You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern, way, with support for role-based access control, and single sign-on.

It can be used as a replacement for the ecAccess SSH service, and is being evaluated by the CD Apps team and User Support.

Please read all the introductory "understanding" sections (even if you think you know them), so that the presentation of Teleport makes sense in context.

Understanding ecAccess

A user outside of ECMWF wishes to ssh to one of the Centre's clusters, batch farms, or workstations. This can be done by running:

ssh sy0@ecaccess.ecmwf.int

Since 2016 the ecAccess ssh module has required custom configuration on the ssh client end to enable known-insecure ciphers.
The replacement of this service will of course bring an up-to-date ssh implementation without this issue.

The user is prompted for a password, which happens to be the one-time code from an ActivID token.

ecAccess is not aware of the use of multi-factor authentication (ActivID token). It sees only a simple username and password and delegates authentication to another service.

After authenticating to ecAccess, the user is prompted for the destination host:

[cca-login,ecgate]
?

In fact, the user can enter any ECMWF server or workstation name.

The destination server or workstation must run the ecauth binary which is installed "setuid root" (so it can become any user).

ecauth receives the TCP/IP connection from ecAccess and spawns a shell as the original user (sy0, in this example).

It is important to know that the user authenticates to the ecAccess gateway only, not the destination server or workstation.

Understanding our SSH Proxy service

When servers or workstations inside the Centre wish to ssh to the Internet (not the RMDCN), we tell the client to use our SSH Proxy service.

The Proxy sits in the DMZ and allows transit of the TCP/IP connection from ssh client to server. It does not interrupt the encryption in any way.

The need for the SSH Proxy is mostly to support a network setup where the Centre is dual-homed on both RMDCN and Internet.
In the near future (BOND timeframe) the network will be redesigned and this need will go away, so all outgoing proxy services are to be retired.

Clients inside the Centre use the openssh ProxyCommand setting to direct the connection via our Proxy:

ProxyCommand /usr/bin/connect -H proxy.ecmwf.int:2222 %h %p

This is a commonly used behaviour in ssh, and in fact new openssh clients and servers support the ProxyJump setting, to simplify configuration even further.

It is important to know that our SSH Proxy is not authenticating users; it merely passes a TCP/IP stream.

Understanding Teleport

Teleport functions somewhat like a combination of ecAccess, and the SSH Proxy service, with additional features relating to role-based access control and single sign-on.

Users outside of the Centre configure their clients to use Teleport as a proxy service for the destination host. That is, it's a bit like the reverse of systems inside ECMWF connecting to the Internet.

Like ecAccess, Teleport can have its own binary installed on the destination server or workstation. However, this is optional, and standard openssh server works too.

Teleport is open source, hosted on GitHub, written in Go, and the Enterprise edition is licensed (at modest cost) to gain support and allow use of the single sign-on feature.

The notable difference between Teleport and our current services is that a specific command-line application, called tsh, is required to do the single sign-on function (once per day).

The single sign-on step will open a web browser and prompt the user for their username and password (from the token). This means if we migrate away from ActivID in the future then the Teleport service is not affected in any way, because login is delegated to the web service.

After login, a user's ssh-agent is populated with some SSH Certificates signed by the Teleport server, valid for a limited time (say, eight hours).

SSH clients present the certificates in a similar way to SSH Keys each time they login, and the certificates are validated by both the Teleport gateway and the destination host.

With Teleport, users are authenticated both at the gateway and at the destination host.

Further Reading

  • Downloading tsh 
  • Initial login and verifying ssh-agent behaviour
  • Connecting to hosts through Teleport
  • Teleport features we are not using







  • No labels