Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern , way, with support for role-based access control , and single sign-on. It is a replacement for the ecAccess SSH service, and is operated by the CD Apps team and User Support.
| Warning |
|---|
This service is under development and not widely accessible. Please continue to use the existing ECAccess service! |
Please read all the introductory "understanding" sections (even if you think you know them), so that the presentation of Teleport makes sense in context.
| Table of Contents |
|---|
| Table of Contents |
|---|
| Warning |
|---|
This service is under development and not widely accessible. Please continue to use the existing ECAccess SSH service. |
Downloading tsh
The tsh application is required to perform the single sign-on step once per day.
As tsh is written in Go, it is very portable and has minimal dependencies.
- Download from the Gravitational website and place into your
$PATH
The binary is available for Linux 32-bit, 64-bit, and ARM, as well as MacOS and Windows 64-bit.
Initial login
Run tsh, giving the location of our Teleport gateway:
| Code Block | ||
|---|---|---|
| ||
tsh login --proxy=tele.ecmwf.int |
| Tip |
|---|
Subsequent logins can omit the |
Your default web browser will open and you should login with your email address and token code workstation password.
| Warning |
|---|
The web login requires our workstation credentials, not the one-time password of ActivID tokens. This will be changed soon. |
To see the credentials that tsh was given, their attributes and remaining lifetime, run:
| Code Block | ||
|---|---|---|
| ||
$ tsh status
> Profile URL: https://tele.ecmwf.int:3080
Logged in as: oliver.gorwits@ecmwf.int
Cluster: tele
Roles: *
Logins: sy0
Valid until: 2019-11-13 17:10:03 +0000 GMT [valid for 55m0s]
Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty |
| Note |
|---|
During testing phase, we are only issuing one-hour credentials. Normally it would be for a working day. |
Configuring servers and workstations for Teleport
At the destination host end, openssh needs to be configured to trust the SSH Certificate that your client is passing.
This can be done at the server level for all users, or by an individual user within their own account.
| Info |
|---|
If a user configures this for their own account, it will potentially allow access to any other system using the same |
A user can add the following to their ~/.ssh/authorized_keys file:
| Code Block | ||
|---|---|---|
| ||
cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN85frMTtRzQaVjkHGM3NTOJD/5awWn2i1sAofzlO0PXM1jX/H+4zQKn1+ATUqU+TTU2v3V7fhZm0cWqRrofSLDVC80FkCFqzZRq2E4kMBP5sx4yf/mBKLzJ6luE8eV/3W0V6KEch5TV2ON8ltwFPWjB3D/puPU010UOJH/arlpW5h+n9dAtBCAtVuMYBEz/5uWcKcTJkFe2usQTVmpiEmt/yAx4LfLTFPs2+izLo+N3dBW92HFnKnQftZI5s8ysOENbKmxdWfcxdID5E91oneAvkmEKBeUutlYY3GV9621iuKnlEw6WF8wfQapdozzhSyb+LhqPDiBRotnerhA69/ clustername=tele&type=user |
A server administrator can place the same key into /etc/ssh/teleport-user-ca.pub
They would then add the following to their /etc/ssh/sshd_config file:
| Code Block |
|---|
AuthorizedKeysFile /etc/ssh/teleport-user-ca.pub .ssh/authorized_keys .ssh/authorized_keys2 |
| Tip |
|---|
Having a dedicated file for the trusted key means that it can easily be rotated using configuration automation. |
Connecting to hosts through Teleport
Your ssh client will need to know about the Teleport gateway (proxy).
For OpenSSH 7.3 or newer, add the following to your configuration (~/.ssh/config):
| Code Block | ||
|---|---|---|
| ||
Host ecmwf-hpcf
HostName hpcf-login.ecmwf.int
ProxyJump tele.ecmwf.int:3023
ForwardX11 yes |
For OpenSSH clients up to 7.2, the following will work instead:
| Code Block | ||
|---|---|---|
| ||
Host ecmwf-hpcf
HostName hpcf-login.ecmwf.int
ProxyCommand /usr/bin/ssh -q -p 3023 -W %h:%p tele.ecmwf.int
ForwardX11 yes |
| Info |
|---|
|
| Info |
|---|
hpcf-login.ecmwf.int is the host name of whatever destination server or workstation you wish to reach. |
Then, you can connect to the destination host:
| Code Block | ||
|---|---|---|
| ||
ssh ecmwf-hpcf |
| Tip |
|---|
No password will be required. |
SCP, X11 and Port Forwarding
scp, X11, and port forwarding will all work through the Teleport gateway.
Of course, such features also need to be permitted on the destination server or workstation.
used to access a number of services at ECMWF, including our Atos HPCF and ECS services. The service provides:
- Single SSH hop from client systems anywhere on the internet to servers inside ECMWF (HPC, etc)
- Re-authentication required only every 12 hours (usually once per working day)
- Integration with standard tools such as the OpenSSH ssh client, scp, and ssh-agent
- X11 and Port forwarding
The single sign-on step is performed using an application called "tsh". After that you use standard ssh or scp to connect to systems inside ECMWF.
Here are the instructions on how to set it up depending on your platform:
- Teleport SSH Access - Mac configuration
- Teleport SSH Access - Linux configuration
- Teleport SSH Access - Windows Terminal and Powershell configuration
- Teleport SSH Access - Windows Subsystem for Linux (WSL)
- Teleport SSH Access - Windows MobaXterm configuration
- Teleport SSH Access - Windows Cygwin configuration
| Info | ||
|---|---|---|
| ||
If you are a system administrator setting up access to teleport from your organisation, have a look at the Teleport SSH Access - Network requirements for additional information on how this system works and its network requirements. |
| Warning |
|---|
Please be aware that you must use a version of "tsh" equal to or lower than 13. We are working on removing this limitation in the very near future |
| Tip |
See the |