Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern way, with support for role-based access control and single sign-on.
| Warning |
|---|
Teleport is meant to be the future replacement for the ecAccess SSH service. Both services are currently operational available and can be widely used at this point, but note that only Teleport will be is available for the new data centre in Bologna. |
| Note |
|---|
The Teleport gateway SSH Host Key is currently: |
| Tip |
|---|
Please report any feedback or issues through the ECMWF Support Portal . |
| Table of Contents | ||
|---|---|---|
|
Overview
The Teleport service provides:
- Single SSH hop from client systems anywhere on the internet to servers inside ECMWF (ecGate, HPC, etc)
- Re-authentication required only every 12 hours (once per day)
- Integration with standard tools such as the OpenSSH ssh client, scp, and ssh-agent
- Web-SSH interface for in-browser terminal access, with scp
- X11 and Port forwarding
The single sign-on step is performed using an application called "tsh", every 12 hours.
After that you use standard ssh or scp to connect to systems inside ECMWF.
Alternatively you can have simple terminal access in a web browser.
Downloading tsh
The tsh application is required to perform user authentication once every 12 hours.
tsh is open source, very portable, and has minimal dependencies.
- Download from the Gravitational website and place into your
$PATH
The binary is available for Linux 32-bit, 64-bit, and ARM, as well as Windows 64-bit and a signed package for MacOS.
MacOS users can also use homebrew for installation (brew install teleport).
User Authentication
Once every 12 hours, you will need to refresh your tokens with the tsh command, through your web browser.
| Info |
|---|
SSH connections can remain active for longer than 12 hours, but new ones will require re-authentication. |
First Time
Run tsh, giving the location of our gateway:
| Code Block | ||||
|---|---|---|---|---|
| ||||
tsh login --proxy=shell.ecmwf.int:443 |
Your default web browser will open and you should login with your email address, ECMWF password, and then HID (ActivID) Token code.
| Info |
|---|
If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped. |
Subsequent Occasions
Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern way, with support for role-based access control and single sign-on. At the moment there are two gateways available:
- shell.ecmwf.int based in Reading Datacentre, best to access Reading-based hosts (Cray HPCF, ECGATE and others).
- jump.ecmwf.int based in Bologna Datacentre, best to access Bologna-based hosts (Atos HPCF)
| Note |
|---|
The Teleport gateway SSH Host Keys are currently:
|
| Tip |
|---|
Please report any feedback or issues through the ECMWF Support Portal . |
| Table of Contents | ||
|---|---|---|
|
Overview
The Teleport service provides:
- Single SSH hop from client systems anywhere on the internet to servers inside ECMWF (ecGate, HPC, etc)
- Re-authentication required only every 12 hours (once per day)
- Integration with standard tools such as the OpenSSH ssh client, scp, and ssh-agent
- Web-SSH interface for in-browser terminal access, with scp
- X11 and Port forwarding
The single sign-on step is performed using an application called "tsh", every 12 hours.
After that you use standard ssh or scp to connect to systems inside ECMWF.
Alternatively you can have simple terminal access in a web browser.
Downloading tsh
The tsh application is required to perform user authentication once every 12 hours.
tsh is open source, very portable, and has minimal dependencies.
- Download from the Gravitational website and place into your
$PATH
The binary is available for Linux 32-bit, 64-bit, and ARM, as well as Windows 64-bit and a signed package for MacOS.
MacOS users can also use homebrew for installation (brew install teleport).
User Authentication
Once every 12 hours, you will need to refresh your tokens with the tsh command, through your web browser.
| Info |
|---|
SSH connections can remain active for longer than 12 hours, but new ones will require re-authentication. |
First Time
Run tsh, giving the location of our gateways. For platforms based in Reading:
| Code Block | ||||
|---|---|---|---|---|
| ||||
tsh login --proxy=shell.ecmwf.int:443 |
or for Bologna hosts such as the Atos HPCF:
| Code Block | ||||
|---|---|---|---|---|
| ||||
tsh login --proxy=jump.ecmwf.int:443 |
Your default web browser will open and you should login with your email address, ECMWF password, and then HID (ActivID) Token code.
| Info |
|---|
If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped. |
Subsequent Occasions
if you only use one of the gateways, on subsequent occasions you may just do:
| Code Block | ||||
|---|---|---|---|---|
| ||||
tsh login |
If you use both, you will need to specify which one you want to login, otherwise it will just pick the last one used.
