Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern, way, with support for role-based access control, and single sign-on.
It is a replacement for the ecAccess SSH service, and is operated by the CD Apps team and User Services.
This service is under development. Please continue to use the existing ECAccess service! |
The Teleport service provides:
The single sign-on step is performed using an application called "tsh", every eight hours.
After that you use standard ssh or scp to connect to systems inside ECMWF.
tsh The tsh application is required to perform user authentication once every eight hours.
tsh is open source, very portable, and has minimal dependencies.
$PATH The binary is available for Linux 32-bit, 64-bit, and ARM, as well as signed packages for MacOS and Windows 64-bit.
MacOS users can also use homebrew for installation (brew install teleport).
We are still working on describing the configuration for Windows clients. |
Once every eight hours, you will need to refresh your tokens by logging in to the ECMWF website.
SSH connections can remain active for longer than eight hours, but new ones will require re-authentication. |
Run tsh, giving the location of our gateway:
tsh login --proxy=shell.ecmwf.int:443 |
Your default web browser will open and you should login with your email address, workstation password, and then HID Token code.
If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped. |
tsh login |
OpenSSH 7.3 or later has a simple command line option to connect via our gateway (shell.ecmwf.int) to the destination-host:
ssh -J username@shell.ecmwf.int username@destination-host |
For example, if your username is ab0 and you wish to connect to ecgate:
ssh -J ab0@shell.ecmwf.int ab0@ecgate |
The OpenSSH configuration setting for this is named ProxyJump.
See the Legacy Configuration note below if your ssh client is older than 7.3.
Destination hosts available through the Teleport gateway are:
With the initial configuration you may be prompted for a password at the destination-host.
For login without a password, add the Teleport certificate authority to your ~/.ssh/authorized_keys file:
curl -fs https://nexus.ecmwf.int/repository/internal-teleport-configs/prod/teleport_user_ca.pub >> ~/.ssh/authorized_keys |
This configuration will allow access to any host which mounts the same |
If you have logged in but ssh fails to connect, it may be that your SSH agent is not running.
echo 'eval $(ssh-agent -s)' >> ~/.bash_profile eval $(ssh-agent -s) tsh logout tsh login |
scp, agent, and port forwarding will work through the Teleport gateway.
X11 forwarding will work in a couple of months when we have an update from the vendor. |
For OpenSSH clients older than 7.3, the following will work in your ~/.ssh/config file:
# ~/.ssh/config file: Host ecgate User ab0 ProxyCommand /usr/bin/ssh -q -W %h:%p ab0@shell.ecmwf.int |
You might not be able to download and run tsh, or access our web login service, from where you wish to use ssh.
Instead you can use (or copy) the identity file which tsh stores in $HOME:
# ~/.ssh/config file: Host ecgate User ab0 IdentityFile ~/.tsh/keys/shell.ecmwf.int/firstname.lastname@ecmwf.int ProxyCommand /usr/bin/ssh -q -i ~/.tsh/keys/shell.ecmwf.int/firstname.lastname@ecmwf.int -W %h:%p ab0@shell.ecmwf.int |
This is a good way to access Teleport credentials via a shared file system from any host.