Comment: Removed reference to ActivID Tokens

These are the instructions for installing and configuring Teleport SSH access on Linux to connect to ECMWF services such as the Atos HPCF and ECGATE ECS services.


...


The tsh application is required to perform user authentication.

tsh is open source, very portable, and has minimal dependencies.

Go to the Teleport website and follow the instructions to install it. Typically, if you have administrator permissions on your computer you can install it with:

No Format
curl https://goteleport.com/static/install.sh | bash -s <teleport_version>


Tip: No sudo or administrator privileges?

Click on "Alternative download options", where you may download and extract the tarball for your computer architecture, and place the tsh executable somewhere in your PATH.


Warning

Please be aware that you must use a version of "tsh" equal to or lower than 13. We are working on removing this limitation in the very near future.


Authenticating yourself


Once every 12 hours, you will need to refresh your tokens with the tsh command. SSH connections may remain active for longer than 12 hours, but new connections will require re-authentication.

To authenticate yourself, run tsh, giving the location of our Teleport gateway:

tsh login --proxy=jump.ecmwf.int

Your default web browser will open. You should log in with your email address, your ECMWF password, and then the code from your Time-based One-Time Password (TOTP) device, or the 8-digit one-time passcode from your ActivIdentity (HID) security token if you have not configured your TOTP yet.

Info: Existing sessions

If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped.


Info: Browserless authentication

If your computer does not have a browser or cannot display one, you may use the Teleport SSH access - Browserless Login Python Module for the authentication.

If the process is successful, you will see an output such as:

No Format
> Profile URL:        https://jump.ecmwf.int:443
  Logged in as:       user.address@somewhere.com
  Cluster:            jump.ecmwf.int
  Roles:              
  Logins:             ecmwfusername
  Kubernetes:         disabled
  Valid until:        2022-12-13 20:54:18 +0000 GMT [valid for 4h37m0s]
  Extensions:         permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
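
Because new connections need a fresh login once the certificate lapses, it is useful to check the remaining lifetime before starting a batch of connections. The following is an added example, not part of the original ECMWF instructions; the function names and the sample text are assumptions built from the output format shown above.

```shell
#!/bin/sh
# Added example: reads the "Valid until" line that tsh prints and reports the
# remaining certificate lifetime. Function names are hypothetical.

# Constructed sample in the format of the output shown above.
SAMPLE_STATUS='> Profile URL:        https://jump.ecmwf.int:443
  Logged in as:       user.address@somewhere.com
  Valid until:        2022-12-13 20:54:18 +0000 GMT [valid for 4h37m0s]'

# Print the remaining lifetime in seconds for tsh output read from stdin.
# Prints 0 when there is no "[valid for ...]" marker (expired or logged out).
tsh_valid_seconds() {
  awk '
    /Valid until:/ && match($0, /\[valid for [0-9hms]+\]/) {
      d = substr($0, RSTART + 11, RLENGTH - 12)   # e.g. "4h37m0s"
      total = 0; n = ""
      for (i = 1; i <= length(d); i++) {
        c = substr(d, i, 1)
        if (c ~ /[0-9]/) { n = n c; continue }
        if (c == "h") total += n * 3600
        else if (c == "m") total += n * 60
        else total += n                            # "s"
        n = ""
      }
      found = 1
    }
    END { print (found ? total : 0) }
  '
}

# Succeeds (exit 0) when fewer than $1 seconds remain, i.e. log in again first.
tsh_needs_login() {
  [ "$(tsh_valid_seconds)" -lt "$1" ]
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | tsh_valid_seconds
```

With a real session, `tsh status 2>/dev/null | tsh_needs_login 1800 && tsh login` refreshes the certificate when less than 30 minutes remain.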


Tip: Subsequent logins

Once you have logged in at least once, tsh will save your proxy settings so you can skip the extra argument next time:

No Format
tsh login



...



Code Block
SSH config snippet
Host jump.ecmwf.int a?-* a??-* hpc-* hpc2020-* ecs-*
  User ecmwfusername
  IdentityFile ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com
  CertificateFile ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com-ssh/jump.ecmwf.int-cert.pub
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
  ServerAliveInterval 60
  TCPKeepAlive yes

Host a?-* a??-* hpc-* hpc2020-* ecs-*
  ProxyJump jump.ecmwf.int


Tip: Not sure about username and email?

You can find the right values for those two parameters in the output of the tsh command:

No Format
% tsh login
> Profile URL:        https://jump.ecmwf.int:443
  Logged in as:       user.address@somewhere.com
  Cluster:            jump.ecmwf.int
  Roles:
  Logins:             ecmwfusername
  Kubernetes:         disabled
  Valid until:        2022-12-13 20:54:18 +0000 GMT [valid for 3h56m0s]
  Extensions:         permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
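
To avoid copying the username and email by hand, the SSH config snippet can be generated from the tsh output. The following is an added example, not part of the original ECMWF instructions; `tsh_ssh_config` is a hypothetical helper name and the sample text is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: builds the SSH config snippet from tsh output.
# tsh_ssh_config is a hypothetical helper name.

# Constructed sample in the format of the tsh output shown above.
SAMPLE_LOGIN='> Profile URL:        https://jump.ecmwf.int:443
  Logged in as:       user.address@somewhere.com
  Cluster:            jump.ecmwf.int
  Logins:             ecmwfusername'

# Read tsh output on stdin, print the matching SSH config on stdout.
# Exits non-zero if a field is missing or the login is not a plain username.
tsh_ssh_config() {
  awk '
    /Logged in as:/ { email = $NF }
    /Cluster:/      { proxy = $NF }
    /Logins:/ {
      sub(/^.*Logins:[ \t]*/, ""); sub(/[ \t]+$/, "")
      split($0, logins, /,[ \t]*/)      # several logins: use the first
      user = logins[1]
    }
    END {
      if (email == "" || proxy == "" || user !~ /^[A-Za-z0-9._-]+$/) exit 1
      hosts = "a?-* a??-* hpc-* hpc2020-* ecs-*"
      key = "~/.tsh/keys/" proxy "/" email
      print "Host " proxy " " hosts
      print "  User " user
      print "  IdentityFile " key
      print "  CertificateFile " key "-ssh/" proxy "-cert.pub"
      print "  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512"
      print "  PubkeyAcceptedKeyTypes +ssh-rsa*"
      print "  ServerAliveInterval 60"
      print "  TCPKeepAlive yes"
      print ""
      print "Host " hosts
      print "  ProxyJump " proxy
    }
  '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOGIN" | tsh_ssh_config
```

With a real session, run `tsh status | tsh_ssh_config` and review the output before adding it to your ssh config file.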



Tip: VSCode and Remote SSH

If you are using Visual Studio Code with the Remote SSH extension, it will not recognise hosts with wildcards as defined in the previous SSH config file.

You may append an explicit entry for the desired hosts in your ssh config file:

No Format
Host ecs-login hpc-login



...

No Format
Host a?-* a??-* hpc-* hpc2020-* ecs-*
  ProxyCommand /usr/bin/ssh -q -o PubkeyAcceptedKeyTypes=+ssh-rsa* -oHostKeyAlgorithms=+ssh-rsa*,rsa-sha2-512 -i ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com -oCertificateFile=~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com-ssh/jump.ecmwf.int-cert.pub -W %h:%p ecmwfusername@jump.ecmwf.int

...

If you cannot log in to Teleport or connect via SSH and you are not able to understand why, please raise an issue in our ECMWF Support portal and send us the output of the following commands:

No Format
tsh version
tsh login --proxy=jump.ecmwf.int
ssh -V
ssh -v ecs-login

You should also include information about your computer (operating system) to help us narrow down the problem.

...