Connecting to hosts through the gateway
| Info |
|---|
Windows users should skip to our Guide for Windows SSH to ECMWF. |
OpenSSH 7.3 or later has a simple command line option to connect via our gateway to the destination-host:
| Code Block | ||
|---|---|---|
| ||
ssh -J username@shell.ecmwf.int username@destination-host
ssh -J username@jump.ecmwf.int username@destination-host |
For example, if your username is ab0 and you wish to connect to ecgate:
| Code Block | ||||
|---|---|---|---|---|
| ||||
tsh login |
Connecting to hosts through the gateway
| Info |
|---|
Windows users should skip to our Guide for Windows SSH to ECMWF. |
ssh -J ab0@shell.ecmwf.int ab0@ecgate |
And if you wish to connect to Atos HPCF:
| Code Block | ||||
|---|---|---|---|---|
| ||||
ssh -J ab0@jump.ecmwf.int ab0@aa-login |
The OpenSSH configuration setting for this is named ProxyJump, e.g. add the following lines in the ~/.ssh/conf file on you client systemOpenSSH 7.3 or later has a simple command line option to connect via our gateway (shell.ecmwf.int) to the destination-host:
| Code Block | ||
|---|---|---|
| ||
ssh -J username@shell.ecmwf.int username@destination-host |
For example, if your username is ab0 and you wish to connect to ecgate:
| Code Block | ||||
|---|---|---|---|---|
| ||||
ssh -J ab0@shell.ecmwf.int ab0@ecgate |
The OpenSSH configuration setting for this is named ProxyJump:
| ||
# For ecgate and Cray HPCF
Host ecg* cc*
User ab0
ProxyJump shell.ecmwf.int
# For Atos HPCF
Host a?-* a??-* ecs-login | ||
| Code Block | ||
|---|---|---|
| ||
Host ecgate User ab0 ProxyJump ab0@shelljump.ecmwf.int |
See the Legacy Configuration note below if your ssh client is older than 7.3.
...
The hosts directly available through the Reading Teleport gateway (shell.ecmwf.int) are:
- ECGATE (interactive node only)
- CCA and CCB login nodes
| Show If | |||||
|---|---|---|---|---|---|
| |||||
To access any other host, the
You can also set password-less login, as below. |
For hosts based in Bologna through the Bolgona Teleport gateway (jump.ecmwf.int):
- Atos HPCF, including ECS
Configuring password-less login
| Info |
|---|
This configuration enables single-hop ssh (using ProxyJump) to other ECMWF hosts. Not required for ECGATE, CCA/CCB or Atos HPCF login nodes, Linux physical workstations and Linux VDI. |
...
| Code Block | ||
|---|---|---|
| ||
# ~/.ssh/config file: Host ecgate User ab0 ProxyCommand /usr/bin/ssh -q -W %h:%p ab0@shellab0@shell.ecmwf.int |
Similar setup can be configured to use jump.ecmwf.int
...
for Atos HPCF and other Bologna-based hosts.
Difficult client environments
...
This is a good way to access Teleport credentials via a shared file system from any host.
Similar setup can be configured to use jump.ecmwf.int for Atos HPCF and other Bologna-based hosts.
Even more difficult client environments
...
| Code Block | ||
|---|---|---|
| ||
# ~/.ssh/config file: Host ecgate User ab0 PubkeyAcceptedKeyTypes +ssh-rsa IdentityFile ~/.tsh/keys/shell.ecmwf.int/firstname.lastname@ecmwf.int ProxyCommand /usr/bin/ssh -q -o PubkeyAcceptedKeyTypes=+ssh-rsa -i ~/.tsh/keys/shell.ecmwf.int/firstname.lastname@ecmwf.int -W %h:%p ab0@shell.ecmwf.int |
Similar setup can be configured to use jump.ecmwf.int for Atos HPCF and other Bologna-based hosts.
Network Requirements
The service is configured to use only standard ports 22, 80, and 443, to help with access wherever users are.
...