
Teleport is software which provides an SSH jump host (or bastion host) service in a secure, modern way, with support for role-based access control and single sign-on.

It can be used as a replacement for the ecAccess SSH service, and is being evaluated by the CD Apps team and User Support.

Understanding ecAccess

A user outside of ECMWF wishes to ssh to one of the Centre's clusters, batch farms, or workstations. This can be done by running:

ssh sy0@ecaccess.ecmwf.int

The user is prompted for a password, which happens to be the one-time code from an ActivID token.

ecAccess is not aware of the use of multi-factor authentication (ActivID token). It sees only a simple username and password and delegates authentication to another service.

After authenticating to ecAccess, the user is prompted for the destination host:

[cca-login,ecgate]
?

In fact, the user can enter any ECMWF server or workstation name.

The destination server or workstation must run the ecauth binary, which is installed "setuid root" (so that it can switch to any user).

ecauth receives the TCP/IP connection from ecAccess and spawns a shell as the original user (sy0, in this example).

Understanding Teleport

Teleport functions somewhat like a combination of ecAccess and the SSH Proxy service which staff use to connect outside of ECMWF from within the Centre.

Users outside of the Centre configure the OpenSSH ProxyCommand or ProxyJump settings so that their client connects to the destination server or workstation via the Teleport gateway.

Like ecAccess, Teleport can have its own binary installed on the destination server or workstation. This is not required, however, and a standard OpenSSH server works too.
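As an added example (not from this page, and not Teleport's or ECMWF's own configuration), the script below generates the OpenSSH client stanza that sends connections to internal hosts through a Teleport gateway, in both the ProxyJump form and the older ProxyCommand form. The gateway name teleport.example.int, its port 3023, and the *.ecmwf.int host pattern are assumed placeholders; the login sy0 and the host names cca-login and ecgate come from the ecAccess walkthrough above.

```shell
#!/bin/sh
# Added example: build an OpenSSH client config that reaches internal hosts
# via a Teleport gateway. All gateway values below are assumptions, not
# real ECMWF settings; override them from the environment if needed.

TELEPORT_HOST="${TELEPORT_HOST:-teleport.example.int}"   # assumed gateway name
TELEPORT_PORT="${TELEPORT_PORT:-3023}"                    # assumed gateway SSH port
TELEPORT_USER="${TELEPORT_USER:-sy0}"                     # login from the page's example

# Stanza using ProxyJump (OpenSSH 7.3 and newer). Only the gateway is
# reached directly from outside; every other host is jumped through it.
emit_proxyjump_config() {
  cat <<EOF
# Teleport gateway: the only host contacted directly from outside the Centre
Host teleport-gw
    HostName ${TELEPORT_HOST}
    Port ${TELEPORT_PORT}
    User ${TELEPORT_USER}

# Internal hosts (pattern assumed): tunnelled through the gateway
Host *.ecmwf.int cca-login ecgate
    User ${TELEPORT_USER}
    ProxyJump teleport-gw
EOF
}

# Same effect for older clients without ProxyJump: ProxyCommand with ssh -W,
# which forwards the target's host:port over a connection to the gateway.
emit_proxycommand_config() {
  cat <<EOF
Host *.ecmwf.int cca-login ecgate
    User ${TELEPORT_USER}
    ProxyCommand ssh -W %h:%p -p ${TELEPORT_PORT} ${TELEPORT_USER}@${TELEPORT_HOST}
EOF
}

# Write the chosen stanza to a file readable only by its owner.
# Usage: write_config <path> [proxyjump|proxycommand]
write_config() {
  dest="$1"
  style="${2:-proxyjump}"
  umask 077
  if [ "$style" = "proxycommand" ]; then
    emit_proxycommand_config > "$dest"
  else
    emit_proxyjump_config > "$dest"
  fi
  chmod 600 "$dest"
}

# Show how the local ssh client would resolve a host under this config
# (ssh -G prints the effective options without connecting). Skipped when
# no ssh client is installed, so the script still runs offline.
show_effective() {
  cfg="$1"; host="$2"
  command -v ssh >/dev/null 2>&1 || { echo "ssh not installed; skipping -G check"; return 0; }
  ssh -G -F "$cfg" "$host"
}

# Example run: write the ProxyJump stanza and inspect the resolution of ecgate
if [ "${1:-}" = "demo" ]; then
  write_config ./teleport_ssh_config
  show_effective ./teleport_ssh_config ecgate
fi
```

Run it as `sh teleport_config.sh demo` to write the stanza and, where an ssh client is present, print the options ssh would apply to `ssh ecgate`; the `ssh -G` check is the quickest way to confirm a destination really resolves through the gateway rather than being attempted directly.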
