These are the instructions on how to install and configure your Teleport SSH access on Mac to connect to ECMWF services such as the Atos HPCF and ECS services.
Table of Contents
Demo
Here is a demonstration on how to set up Teleport to connect to our our Atos HPCF from a Mac. You can find the step by step guide described below.
Installing the tsh
client
The tsh
application is required to perform user authentication.
tsh
is open source, very portable, and has minimal dependencies.
If you have homebrew installed in your mac, then you can get tsh
installed easily with:
brew install teleport
Alternatively, go to the Teleport website and make sure you download the "tsh client" instead of "Teleport Connect".
Please be aware that you must use a version of "tsh" equal to or lower than 13. We are working on removing this limitation in the very near future
Authenticating yourself
Once every 12 hours, you will need to refresh your tokens with the To authenticate yourself, run Your default web browser will open. You should login with your email address, ECMWF password, and then the code from your Time-based One-Time-Password (TOTP) device. Existing sessions If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped. Browserless authentication If your computer does not have a browser or cannot display one, you may use the Teleport SSH access - Browserless Login Python Module for the authentication. If the process is successful, you will see an output such as: Subsequent logins Once you have logged int at least once, tsh will save your proxy settings so you can skip the extra argument next time: tsh
command. SSH connections may remain active for longer than 12 hours, but new connections will require re-authentication.tsh
, giving the location of our Teleport gateway:tsh login --proxy=jump.ecmwf.int
> Profile URL: https://jump.ecmwf.int:443
Logged in as: user.address@somewhere.com
Cluster: jump.ecmwf.int
Roles:
Logins: ecmwfusername
Kubernetes: disabled
Valid until: 2022-12-13 20:54:18 +0000 GMT [valid for 4h37m0s]
Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
tsh login
Please ask your Confluence administrator to update the license for the MultiExcerpt App for Confluence .
Admin Info: The error is: license TYPE MISMATCH
Admin Info: DataCenter Confluence: You may need to update the app license to DataCenter.
Setup your SSH config
We strongly recommend setting up all the SSH options needed for the connection instead of passing them on the command line.
Edit the file ~/.ssh/config
on your computer and add the snippet below. You may create it if it does not exist. You should replace ecmwfusername
by your registered ECMWF user and user.address@somewhere.com
by your registered email address at ECMWF.
Not sure about username and email? You can find the right values for those two parameters in the output of the tsh command: VSCode and Remote SSH If you are using Visual Studio Code with the Remote SSH extension, it will not recognise hosts with wildcards as defined in the previous SSH config file. You may add append an explicit entry for the desired hosts in your ssh config file:Host jump.ecmwf.int a?-* a??-* hpc-* hpc2020-* ecs-*
User ecmwfusername
IdentityFile ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com
CertificateFile ~/.tsh/keys/jump.ecmwf.int/user.address@somewhere.com-ssh/jump.ecmwf.int-cert.pub
HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
PubkeyAcceptedKeyTypes +ssh-rsa*
ServerAliveInterval 60
TCPKeepAlive yes
Host a?-* a??-* hpc-* hpc2020-* ecs-*
ProxyJump jump.ecmwf.int
% tsh login
> Profile URL: https://jump.ecmwf.int:443
Logged in as: user.address@somewhere.com
Cluster: jump.ecmwf.int
Roles:
Logins: ecmwfusername
Kubernetes: disabled
Valid until: 2022-12-13 20:54:18 +0000 GMT [valid for 3h56m0s]
Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
Host ecs-login hpc-login
Please ask your Confluence administrator to update the license for the MultiExcerpt App for Confluence .
Admin Info: The error is: license TYPE MISMATCH
Admin Info: DataCenter Confluence: You may need to update the app license to DataCenter.
SSH connection
Once you have configured the appropriate settings, any SSH-based tools such as ssh
, scp
or rsync
should work out of the box without any additional options.
To test the connection you may ssh into hpc-login if you have access to ECMWF's HPCF:
% ssh hpc-login
Or alternatively, if you only have access to ECMWF ECS service:
% ssh ecs-login
Visit our HPCF User Guide for further information.
Optional: Automating the authentication step
You may instruct ssh to trigger a tsh login whenever required when establishing a new connection by adding the following line at the top of your ~/.ssh/config
Match host jump.ecmwf.int exec "tsh status --proxy %h >/dev/null 2>&1 || tsh --proxy %h login"
Please ask your Confluence administrator to update the license for the MultiExcerpt App for Confluence .
Admin Info: The error is: license TYPE MISMATCH
Admin Info: DataCenter Confluence: You may need to update the app license to DataCenter.
Troubleshooting
If you cannot login to teleport or connect via SSH and you are not able to understand why, please raise an issue to our ECMWF Support portal and sending us the output of the commands: You should also include information about your computer (Operating system) to help us narrow down the problem.tsh version
tsh login --proxy=jump.ecmwf.int
ssh -V
ssh -v ecs-login
Please ask your Confluence administrator to update the license for the MultiExcerpt App for Confluence .
Admin Info: The error is: license TYPE MISMATCH
Admin Info: DataCenter Confluence: You may need to update the app license to DataCenter.
4 Comments
Zafiris Galanopoulos
At the moment it looks like homebrew can only install the latest version of teleport, and there are no other versions available according to:
so it might be worth mentioning that, as currently only versions 13 and below are supported in our setup.
Nicolas Bousserez
Do we have a temporary solution for this? I didn't manage to install an older version of teleport.
Zafiris Galanopoulos
What I did, was to download it directly from the teleport website https://cdn.teleport.dev/teleport-v13.0.0-darwin-arm64-bin.tar.gz , decompress the file and run (as root) the install file inside. That should work.
Claudio Pisa
I downloaded the v13.4.10 package installer for Mac OS from here: https://goteleport.com/download/ , then I uninstalled the homebrew package and went through the package installer wizard. It seems to be working for me now.