...
Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern way, with support for role-based access control and single sign-on. At the moment there are two gateways available:
- jump.ecmwf.int, based in the Bologna Datacentre, best to access Bologna-based hosts (Atos HPCF and others).
- shell.ecmwf.int, based in the Reading Datacentre, best to access Reading-based hosts (Cray HPCF, ECGATE and others).
Note |
---|
The Teleport gateway SSH host keys are currently:
jump.ecmwf.int SHA256:yAJzmK5nCp9R0TIxkfdaLjJt3uf3S0QkxjGX18Ws5EM
shell.ecmwf.int SHA256:ST5P3QlRZdI88o79ozjPdp0+FWTczckLTKzGD2z3xmU
Compare the fingerprint your ssh client shows on first connection against these values before accepting it.
|
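As an added example (not part of the ECMWF page, nor of Teleport's or OpenSSH's own tooling), the following Python script compares `ssh-keyscan` output for the two gateways against the fingerprints published in the note above, so that a changed host key is noticed before a connection is accepted. The function names, the `scan_and_verify` helper and the sample input used in its test are my own constructions; `verify` works on captured `ssh-keyscan` text, while `scan_and_verify` needs network access and the `ssh-keyscan` binary.

```python
"""Check ssh-keyscan output for the Teleport gateways against published
fingerprints (added example; not ECMWF's code)."""
import base64
import hashlib
import subprocess

# Fingerprints as published in the Note on this page. They must come from the
# documentation, not from a live connection, or the comparison proves nothing.
PUBLISHED = {
    "jump.ecmwf.int": "SHA256:yAJzmK5nCp9R0TIxkfdaLjJt3uf3S0QkxjGX18Ws5EM",
    "shell.ecmwf.int": "SHA256:ST5P3QlRZdI88o79ozjPdp0+FWTczckLTKzGD2z3xmU",
}


def openssh_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in OpenSSH's display form: base64 of the SHA-256
    digest of the raw key blob, '=' padding stripped, prefixed 'SHA256:'."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(output: str):
    """Yield (host, keytype, fingerprint) for each key line of ssh-keyscan
    output. Comment lines ('# host:22 SSH-2.0-...') are skipped and a host
    scanned on a non-default port appears as '[host]:port'."""
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # not a 'host keytype base64' line
        host, keytype, key_b64 = parts[0], parts[1], parts[2]
        if host.startswith("[") and "]:" in host:
            host = host[1:host.index("]:")]
        yield host, keytype, openssh_fingerprint(key_b64)


def verify(output: str, published=PUBLISHED) -> dict:
    """Map each published host to True (one of its scanned keys matches),
    False (keys were seen but none match: treat as a possible MITM or a key
    rotation to confirm with ECMWF) or None (host absent from the scan)."""
    seen = {}
    for host, _keytype, fp in parse_keyscan(output):
        if host in published:
            seen.setdefault(host, set()).add(fp)
    return {h: (None if h not in seen else fp in seen[h])
            for h, fp in published.items()}


def scan_and_verify(hosts=tuple(PUBLISHED)) -> dict:
    """Run ssh-keyscan (network required) and verify its output."""
    proc = subprocess.run(["ssh-keyscan", *hosts],
                          capture_output=True, text=True, check=False)
    return verify(proc.stdout)


if __name__ == "__main__":
    for host, ok in scan_and_verify().items():
        print(host, {True: "OK", False: "MISMATCH", None: "not scanned"}[ok])
```

A False result should stop you from connecting until the fingerprint has been confirmed through the ECMWF Support Portal; a None result usually means the scan was blocked or the host name was mistyped.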
Tip |
---|
Please report any feedback or issues through the ECMWF Support Portal. |
...
Run tsh login, giving the location of our gateways. For platforms based in Bologna, such as the Atos HPCF:
Code Block |
---|
|
tsh login --proxy=jump.ecmwf.int:443 |
or for platforms based in Reading, such as ECGATE or the Cray HPCF:
Code Block |
---|
|
tsh login --proxy=shell.ecmwf.int:443 |
Your default web browser will open and you should log in with your email address, your ECMWF password and then your HID (ActivID) token code.
...
No Format |
---|
# Teleport gateways
# Temporary workaround to allow concurrent usage of both gateways
Host shell.ecmwf.int jump.ecmwf.int
IdentityFile ~/.tsh/keys/%h/<email_address>
CertificateFile ~/.tsh/keys/%h/<email_address>-ssh/%h-cert.pub
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa* |
If you are not sure which email address you need to use, run tsh login once and then run the following:
...
Code Block |
---|
|
ssh -J username@jump.ecmwf.int username@destination-host
ssh -J username@shell.ecmwf.int username@destination-host |
For example, if your username is ab0 and you wish to connect to ecgate:
Code Block |
---|
|
ssh -J ab0@shell.ecmwf.int ab0@ecgate |
And if you wish to connect to the Atos HPCF:
Code Block |
---|
|
ssh -J ab0@jump.ecmwf.int ab0@hpc-login |
...
Code Block |
---|
|
# For users without HPC access:
ssh -J ab0@jump.ecmwf.int ab0@ecs-login |
The OpenSSH configuration setting for this is named ProxyJump, e.g. add the following lines to the ~/.ssh/config file on your client system:
Code Block |
---|
|
Host jump.ecmwf.int shell.ecmwf.int
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
User ab0
# For ecgate and Cray HPCF
Host ecg* cc*
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
User ab0
ProxyJump shell.ecmwf.int
# For Atos HPCF
Host a?-* a??-* hpc-* hpc2020-* ecs-*
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
User ab0
ProxyJump jump.ecmwf.int |
OpenSSH 8.5 and later spell the PubkeyAcceptedKeyTypes option PubkeyAcceptedAlgorithms; the older name is kept as an alias, so either works on current clients.
See the Legacy Configuration note below if your ssh client is older than 7.3.
If your connection fails after working for some time, it could be because your tokens have expired. You can check them:
Code Block |
---|
|
$ tsh status
> Profile URL: https://shell.ecmwf.int:443
Logged in as: firstname.lastname@ecmwf.int
Cluster: shell.ecmwf.int
Roles: *
Logins: ab0
Valid until: 2020-06-22 23:26:30 +0100 BST [EXPIRED]
Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty |
The output for jump.ecmwf.int has the same layout. An [EXPIRED] tag on the Valid until line means you need to run tsh login again.
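To turn the check above into something a login script can act on, here is an added Python example (mine, not ECMWF's or Teleport's code) that parses the `tsh status` output shown above and decides whether `tsh login` needs to be run again. `SAMPLE_STATUS` is a constructed copy of the page's output, the function names are my own, and `current_status` assumes `tsh` is on the PATH; it handles the three cases that matter in practice: no profile at all, a certificate tsh already marks as [EXPIRED], and one that is about to expire.

```python
"""Parse `tsh status` and decide whether a new `tsh login` is needed
(added example; not part of the ECMWF page or of tsh)."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout tsh prints for the active profile.
SAMPLE_STATUS = """\
> Profile URL: https://shell.ecmwf.int:443
  Logged in as: firstname.lastname@ecmwf.int
  Cluster: shell.ecmwf.int
  Roles: *
  Logins: ab0
  Valid until: 2020-06-22 23:26:30 +0100 BST [EXPIRED]
  Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
"""

# 'Valid until: 2020-06-22 23:26:30 +0100 BST [EXPIRED]' -> date/time and offset
_VALID_RE = re.compile(
    r"^Valid until:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-]\d{4})")


def parse_status(text: str) -> dict:
    """Return the fields of the first (active, '>'-marked) profile as a dict.
    'valid_until' becomes a timezone-aware datetime (or None if absent) and
    'expired' is True when tsh itself flagged the certificate."""
    info = {"valid_until": None, "expired": None}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower().replace(" ", "_")
        value = value.strip()
        if key == "profile_url" and "profile_url" in info:
            break  # a second profile starts here; only report the active one
        if key == "valid_until":
            m = _VALID_RE.match(line)
            if m:
                info["valid_until"] = datetime.strptime(
                    m.group(1) + m.group(2), "%Y-%m-%d %H:%M:%S%z")
            info["expired"] = "[EXPIRED]" in value
        else:
            info[key] = value
    return info


def needs_login(text: str, now=None, margin=timedelta(minutes=5)) -> bool:
    """True when `tsh login` should be run: no usable profile, tsh reports
    EXPIRED, or the certificate expires within `margin`."""
    info = parse_status(text)
    if info["valid_until"] is None or info["expired"]:
        return True
    now = now or datetime.now(timezone.utc)
    return info["valid_until"] - now <= margin


def current_status() -> dict:
    """Run `tsh status` (tsh must be on PATH) and parse it; tsh writes
    'Not logged in' errors to stderr, so both streams are read."""
    proc = subprocess.run(["tsh", "status"], capture_output=True,
                          text=True, check=False)
    return parse_status(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print("tsh login needed" if needs_login(SAMPLE_STATUS) else "certificate valid")
```

The five-minute margin is there because a certificate that is valid when the check runs can still expire before a long scp transfer finishes; raise it for batch jobs.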
...
Code Block |
---|
|
Host jump.ecmwf.int shell.ecmwf.int
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
User ab0
Host ecgate ecg* cc*
User ab0
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
Host a?-* a??-* hpc-* hpc2020-* ecs-*
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
User ab0
ProxyJump jump.ecmwf.int |
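Several variants of this ~/.ssh/config appear on this page (the ProxyJump configuration earlier and the block just above), and most failed logins come from a Host block that is missing one of the tsh key, certificate or algorithm lines. The following is an added Python example (my own, not ECMWF's or OpenSSH's code) that parses an ssh_config fragment the way ssh resolves it, first matching block wins per option, and reports what is missing for the two gateways and for a representative destination behind each. `SAMPLE_CONFIG` is a constructed copy of the page's configuration with placeholders; the function names and the list of required options are my assumptions about what a working Teleport setup needs, and `!`-negated Host patterns are not handled.

```python
"""Lint a ~/.ssh/config fragment for the ECMWF Teleport gateways
(added example; not ECMWF's or OpenSSH's code)."""
import fnmatch

GATEWAYS = ("jump.ecmwf.int", "shell.ecmwf.int")
# OpenSSH 8.5 renamed PubkeyAcceptedKeyTypes to PubkeyAcceptedAlgorithms and
# keeps the old name as an alias, so either spelling satisfies the check.
PUBKEY_OPTS = ("pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms")
# Destination host -> gateway it must be routed through (from the page).
ROUTES = (("hpc-login", "jump.ecmwf.int"), ("ecgate", "shell.ecmwf.int"))

# Constructed sample in the shape of the page's configuration.
SAMPLE_CONFIG = """
Host jump.ecmwf.int shell.ecmwf.int
IdentityFile ~/.tsh/keys/%h/<email_address>
CertificateFile ~/.tsh/keys/%h/<email_address>-ssh/%h-cert.pub
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
User ab0
# For ecgate and Cray HPCF
Host ecg* cc*
User ab0
ProxyJump shell.ecmwf.int
# For Atos HPCF
Host a?-* a??-* hpc-* hpc2020-* ecs-*
User ab0
ProxyJump jump.ecmwf.int
"""


def parse_ssh_config(text: str):
    """Return a list of (patterns, options) blocks in file order; options are
    (key_lower, value) pairs. Lines before the first Host line land in a
    leading block with pattern '*'. 'key value' and 'key=value' both parse."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            key, _, value = line.partition(" ")
        key, value = key.strip().lower(), value.strip()
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def options_for(blocks, hostname: str) -> dict:
    """Effective options for one host as ssh resolves them: the first block
    that sets an option wins and later blocks cannot override it."""
    effective = {}
    for patterns, options in blocks:
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            for key, value in options:
                effective.setdefault(key, value)
    return effective


def lint_gateway_config(text: str) -> list:
    """Return human-readable findings; an empty list means both gateways and
    a destination behind each are fully configured."""
    blocks = parse_ssh_config(text)
    findings = []
    for gw in GATEWAYS:
        opts = options_for(blocks, gw)
        for required in ("identityfile", "certificatefile"):
            if required not in opts:
                findings.append(f"{gw}: missing {required} (tsh key/cert paths)")
        if not any(k in opts for k in PUBKEY_OPTS):
            findings.append(f"{gw}: no PubkeyAcceptedKeyTypes/Algorithms entry")
        if "hostkeyalgorithms" not in opts:
            findings.append(f"{gw}: no HostKeyAlgorithms entry")
    for dest, gw in ROUTES:
        opts = options_for(blocks, dest)
        routed = gw in opts.get("proxyjump", "") or gw in opts.get("proxycommand", "")
        if not routed:
            findings.append(f"{dest}: not routed through {gw} (ProxyJump/ProxyCommand)")
        if "user" not in opts:
            findings.append(f"{dest}: no User set; ssh will use your local login name")
    return findings


if __name__ == "__main__":
    print(lint_gateway_config(SAMPLE_CONFIG) or "configuration looks complete")
```

Run it on your real file with `lint_gateway_config(open(os.path.expanduser("~/.ssh/config")).read())`; because option resolution is first-match-wins, a stray `Host *` block near the top of the file that sets `User` or `IdentityFile` shows up as a finding rather than silently overriding the gateway blocks.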
Destination Hosts available
The hosts directly available through the Reading Teleport gateway (shell.ecmwf.int) are:
...
Show If |
---|
|
- Linux VDI (both legacy OpenSUSE and production RHEL 8)
- Physical office workstations
To access any other host, the ProxyJump feature allows chaining by using a comma, like so:
Code Block |
---|
|
ssh -J ab0@shell.ecmwf.int,ab0@ecgate ab0@lxc |
You can also set password-less login, as below. |
For hosts based in Bologna through the Bologna Teleport gateway (jump.ecmwf.int):
Configuring password-less login
Info |
---|
This configuration enables single-hop ssh (using ProxyJump) to other ECMWF hosts. Not required for ECGATE, CCA/CCB or Atos HPCF login nodes, Linux physical workstations and Linux VDI. |
Add the Teleport certificate authority to your ~/.ssh/authorized_keys file on the relevant system at ECMWF, e.g. ecgate, cca:
...
Show If |
---|
|
Info |
---|
Only available for ECGATE, CCA/CCB login nodes, Linux physical workstations and Linux VDI. |
|
Hide If |
---|
|
Info |
---|
Only available for ECGATE and CCA/CCB login nodes. |
|
...
Expand |
---|
title | MobaXterm SSH from Windows 10 (ECMWF laptop) |
---|
|
- Install MobaXterm if it is not already on your system
- Download tsh (you may need to instruct antivirus software to ignore the file)
- Start MobaXterm
- Login using tsh (you will always need to specify the --proxy setting)
- Use the following in $HOME/.ssh/config (MobaXterm's home):
Code Block |
---|
|
Host shell.ecmwf.int jump.ecmwf.int
UserKnownHostsFile /drives/c/Users/<windows_user>/.tsh/known_hosts
IdentityFile /drives/c/Users/<windows_user>/.tsh/keys/%h/<email_address>
CertificateFile /drives/c/Users/<windows_user>/.tsh/keys/%h/<email_address>-ssh/%h-cert.pub
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
# For ecgate and Cray HPCF
Host ecg* cc*
User ab0
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
ProxyJump ab0@shell.ecmwf.int
IdentityFile /drives/c/Users/<windows_user>/.tsh/keys/shell.ecmwf.int/<email_address>
CertificateFile /drives/c/Users/<windows_user>/.tsh/keys/shell.ecmwf.int/<email_address>-ssh/shell.ecmwf.int-cert.pub
# For Atos HPCF
Host a?-* a??-* hpc-* hpc2020-* ecs-*
User ab0
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
ProxyJump ab0@jump.ecmwf.int
IdentityFile /drives/c/Users/<windows_user>/.tsh/keys/jump.ecmwf.int/<email_address>
CertificateFile /drives/c/Users/<windows_user>/.tsh/keys/jump.ecmwf.int/<email_address>-ssh/jump.ecmwf.int-cert.pub |
|
...
Expand |
---|
|
- Download tsh (you may need to instruct antivirus software to ignore the file)
- Login using tsh (you will always need to specify the --proxy setting)
- Use an SSH config similar to the one below, replacing the ECMWF user name and registered email address with your own:
Code Block |
---|
|
Host shell.ecmwf.int jump.ecmwf.int
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
User ab0
IdentityFile /cygdrive/c/Users/%u/.tsh/keys/%h/your@email.com
CertificateFile /cygdrive/c/Users/%u/.tsh/keys/%h/your@email.com-ssh/%h-cert.pub
Host ecg* cc*
ProxyJump shell.ecmwf.int
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
User ab0
IdentityFile /cygdrive/c/Users/%u/.tsh/keys/shell.ecmwf.int/your@email.com
CertificateFile /cygdrive/c/Users/%u/.tsh/keys/shell.ecmwf.int/your@email.com-ssh/shell.ecmwf.int-cert.pub
Host a?-* a??-* ecs-* hpc-* hpc2020-*
ProxyJump jump.ecmwf.int
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
User ab0
IdentityFile /cygdrive/c/Users/%u/.tsh/keys/jump.ecmwf.int/your@email.com
CertificateFile /cygdrive/c/Users/%u/.tsh/keys/jump.ecmwf.int/your@email.com-ssh/jump.ecmwf.int-cert.pub |
|
...
Code Block |
---|
|
scp -o ProxyJump=ab0@jump.ecmwf.int ab0@hpc-login:/remote/file/path /local/file/path |
...
Code Block |
---|
|
# ~/.ssh/config file:
Host ecgate
User ab0
ProxyCommand /usr/bin/ssh -q -W %h:%p ab0@shell.ecmwf.int |
Similar setup can be configured to use jump.ecmwf.int for Atos HPCF and other Bologna-based hosts.
...
Recent Fedora Linux distributions (such as Fedora-33) using OpenSSH 8.4p1 no longer accept the "ssh-rsa" signature scheme using the SHA-1 hash algorithm in conjunction with the RSA public key algorithm.
As a workaround for this problem, you may need to add ssh-rsa (rsa-sha2-256 or rsa-sha2-512 can also be used) as a PubkeyAcceptedKeyTypes entry in your ~/.ssh/config file:
Code Block |
---|
|
# ~/.ssh/config file:
Host jump.ecmwf.int shell.ecmwf.int
IdentityFile ~/.tsh/keys/%h/your@email.com
CertificateFile ~/.tsh/keys/%h/your@email.com-ssh/%h-cert.pub
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
User ab0
Host a?-* a??-* ecs-* hpc-* hpc2020-*
User ab0
ProxyJump jump.ecmwf.int
IdentityFile ~/.tsh/keys/jump.ecmwf.int/your@email.com
CertificateFile ~/.tsh/keys/jump.ecmwf.int/your@email.com-ssh/jump.ecmwf.int-cert.pub |
Note you would need to replace your@email.com by your registered email address at ECMWF and ab0 by your own ECMWF user id. A similar setup can be configured for shell.ecmwf.int.
Network Requirements
The service is configured to use only standard ports 22, 80, and 443, to help with access wherever users are.
...