Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: make jump more prominent over shell, add new settings to ssh configs

...

Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern way, with support for role-based access control and single sign-on. At the moment there are two gateways available:

  • jump.ecmwf.int based in the Bologna Datacentre, best to access Bologna-based hosts (Atos HPCF, ECGATE and others).
  • shell.ecmwf.int based in the Reading Datacentre, best to access Reading-based hosts (Cray HPCF, ECGATE and others).
Note

The Teleport gateway SSH Host Keys are currently:

jump.ecmwf.int  SHA256:yAJzmK5nCp9R0TIxkfdaLjJt3uf3S0QkxjGX18Ws5EM

shell.ecmwf.int SHA256:ST5P3QlRZdI88o79ozjPdp0+FWTczckLTKzGD2z3xmU
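As an added example, not part of the ECMWF page: a Python script that recomputes the OpenSSH SHA256 fingerprint of public keys given in known_hosts / ssh-keyscan format (for instance the output of `ssh-keyscan jump.ecmwf.int`, or the gateway's line in ~/.tsh/known_hosts) and compares them with the values published in this Note. The key it is tested with is a constructed toy key; hashed known_hosts entries are not matched.

```python
"""Check Teleport gateway host keys against the fingerprints published above.

Added example, not part of the ECMWF documentation. Input lines use the
known_hosts / ssh-keyscan format (for instance from ~/.tsh/known_hosts); the
fingerprint is OpenSSH's: base64(SHA-256(raw key blob)) with '=' padding removed.
"""
import base64
import hashlib
import struct

# Fingerprints published on this page for the two Teleport gateways.
PUBLISHED = {
    "jump.ecmwf.int": "SHA256:yAJzmK5nCp9R0TIxkfdaLjJt3uf3S0QkxjGX18Ws5EM",
    "shell.ecmwf.int": "SHA256:ST5P3QlRZdI88o79ozjPdp0+FWTczckLTKzGD2z3xmU",
}

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts_line(line):
    """Return (hostnames, keytype, blob), or None for blank/comment lines."""
    parts = line.split()
    if parts and parts[0].startswith("@"):  # marker such as @cert-authority
        parts = parts[1:]
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    return parts[0].split(","), parts[1], parts[2]  # trailing comments ignored

def check_lines(lines, published=PUBLISHED):
    """Map each published gateway to 'ok', 'MISMATCH' or 'missing'."""
    result = {host: "missing" for host in published}
    for line in lines:
        parsed = parse_known_hosts_line(line)
        if parsed is None:
            continue
        hosts, _keytype, blob = parsed
        for host in set(hosts) & set(published):
            result[host] = "ok" if fingerprint(blob) == published[host] else "MISMATCH"
    return result

def toy_rsa_blob(e=65537, n=0xC0FFEE):
    """Constructed ssh-rsa blob (string 'ssh-rsa', mpint e, mpint n); a toy key, not a real one."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    def mpint(x):  # big-endian with a leading 0x00 byte when the top bit is set
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return base64.b64encode(ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)).decode()
```

A MISMATCH for a gateway is a reason to stop and confirm the key through the ECMWF Support Portal before connecting.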


Tip

Please report any feedback or issues through the ECMWF Support Portal.

...

Run tsh, giving the location of our gateways. For platforms based in Bologna such as the Atos HPCF:

tsh login --proxy=jump.ecmwf.int:443

or for platforms based in Reading such as the ECGATE or Cray HPCF:

tsh login --proxy=shell.ecmwf.int:443

Your default web browser will open and you should log in with your email address, ECMWF password, and then your HID (ActivID) Token code.

...

# Teleport gateways
# Temporary workaround to allow concurrent usage of both gateways
Host shell.ecmwf.int jump.ecmwf.int
    IdentityFile ~/.tsh/keys/%h/<email_address>
    CertificateFile ~/.tsh/keys/%h/<email_address>-ssh/%h-cert.pub
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*

If you are not sure what email address you need to use, just run the tsh login once and run the following:

...

ssh -J username@jump.ecmwf.int username@destination-host
ssh -J username@shell.ecmwf.int username@destination-host

For example, if your username is ab0 and you wish to connect to ecgate:

ssh -J ab0@shell.ecmwf.int ab0@ecgate

And if you wish to connect to Atos HPCF:

ssh -J ab0@jump.ecmwf.int ab0@hpc-login

...

# For users without HPC access:
ssh -J ab0@jump.ecmwf.int ab0@ecs-login


The OpenSSH configuration setting for this is named ProxyJump, e.g. add the following lines in the ~/.ssh/config file on your client system:

# Teleport gateways
Host jump.ecmwf.int shell.ecmwf.int
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User ab0

# For ecgate and Cray HPCF
Host ecg* cc*
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User ab0
    ProxyJump shell.ecmwf.int

# For Atos HPCF
Host a?-* a??-* hpc-* hpc2020-* ecs-*
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User ab0
    ProxyJump jump.ecmwf.int

See the Legacy Configuration note below if your ssh client is older than OpenSSH 7.3.

If your connection fails after working for some time, it could be because your tokens have expired. You can check them:

$ tsh status
> Profile URL:  https://jump.ecmwf.int:443
  Logged in as: firstname.lastname@ecmwf.int
  Cluster:      jump.ecmwf.int
  Roles:        *
  Logins:       ab0
  Valid until:  2020-06-22 23:26:30 +0100 BST [EXPIRED]
  Extensions:   permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
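The expiry check above can be scripted before a batch of scp/ssh jobs. As an added example (not from the ECMWF page), this Python snippet parses `tsh status` output in the format shown, one block per profile with the active one marked `>`, and returns the `tsh login --proxy=...` command for every profile whose certificate has expired; it assumes the caller has already run `tsh status` and captured its text.

```python
"""Pre-flight check on `tsh status` output: which Teleport profiles need a new login?

Added example, not part of the ECMWF documentation. It parses the format shown
above (one block per 'Profile URL', the active one marked '>') and returns the
`tsh login --proxy=...` command for every profile whose certificate has expired.
SAMPLE_STATUS is the page's own output, embedded here for offline use.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

SAMPLE_STATUS = """\
> Profile URL:  https://jump.ecmwf.int:443
  Logged in as: firstname.lastname@ecmwf.int
  Cluster:      jump.ecmwf.int
  Roles:        *
  Logins:       ab0
  Valid until:  2020-06-22 23:26:30 +0100 BST [EXPIRED]
  Extensions:   permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
"""

FIELD = re.compile(r"^>?\s*([A-Za-z ]+?):\s+(.*?)\s*$")          # "  Key:   value"
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}")  # drops the 'BST' suffix

def parse_profiles(text):
    """Split the output into one dict per profile; keys are the printed field names."""
    profiles = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Profile URL":
            profiles.append({"proxy": urlparse(value).netloc, "active": line.startswith(">")})
        elif profiles:
            profiles[-1][key] = value
    return profiles

def expired(profile, now=None):
    """True if tsh flags [EXPIRED], the expiry time has passed, or no expiry is shown."""
    until = profile.get("Valid until", "")
    m = STAMP.search(until)
    if "[EXPIRED]" in until or m is None:
        return True
    when = datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S %z")
    return when <= (now or datetime.now(timezone.utc))

def relogin_commands(text, now=None):
    """`tsh login` command (as an argv list) for each profile that is expired."""
    return [["tsh", "login", f"--proxy={p['proxy']}"] for p in parse_profiles(text) if expired(p, now)]
```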

...

Host jump.ecmwf.int shell.ecmwf.int
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User ab0

Host ecgate ecg* cc*
    User ab0
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*

Host a?-* a??-* hpc-* hpc2020-* ecs-*
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User ab0
    ProxyJump jump.ecmwf.int

Destination Hosts available

The hosts directly available through the Bologna Teleport gateway (jump.ecmwf.int) are:

  • Atos HPCF, including ECS

The hosts directly available through the Reading Teleport gateway (shell.ecmwf.int) are:

...

  • Linux VDI (both legacy OpenSUSE and production RHEL 8)
  • Physical office workstations

To access any other host, the ProxyJump feature allows chaining by using a comma, like so:

ssh -J ab0@shell.ecmwf.int,ab0@ecgate ab0@lxc

You can also set up password-less login, as below.


Configuring password-less login

Info

This configuration enables single-hop ssh (using ProxyJump) to other ECMWF hosts.

Not required for ECGATE, CCA/CCB or Atos HPCF login nodes, Linux physical workstations and Linux VDI.

Add the Teleport certificate authority to your ~/.ssh/authorized_keys file on the relevant system at ECMWF, e.g. ecgate, cca:

...

Info

Only available for ECGATE, CCA/CCB login nodes, Linux physical workstations and Linux VDI.


...

MobaXterm SSH from Windows 10 (ECMWF laptop)

  1. Install MobaXterm if it is not already on your system
  2. Download tsh (you may need to instruct antivirus software to ignore the file)
  3. Start MobaXterm
  4. Log in using tsh (you will always need to specify the --proxy setting)
  5. Use the following in $HOME/.ssh/config (MobaXterm's home):

Host shell.ecmwf.int jump.ecmwf.int
    UserKnownHostsFile /drives/c/Users/<windows_user>/.tsh/known_hosts
    IdentityFile /drives/c/Users/<windows_user>/.tsh/keys/%h/<email_address>
    CertificateFile /drives/c/Users/<windows_user>/.tsh/keys/%h/<email_address>-ssh/%h-cert.pub
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*

# For ecgate and Cray HPCF
Host ecg* cc*
    User ab0
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    ProxyJump ab0@shell.ecmwf.int
    IdentityFile /drives/c/Users/<windows_user>/.tsh/keys/shell.ecmwf.int/<email_address>
    CertificateFile /drives/c/Users/<windows_user>/.tsh/keys/shell.ecmwf.int/<email_address>-ssh/shell.ecmwf.int-cert.pub

# For Atos HPCF
Host a?-* a??-* hpc-* hpc2020-* ecs-*
    User ab0
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    ProxyJump ab0@jump.ecmwf.int
    IdentityFile /drives/c/Users/<windows_user>/.tsh/keys/jump.ecmwf.int/<email_address>
    CertificateFile /drives/c/Users/<windows_user>/.tsh/keys/jump.ecmwf.int/<email_address>-ssh/jump.ecmwf.int-cert.pub


...

Cygwin on Windows

  1. Download tsh (you may need to instruct antivirus software to ignore the file)
  2. Log in using tsh (you will always need to specify the --proxy setting)
  3. Use an SSH config similar to the one below, replacing the ECMWF user name (ab0) and registered email address (your@email.com) with your own:

Host shell.ecmwf.int jump.ecmwf.int
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User ab0
    IdentityFile /cygdrive/c/Users/%u/.tsh/keys/%h/your@email.com
    CertificateFile /cygdrive/c/Users/%u/.tsh/keys/%h/your@email.com-ssh/%h-cert.pub

Host ecg* cc*
    ProxyJump shell.ecmwf.int
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User ab0
    IdentityFile /cygdrive/c/Users/%u/.tsh/keys/shell.ecmwf.int/your@email.com
    CertificateFile /cygdrive/c/Users/%u/.tsh/keys/shell.ecmwf.int/your@email.com-ssh/shell.ecmwf.int-cert.pub

Host a?-* a??-* ecs-* hpc-* hpc2020-*
    ProxyJump jump.ecmwf.int
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User ab0
    IdentityFile /cygdrive/c/Users/%u/.tsh/keys/jump.ecmwf.int/your@email.com
    CertificateFile /cygdrive/c/Users/%u/.tsh/keys/jump.ecmwf.int/your@email.com-ssh/jump.ecmwf.int-cert.pub


...

scp -o ProxyJump=ab0@jump.ecmwf.int ab0@hpc-login:/remote/file/path /local/file/path

...

# ~/.ssh/config file:
Host a?-* a??-* ecs-* hpc-* hpc2020-*
  User ab0
  ProxyCommand /usr/bin/ssh -q -W %h:%p ab0@jump.ecmwf.int

A similar setup can be configured to use shell.ecmwf.int for ECGATE and other Reading-based hosts.

...

Recent Fedora Linux distributions (such as Fedora 33) using OpenSSH 8.4p1 no longer accept the "ssh-rsa" signature scheme, which uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm.

As a workaround for this problem, you may need to add ssh-rsa (rsa-sha2-256 or rsa-sha2-512 can also be used) as a PubkeyAcceptedKeyTypes to your ~/.ssh/config file:

# ~/.ssh/config file:
Host jump.ecmwf.int shell.ecmwf.int
    IdentityFile ~/.tsh/keys/%h/your@email.com
    CertificateFile ~/.tsh/keys/%h/your@email.com-ssh/%h-cert.pub
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User ab0

Host a?-* a??-* ecs-* hpc-* hpc2020-*
    User ab0
    ProxyJump jump.ecmwf.int
    IdentityFile ~/.tsh/keys/jump.ecmwf.int/your@email.com
    CertificateFile ~/.tsh/keys/jump.ecmwf.int/your@email.com-ssh/jump.ecmwf.int-cert.pub

Note that you would need to replace your@email.com with your registered email address at ECMWF and ab0 with your own ECMWF user id.

Network Requirements

The service is configured to use only standard ports 22, 80, and 443, to help with access wherever users are.

...