Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern , way, with support for role-based access control , and single sign-on. It is a replacement for the ecAccess SSH service, and is operated by the CD Apps team and User Support.

Downloading tsh 

The tsh application is required to perform user authentication once every eight hours.

tsh is open source, very portable, and has minimal dependencies.

• Download from the Gravitational website and place into your $PATH 

The binary is available for Linux 32-bit, 64-bit, and ARM, as well as signed packages for MacOS and Windows 64-bit.

User Authentication

Once every eight hours, you will need to refresh your tokens by logging in to the ECMWF website.

First Time

Run tsh, giving the location of our gateway:

tsh login --proxy=shell.ecmwf.int:443

Your default web browser will open and you should login with your email address, workstation password, and then HID Token code.

Subsequent Occasions

tsh login

Configuring servers and workstations for Teleport

At the destination host end, openssh needs to be configured to trust the SSH Certificate that your client is passing.

This can be done at the server level for all users, or by an individual user within their own account.

A user can add the following to their ~/.ssh/authorized_keys file:

cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN85frMTtRzQaVjkHGM3NTOJD/5awWn2i1sAofzlO0PXM1jX/H+4zQKn1+ATUqU+TTU2v3V7fhZm0cWqRrofSLDVC80FkCFqzZRq2E4kMBP5sx4yf/mBKLzJ6luE8eV/3W0V6KEch5TV2ON8ltwFPWjB3D/puPU010UOJH/arlpW5h+n9dAtBCAtVuMYBEz/5uWcKcTJkFe2usQTVmpiEmt/yAx4LfLTFPs2+izLo+N3dBW92HFnKnQftZI5s8ysOENbKmxdWfcxdID5E91oneAvkmEKBeUutlYY3GV9621iuKnlEw6WF8wfQapdozzhSyb+LhqPDiBRotnerhA69/ clustername=tele&type=user

A server administrator can place the same key into /etc/ssh/teleport-user-ca.pub

They would then add the following to their /etc/ssh/sshd_config  file:

AuthorizedKeysFile /etc/ssh/teleport-user-ca.pub .ssh/authorized_keys .ssh/authorized_keys2

Connecting to hosts through Teleport

Your ssh client will need to know about the Teleport gateway (proxy).

For OpenSSH 7.3 or newer, add the following to your configuration (~/.ssh/config):

Host ecmwf-hpcf
  HostName  hpcf-login.ecmwf.int
  ProxyJump tele.ecmwf.int:3023
  ForwardX11 yes

For OpenSSH clients up to 7.2, the following will work instead:

Host ecmwf-hpcf
  HostName hpcf-login.ecmwf.int
  ProxyCommand /usr/bin/ssh -q -p 3023 -W %h:%p tele.ecmwf.int
  ForwardX11 yes

Then, you can connect to the destination host:

ssh ecmwf-hpcf

SCP, X11 and Port Forwarding

scp, X11, and port forwarding will all work through the Teleport gateway.

Of course, such features also need to be permitted on the destination server or workstation.

used to access a number of services at ECMWF, including our Atos HPCF and ECS services. The service provides:

• Single SSH hop from client systems anywhere on the internet to servers inside ECMWF (HPC, etc)
• Re-authentication required only every 12 hours (usually once per working day)
• Integration with standard tools such as the OpenSSH ssh client, scp, and ssh-agent
• X11 and Port forwarding

The single sign-on step is performed using an application called "tsh". After that you use standard ssh or scp to connect to systems inside ECMWF.

Here are the instructions on how to set it up depending on your platform:

• Teleport SSH Access - Mac configuration
• Teleport SSH Access - Linux configuration
• Teleport SSH Access - Windows Terminal and Powershell configuration
• Teleport SSH Access - Windows Subsystem for Linux (WSL)
• Teleport SSH Access - Windows MobaXterm configuration
• Teleport SSH Access - Windows Cygwin configuration