Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern , way, with support for role-based access control , and single sign-on. It is a replacement for the ecAccess SSH service, and is operated by the CD Apps team and User Services.
Warning |
---|
This service is under development. Please continue to use the existing ECAccess service! |
Table of Contents | ||
---|---|---|
|
Overview
The Teleport used to access a number of services at ECMWF, including our Atos HPCF and ECS services. The service provides:
- Single SSH hop from client systems anywhere on the internet to servers inside ECMWF (ecGate, HPC, etc)
- Web single sign-on using ECMWF's website and the HID token
- Eight hour sessions allowing multiple connections between re-authenticationRe-authentication required only every 12 hours (usually once per working day)
- Integration with standard tools such as the OpenSSH ssh client, scp, and ssh-agent
- X11 and Port forwarding
The single sign-on step is performed using an application called "tsh
", every eight hours.After . After that you use standard ssh or scp to connect to systems inside ECMWF.
Downloading tsh
The tsh
application is required to perform user authentication once every eight hours.
tsh
is open source, very portable, and has minimal dependencies.
- Download from the Gravitational website and place into your
$PATH
The binary is available for Linux 32-bit, 64-bit, and ARM, as well as signed packages for MacOS and Windows 64-bit.
MacOS users can also use homebrew for installation (brew install teleport
).
Note |
---|
We are still working on describing the configuration for Windows clients. |
User Authentication
Once every eight hours, you will need to refresh your tokens by logging in to the ECMWF website.
Tip |
---|
SSH connections can remain active for longer than eight hours, but new ones will require re-authentication. |
First Time
Run tsh
, giving the location of our gateway:
Code Block | ||||
---|---|---|---|---|
| ||||
tsh login --proxy=shell.ecmwf.int:443 |
Your default web browser will open and you should login with your email address, workstation password, and then HID Token code.
Tip |
---|
If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped. |
Subsequent Occasions
Code Block | ||||
---|---|---|---|---|
| ||||
tsh login |
Connecting to hosts through the gateway
OpenSSH 7.3 or later has a simple command line option to connect via our gateway (shell.ecmwf.int
) to the destination-host
:
Code Block | ||
---|---|---|
| ||
ssh -J username@shell.ecmwf.int username@destination-host |
For example, if your username is ab0
and you wish to connect to ecgate
:
Code Block | ||||
---|---|---|---|---|
| ||||
ssh -J ab0@shell.ecmwf.int ab0@ecgate |
The OpenSSH configuration setting for this is named ProxyJump
.
See the Legacy Configuration note below if your ssh client is older than 7.3.
Destination Hosts available
Destination hosts available through the Teleport gateway are:
- Linux VDI (both legacy OpenSUSE and CENTOS 8 beta)
- Physical office workstations
- ecGate
- HPC2020 TEMS
Configuring passwordless login
With the initial configuration you may be prompted for a password at the destination-host
.
For login without a password, add the Teleport certificate authority to your ~/.ssh/authorized_keys
file:
Code Block | ||||
---|---|---|---|---|
| ||||
curl -fs https://nexus.ecmwf.int/repository/internal-teleport-configs/prod/teleport_user_ca.pub >> ~/.ssh/authorized_keys |
Tip |
---|
This configuration will allow access to any host which mounts the same |
Other Notes
SCP, X11, Agent, and Port Forwarding
scp, agent, and port forwarding will work through the Teleport gateway.
Note |
---|
X11 forwarding will work in a couple of months when we have an update from the vendor. |
Legacy Configuration
For OpenSSH clients older than 7.3, the following will work in your ~/.ssh/config
file:
Code Block | ||
---|---|---|
| ||
Host ecgate
Username ab0
ProxyCommand /usr/bin/ssh -q -W %h:%p shell.ecmwf.int
|
Difficult client environments
You might not be able to download and run tsh
, or access our web login service, from where you wish to use ssh.
Instead you can use (or copy) the identity file which tsh
stores in $HOME
:
Code Block | ||
---|---|---|
| ||
# ~/.ssh/config file:
Host ecgate
Username ab0
IdentityFile ~/.tsh/keys/shell.ecmwf.int/firstname.lastname@ecmwf.int
ProxyCommand /usr/bin/ssh -i ~/.tsh/keys/shell.ecmwf.int/firstname.lastname@ecmwf.int -W %h:%p shell.ecmwf.int |
...
Here are the instructions on how to set it up depending on your platform:
- Teleport SSH Access - Mac configuration
- Teleport SSH Access - Linux configuration
- Teleport SSH Access - Windows Terminal and Powershell configuration
- Teleport SSH Access - Windows Subsystem for Linux (WSL)
- Teleport SSH Access - Windows MobaXterm configuration
- Teleport SSH Access - Windows Cygwin configuration
Info | ||
---|---|---|
| ||
If you are a system administrator setting up access to teleport from your organisation, have a look at the Teleport SSH Access - Network requirements for additional information on how this system works and its network requirements. |
Warning |
---|
Please be aware that you must use a version of "tsh" equal to or lower than 13. We are working on removing this limitation in the very near future |