These are the instructions on how to install and configure your Teleport SSH access on Linux to connect to ECMWF services such as the Atos HPCF and ECS services
Table of Contents
Demo
Here is a demonstration on how to set up Teleport to connect to our our Atos HPCF on Ubuntu 22.04. You can find the step by step guide below.
Installing the tsh client
The tsh application is required to perform user authentication. tsh is open source, very portable, and has minimal dependencies.
Go to the Teleport website and follow the instructions to install it. Typically, if you have administrator permissions on your computer you can install it with: curl https://goteleport.com/static/install.sh | bash -s <teleport_version> |
Click on "Alternative download options" where you may download and extract the corresponding tarball for your computer architecture, and place the tsh executable somewhere in your PATH |
Please be aware that you must use a version of "tsh" equal to or lower than 13. We are working on removing this limitation in the very near future |
|
Authenticating yourself
Once every 12 hours, you will need to refresh your tokens with the tsh command. SSH connections may remain active for longer than 12 hours, but new connections will require re-authentication. To authenticate yourself, run tsh, giving the location of our Teleport gateway: Your default web browser will open. You should login with your email address, ECMWF password, and then the code from your Time-based One-Time-Password (TOTP) device. If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped. |
If the process is successful, you will see an output such as: > Profile URL: https://jump.ecmwf.int:443
Logged in as: user.address@somewhere.com
Cluster: jump.ecmwf.int
Roles:
Logins: ecmwfusername
Kubernetes: disabled
Valid until: 2022-12-13 20:54:18 +0000 GMT [valid for 4h37m0s]
Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty |
Once you have logged int at least once, tsh will save your proxy settings so you can skip the extra argument next time:
|
|
Setup your SSH config
We strongly recommend setting up all the SSH options needed for the connection in your local ssh config file, instead of passing them on the command line.
Edit the file ~/.ssh/config on your computer and add the snippet below. You may create it if it does not exist. You should replace ecmwfusername by your registered ECMWF user and user.address@somewhere.com by your registered email address at ECMWF.
Host jump.ecmwf.int a?-* a??-* hpc-* hpc2020-* ecs-*
User ecmwfusername
IdentityFile ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com
CertificateFile ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com-ssh/jump.ecmwf.int-cert.pub
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
ServerAliveInterval 60
TCPKeepAlive yes
Host a?-* a??-* hpc-* hpc2020-* ecs-*
ProxyJump jump.ecmwf.int |
You can find the right values for those two parameters in the output of the tsh command: % tsh login
> Profile URL: https://jump.ecmwf.int:443
Logged in as: user.address@somewhere.com
Cluster: jump.ecmwf.int
Roles:
Logins: ecmwfusername
Kubernetes: disabled
Valid until: 2022-12-13 20:54:18 +0000 GMT [valid for 3h56m0s]
Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty |
|
If you are using Visual Studio Code with the Remote SSH extension, it will not recognise hosts with wildcards as defined in the previous SSH config file. You may add append an explicit entry for the desired hosts in your ssh config file:
|
|
SSH connection
Once you have configured the appropriate settings, any SSH-based tools such as ssh, scp or rsync should work out of the box without any additional options. To test the connection you may ssh into hpc-login if you have access to ECMWF's HPCF: Or alternatively, if you only have access to ECMWF ECS service: Visit our HPCF User Guide for further information. Remember you may need to redo the authentication step for any new ssh connections after 12 hours with:
|
|
Optional: Automating the authentication step
You may instruct ssh to trigger a tsh login whenever required when establishing a new connection by adding the following line at the top of your ~/.ssh/config Match host jump.ecmwf.int exec "tsh status --proxy %h >/dev/null 2>&1 || tsh --proxy %h login" |
|
Troubleshooting
ProxyJump keyword not available on old Linux versions
If using an Operating System with OpenSSH older than 7.3, you will not be able to use the ProxyJump feature. The typical error would be something like:
/home/user/.ssh/config: line 10: Bad configuration option: proxyjump |
You must then replace the following line in your ~/.ssh/config
Host a?-* a??-* hpc-* hpc2020-* ecs-*
ProxyJump jump.ecmwf.int |
by:
Host a?-* a??-* hpc-* hpc2020-* ecs-*
ProxyCommand /usr/bin/ssh -q -o PubkeyAcceptedKeyTypes=+ssh-rsa* -oHostKeyAlgorithms=+ssh-rsa*,rsa-sha2-512 -i ~/.tsh/keys/jump.ecmwf.int/user.address@somwhere.com -oCertificateFile=~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com-ssh/jump.ecmwf.int-cert.pub -W %h:%p ecmwfusername@jump.ecmwf.int |
You should replace ecmwfusername by your registered ECMWF user and user.address@somewhere.com by your registered email address at ECMWF.
If everything else fails...
If you cannot login to teleport or connect via SSH and you are not able to understand why, please raise an issue to our ECMWF Support portal and sending us the output of the commands: tsh version
tsh login --proxy=jump.ecmwf.int
ssh -V
ssh -v ecs-login |
You should also include information about your computer (Operating system) to help us narrow down the problem. |