may create the file if it does not exist. Replace ecmwfusername with your registered ECMWF user and user.address@somewhere.com with your registered email address at ECMWF.

Code Block
SSH config snippet in ~/.ssh/config
Host jump.ecmwf.int a?-* a??-* hpc-* hpc2020-* ecs-*
  User ecmwfusername 
  IdentityFile ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com
  CertificateFile ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com-ssh/jump.ecmwf.int-cert.pub
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
  ServerAliveInterval 60
  TCPKeepAlive yes

Host a?-* a??-* hpc-* hpc2020-* ecs-*
  ProxyJump jump.ecmwf.int
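
The snippet uses two Host blocks so that login nodes are routed through the gateway while the gateway itself is reached directly. As an added example (not part of the original page), the check below compares the settings OpenSSH resolves for a host against that intent; it assumes `ssh -G` prints lowercase "keyword value" lines, and the sample excerpts are constructed from the page's placeholder names.

```sh
#!/bin/sh
# Added example (not from the original page): check the settings OpenSSH
# resolves for a host against what the snippet above is meant to produce.

# $1: `ssh -G <host>` output (lowercase "keyword value" lines); $2: keyword.
cfg_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# $1: ssh -G output; $2: "node" for a login node, "jump" for the gateway.
# Prints one line per problem and returns the number of problems found.
check_effective() {
  problems=0
  pj=$(cfg_value "$1" proxyjump)
  cert=$(cfg_value "$1" certificatefile)
  if [ "$2" = node ] && [ "$pj" != "jump.ecmwf.int" ]; then
    echo "login node is not routed through jump.ecmwf.int"; problems=$((problems + 1))
  fi
  if [ "$2" = jump ] && [ -n "$pj" ]; then
    echo "the gateway itself must not have a ProxyJump"; problems=$((problems + 1))
  fi
  case "$cert" in
    */jump.ecmwf.int-cert.pub) ;;
    *) echo "CertificateFile is not the tsh-issued certificate"; problems=$((problems + 1)) ;;
  esac
  return "$problems"
}

# Constructed `ssh -G ecs-login` excerpt, using the page's placeholder names.
NODE_OK='user ecmwfusername
hostname ecs-login
proxyjump jump.ecmwf.int
certificatefile ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com-ssh/jump.ecmwf.int-cert.pub'
# Constructed excerpt for the same host when no Host pattern matched
# (for example after a typo in ~/.ssh/config).
NODE_UNMATCHED='user localname
hostname ecs-login'

# Real use: check_effective "$(ssh -G ecs-login)" node
#           check_effective "$(ssh -G jump.ecmwf.int)" jump
```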

...

Not sure about username and email?

You can find the right values for those two parameters in the output of the tsh command:

[Included excerpt "ssh_config" from the page "Teleport SSH Access - Linux configuration"]

...

SSH connection

Once you have configured the appropriate settings, any SSH-based tools such as ssh, scp or rsync should work out of the box without any additional options.

...

Visit our HPCF User Guide for further information.

Troubleshooting

If you cannot connect via SSH and cannot work out why, please raise an issue on our ECMWF Support portal and send us the output of the following commands:

No Format
tsh login
ssh -v ecs-login

Optional: Automating the authentication step

[Included excerpt "auto_tsh_login" from the page "Teleport SSH Access - Linux configuration"]

Troubleshooting

[Included excerpt "report_problem" from the page "Teleport SSH Access - Linux configuration"]
You should also include information about your computer (operating system and Teleport version) to help us narrow down the problem.