...
Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern way, with support for role-based access control and single sign-on. At the moment there are two gateways available:
- jump.ecmwf.int based in Bologna Datacentre, best to access Bologna-based hosts (Atos HPCF, ECGATE and others).
- shell.ecmwf.int based in Reading Datacentre, best to access Reading-based hosts (Cray HPCF, ECGATE and others).
Note: The Teleport gateway SSH Host Keys are currently:
Tip: Please report any feedback or issues through the ECMWF Support Portal.
...
Run tsh, giving the location of our gateways. For platforms based in Bologna such as the Atos HPCF:
```
tsh login --proxy=jump.ecmwf.int:443
```
or for platforms based in Reading such as the ECGATE or Cray HPCF:
```
tsh login --proxy=shell.ecmwf.int:443
```
Your default web browser will open and you should log in with your email address, ECMWF password, and then HID (ActivID) Token code.
...
```
# Teleport gateways
# Temporary workaround to allow concurrent usage of both gateways
Host shell.ecmwf.int jump.ecmwf.int
  IdentityFile ~/.tsh/keys/%h/<email_address>
  CertificateFile ~/.tsh/keys/%h/<email_address>-ssh/%h-cert.pub
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
```
If you are not sure what email address you need to use, just run the tsh login once and run the following:
...
```
ssh -J username@jump.ecmwf.int username@destination-host
ssh -J username@shell.ecmwf.int username@destination-host
```
For example, if your username is ab0 and you wish to connect to ecgate:
```
ssh -J ab0@shell.ecmwf.int ab0@ecgate
```
And if you wish to connect to Atos HPCF:
```
ssh -J ab0@jump.ecmwf.int ab0@hpc-login
```
...
```
# For users without HPC access:
ssh -J ab0@jump.ecmwf.int ab0@ecs-login
```
And if you wish to connect to ecgate:
```
ssh -J ab0@shell.ecmwf.int ab0@ecgate
```
The OpenSSH configuration setting for this is named ProxyJump, e.g. add the following lines in the ~/.ssh/config file on your client system:
```
Host jump.ecmwf.int shell.ecmwf.int
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
  User ab0
# For ecgate and Cray HPCF
Host ecg* cc*
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
  User ab0
  ProxyJump shell.ecmwf.int
# For Atos HPCF
Host a?-* a??-* hpc-* hpc2020-* ecs-*
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
  User ab0
  ProxyJump jump.ecmwf.int
```
See the Legacy Configuration note below if your ssh client is older than 7.3.
If your connection fails after working for some time, it could be because your tokens have expired. You can check them:
```
$ tsh status
> Profile URL: https://jump.ecmwf.int:443
  Logged in as: firstname.lastname@ecmwf.int
  Cluster: jump.ecmwf.int
  Roles: *
  Logins: ab0
```
```
$ tsh status
> Profile URL: https://shell.ecmwf.int:443
  Logged in as: firstname.lastname@ecmwf.int
  Cluster: shell.ecmwf.int
  Roles: *
  Logins: ab0
  Valid until: 2020-06-22 23:26:30 +0100 BST [EXPIRED]
  Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
```
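An added example, not part of the ECMWF page: a POSIX shell helper that reads `tsh status` output and reports, per gateway, whether the certificate has expired, relying on the [EXPIRED] marker shown above. The function names, the sample text and the "[valid for ...]" form of a live certificate are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: summarise `tsh status` output read from stdin.
# Prints one line per profile: "<cluster> <expired|valid|unknown>".
# "[EXPIRED]" is the marker shown in the output above; any other text after
# "Valid until:" is treated as valid (assumption), and a profile without a
# "Valid until:" line is reported as unknown.
tsh_profile_states() {
    awk '
        function emit() { if (cluster != "") print cluster, state }
        /Profile URL:/ { emit(); cluster = ""; state = "unknown" }
        /Cluster:/     { cluster = $NF }
        /Valid until:/ { state = ($0 ~ /\[EXPIRED\]/) ? "expired" : "valid" }
        END            { emit() }
    '
}

# Return 0 only when the named gateway has a profile whose certificate is
# still valid; unknown, expired or missing profiles all return 1.
# $1 = gateway host name, stdin = tsh status output
gateway_usable() {
    tsh_profile_states | awk -v want="$1" '
        $1 == want { found = 1; ok = ($2 == "valid") }
        END { exit (found && ok) ? 0 : 1 }'
}

# Constructed sample, modelled on the output shown above (not captured output).
SAMPLE_STATUS='> Profile URL:  https://jump.ecmwf.int:443
  Logged in as: firstname.lastname@ecmwf.int
  Cluster:      jump.ecmwf.int
  Valid until:  2030-01-01 10:00:00 +0000 UTC [valid for 11h59m0s]

  Profile URL:  https://shell.ecmwf.int:443
  Logged in as: firstname.lastname@ecmwf.int
  Cluster:      shell.ecmwf.int
  Valid until:  2020-06-22 23:26:30 +0100 BST [EXPIRED]'

# Typical use before opening a connection:
#   tsh status | gateway_usable jump.ecmwf.int || tsh login --proxy=jump.ecmwf.int:443
```

Failing closed on "unknown" means a profile whose validity cannot be read triggers a fresh login rather than a connection attempt with a possibly stale certificate.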
...
```
Host jump.ecmwf.int shell.ecmwf.int
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
  User ab0
Host ecgate ecg* cc*
  User ab0
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
Host a?-* a??-* hpc-* hpc2020-* ecs-*
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
  User ab0
  ProxyJump jump.ecmwf.int
```
Destination Hosts available
The hosts directly available through the Bologna Teleport gateway (jump.ecmwf.int):
- Atos HPCF, including ECS
The hosts based in Reading available through the Reading Teleport gateway (shell.ecmwf.int) are:
...
To access any other host, the
You can also set password-less login, as below.
Configuring password-less login
Info: This configuration enables single-hop ssh (using ProxyJump) to other ECMWF hosts. Not required for ECGATE, CCA/CCB or Atos HPCF login nodes, Linux physical workstations and Linux VDI.
Add the Teleport certificate authority to your ~/.ssh/authorized_keys file, on the relevant system at ECMWF, e.g. ecgate, cca:
...
```
scp -o ProxyJump=ab0@jump.ecmwf.int ab0@hpc-login:/remote/file/path /local/file/path
```
...
```
# ~/.ssh/config file:
Host a?-* a??-* ecs-* hpc-* hpc2020-*
  User ab0
  ProxyCommand /usr/bin/ssh -q -W %h:%p ab0@jump.ecmwf.int
```
...
Recent Fedora Linux distributions (such as Fedora-33) using OpenSSH 8.4p1 no longer accept the "ssh-rsa" signature scheme using the SHA-1 hash algorithm in conjunction with the RSA public key algorithm.
As a workaround for this problem, you may need to add ssh-rsa (rsa-sha2-256 or rsa-sha2-512 can also be used) as a PubkeyAcceptedKeyTypes to your ~/.ssh/config file:
```
# ~/.ssh/config file:
Host jump.ecmwf.int shell.ecmwf.int
  IdentityFile ~/.tsh/keys/%h/your@email.com
  CertificateFile ~/.tsh/keys/%h/your@email.com-ssh/%h-cert.pub
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
  User ab0
Host a?-* a??-* ecs-* hpc-* hpc2020-*
  User ab0
  ProxyJump jump.ecmwf.int
  IdentityFile ~/.tsh/keys/jump.ecmwf.int/your@email.com
  CertificateFile ~/.tsh/keys/jump.ecmwf.int/your@email.com-ssh/jump.ecmwf.int-cert.pub
```
Note you would need to replace your@email.com by your registered email address at ECMWF and ab0 by your own ECMWF user id.
Network Requirements
The service is configured to use only standard ports 22, 80, and 443, to help with access wherever users are.
...