Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern, way, with support for role-based access control, and single sign-on.
It is a replacement for the ecAccess SSH service, and is operated by the CD Apps team and User Support.
This service is under development and not widely accessible. Please continue to use the existing ECAccess service!
Downloading tsh
The tsh
application is required to perform the single sign-on step once every eight hours.
As tsh
is written in Go, it is very portable and has minimal dependencies.
- Download from the Gravitational website and place into your
$PATH
The binary is available for Linux 32-bit, 64-bit, and ARM, as well as signed packages for MacOS and Windows 64-bit.
Initial login
Run tsh
, giving the location of our Teleport gateway:
tsh login --proxy=shell.ecmwf.int:443
Your default web browser will open and you should login with your email address, workstation password, and then HID Token code.
Subsequent logins can be shortened to tsh login
If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped.
Configuring servers and workstations for Teleport
At the destination host end, openssh needs to be configured to trust the SSH Certificate that your client is passing.
This can be done at the server level for all users, or by an individual user within their own account.
If a user configures this for their own account, it will potentially allow access to any other system using the same $HOME
filesystem.
A user can add the following to their ~/.ssh/authorized_keys
file:
cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN85frMTtRzQaVjkHGM3NTOJD/5awWn2i1sAofzlO0PXM1jX/H+4zQKn1+ATUqU+TTU2v3V7fhZm0cWqRrofSLDVC80FkCFqzZRq2E4kMBP5sx4yf/mBKLzJ6luE8eV/3W0V6KEch5TV2ON8ltwFPWjB3D/puPU010UOJH/arlpW5h+n9dAtBCAtVuMYBEz/5uWcKcTJkFe2usQTVmpiEmt/yAx4LfLTFPs2+izLo+N3dBW92HFnKnQftZI5s8ysOENbKmxdWfcxdID5E91oneAvkmEKBeUutlYY3GV9621iuKnlEw6WF8wfQapdozzhSyb+LhqPDiBRotnerhA69/ clustername=tele&type=user
A server administrator can place the same key into /etc/ssh/teleport-user-ca.pub
They would then add the following to their /etc/ssh/sshd_config
file:
AuthorizedKeysFile /etc/ssh/teleport-user-ca.pub .ssh/authorized_keys .ssh/authorized_keys2
Having a dedicated file for the trusted key means that it can easily be rotated using configuration automation.
Connecting to hosts through Teleport
Your ssh client will need to know about the Teleport gateway (proxy).
For OpenSSH 7.3 or newer, add the following to your configuration (~/.ssh/config
):
Host ecmwf-hpcf HostName hpcf-login.ecmwf.int ProxyJump tele.ecmwf.int:3023 ForwardX11 yes
For OpenSSH clients up to 7.2, the following will work instead:
Host ecmwf-hpcf HostName hpcf-login.ecmwf.int ProxyCommand /usr/bin/ssh -q -p 3023 -W %h:%p tele.ecmwf.int ForwardX11 yes
ecmwf-hpcf
is merely a short alias and can be any name, including the target HostName.
hpcf-login.ecmwf.int is the host name of whatever destination server or workstation you wish to reach.
Then, you can connect to the destination host:
ssh ecmwf-hpcf
No password will be required.
SCP, X11 and Port Forwarding
scp, X11, and port forwarding will all work through the Teleport gateway.
Of course, such features also need to be permitted on the destination server or workstation.
See the AUTHORIZED_KEYS
section of the sshd
man page for how to configure restrictions on users coming via Teleport.