If you need access, talk to your supervisor to create an account for you. You will get a username and a password as well as an OTP device (hardware or smartphone). Accounts are handled via www.ecmwf.int
Please note that ECMWF currently supports Teleport only up to version 13. ecmwf information
from home
You need to download the appropriate package from teleport, selecting major version 13 and whatever sub-version is available, e.g. 13.4.26 (9.10.2024). Choose your OS (Linux, Mac, Windows) and download the package. For Linux you can also try to install this with the package manager:
Bash
# adjust to recent version
curl https://goteleport.com/static/install.sh | bash -s 13.4.26
# launch an ssh-agent
eval $(ssh-agent)
# login using the ECMWF teleport server
# this opens a browser and you need to login to ECMWF with OTP.
tsh login --proxy=jump.ecmwf.int
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:38615/f5df50f4-35bf-4f88-a2dc-2a271df6e1d5
# finally you should get a confirmation
> Profile URL:  https://jump.ecmwf.int:443
  Logged in as: [MAIL ADDRESS]
  Cluster:      jump.ecmwf.int
  Roles:
  Logins:       [ECMWF USERNAME]
  Kubernetes:   disabled
  Valid until:  2024-10-09 23:18:33 +0200 CEST [valid for 11h58m0s]
  Extensions:   permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
Look at the SSH config below and you should be fine to connect.
from IMGW
An ECMWF user can connect to the ECS/ATOS using teleport. First load the teleport module and start the ssh-agent:
Using teleport
module load teleport
** INFO: Default jumphost now: jump.ecmwf.int
** INFO: Module loaded. SSH Agent required for login, run 'ssh-agentstart',
**       or 'ssh-agentreconnect' ro reconnect to an existing agent.
**       run 'ssh-agent -k' to kill the agent.
         Login run: 'python3 -m teleport.login' and your ECMWF credentials.
         e.g. 'ssh -J <id>@jump.ecmwf.int <id>@ecs-login'
         Check certificates, run: 'tsh status'
# Activate the ssh-agent (required to store the key/certificate)
ssh-agentstart
# or
ssh-agentreconnect
# Check if it is running
ssh-add -l
Once you have a running ssh-agent, run a browserless login via python:
Connecting to ECMWF
# Login to the default teleport jump host (shell.ecmwf.int) Reading
python3 -m teleport.login
tsh status
# run ssh agent again
ssh-add -l
# now there should be two keys!!!
# Login to ECaccess in Bologna
ssh -J [user]@jump.ecmwf.int [user]@ecs-login
# Login to HPC ATOS
ssh -J [user]@jump.ecmwf.int [user]@hpc-login
# delete current certificates
tsh logout
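The two checks above (`tsh status` for the certificate, `ssh-add -l` for the two agent entries) can be scripted before opening a session. This is an added example, not ECMWF or IMGW code; the function names, the 600 second default threshold and the sample text (constructed in the output format shown on this page) are assumptions.

```shell
#!/bin/sh
# Added example (not ECMWF/IMGW code): pre-flight check before ssh.

# Seconds left, from the "[valid for 11h58m0s]" field of `tsh status`
# output on stdin. Prints 0 when the field is absent (logged out, expired).
tsh_seconds_left() {
    awk '
    /Valid until:/ && match($0, /\[valid for [0-9hms]+\]/) {
        dur = substr($0, RSTART + 11, RLENGTH - 12)
        while (match(dur, /^[0-9]+[hms]/)) {
            n = substr(dur, 1, RLENGTH - 1) + 0
            u = substr(dur, RLENGTH, 1)
            total += n * (u == "h" ? 3600 : (u == "m" ? 60 : 1))
            dur = substr(dur, RLENGTH + 1)
        }
        exit
    }
    END { print total + 0 }'
}

# Number of identities listed in `ssh-add -l` output on stdin.
agent_key_count() {
    grep -c -E '^[0-9]+ (SHA256|MD5):' || true
}

# preflight STATUS_TEXT AGENT_TEXT [MIN_SECONDS]
# Prints ok, relogin or agent-missing-keys; non-zero exit unless ok.
preflight() {
    _left=$(printf '%s\n' "$1" | tsh_seconds_left)
    _keys=$(printf '%s\n' "$2" | agent_key_count)
    if [ "$_left" -lt "${3:-600}" ]; then echo relogin; return 1; fi
    if [ "$_keys" -lt 2 ]; then echo agent-missing-keys; return 1; fi
    echo ok
}

# Constructed sample text in the format shown on this page.
SAMPLE_STATUS='> Profile URL:  https://jump.ecmwf.int:443
  Logged in as: [MAIL ADDRESS]
  Valid until:  2024-10-09 23:18:33 +0200 CEST [valid for 11h58m0s]'
SAMPLE_AGENT='2048 SHA256:CONSTRUCTED-FINGERPRINT-A key (RSA)
2048 SHA256:CONSTRUCTED-FINGERPRINT-B key (RSA-CERT)'

preflight "$SAMPLE_STATUS" "$SAMPLE_AGENT"
# Real use: preflight "$(tsh status 2>/dev/null)" "$(ssh-add -l 2>/dev/null)"
```

A `relogin` result means running the login step again; `agent-missing-keys` means the agent the shell is attached to is not the one that holds the Teleport key and certificate.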
Configuration
Environment variables configuration:
ECMWF_USERNAME - The ECMWF Username
ECMWF_PASSWORD - The ECMWF Password
TSH_EXEC - The Teleport binary tsh path
TSH_PROXY - The ECMWF Teleport proxy
You can set these variables in your ~/.bashrc file to avoid typing these at every login. Please do not save your ECMWF_PASSWORD like this!
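One way to check that no start-up file stores the password, as an added example that is not part of the original page or of the teleport module. The function name and the file names are assumptions, the sample files are constructed, and `ECMWF_PASSWORD_FROM_PROMPT` is a hypothetical variable used only to show that references are not flagged.

```shell
#!/bin/sh
# Added example: flag start-up files that store ECMWF_PASSWORD in clear text.

# Print FILE:LINE for each active line assigning a literal, non-empty value
# to ECMWF_PASSWORD; return 1 if any file has one, 0 otherwise.
find_saved_password() {
    _found=0
    for _f in "$@"; do
        [ -r "$_f" ] || continue
        _hits=$(awk '
            /^[ \t]*#/ { next }                      # commented out
            {
                line = $0
                sub(/^[ \t]*(export[ \t]+)?/, "", line)
                if (line !~ /^ECMWF_PASSWORD=/) next
                sub(/^ECMWF_PASSWORD=/, "", line)
                sub(/[ \t]+#.*$/, "", line)          # trailing comment
                gsub("[\"" sprintf("%c", 39) "]", "", line)   # drop quotes
                # skip empty values and references such as $VAR or $(cmd)
                if (line == "" || line ~ /^\$[({A-Za-z_]/) next
                print FILENAME ":" FNR
            }' "$_f")
        if [ -n "$_hits" ]; then printf '%s\n' "$_hits"; _found=1; fi
    done
    return "$_found"
}

# Constructed sample files (no real credentials).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/bashrc_bad" <<'EOF'
export ECMWF_USERNAME=abc
# export ECMWF_PASSWORD=commented-out
export TSH_PROXY=jump.ecmwf.int
export ECMWF_PASSWORD="constructed-example-value"
EOF
cat > "$DEMO_DIR/bashrc_ok" <<'EOF'
export ECMWF_USERNAME=abc
export ECMWF_PASSWORD=
export ECMWF_PASSWORD="${ECMWF_PASSWORD_FROM_PROMPT}"
EOF

find_saved_password "$DEMO_DIR/bashrc_bad" "$DEMO_DIR/bashrc_ok" \
    || echo "move the password out of the files listed above"
# Real use: find_saved_password ~/.bashrc ~/.bash_profile ~/.profile
```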
It is highly advised to add this to your .ssh/config, although ECMWF has added some information on that too:
Teleport versions changed from 13 to 17, April 2025.
.ssh/config
Host *.jump-17.ecmwf.int jump-17.ecmwf.int* a?-* a??-* hpc-* ecs-* hpc2020-* lfc?-* ecf?-* ecflow-* ecinteractive*
    User [ECMWF USERNAME]
    UserKnownHostsFile ~/.tsh/known_hosts
    IdentityFile ~/.tsh/keys/jump-17.ecmwf.int/[MAIL ADDRESS]
    CertificateFile ~/.tsh/keys/jump-17.ecmwf.int/[MAIL ADDRESS]-ssh/jump-17.ecmwf.int-cert.pub
    ServerAliveInterval 60
    TCPKeepAlive yes

Host !jump-17.ecmwf.int *.jump-17.ecmwf.int
    ProxyCommand tsh proxy ssh --cluster=jump-17.ecmwf.int --proxy=jump-17.ecmwf.int:443 %r@%h

Host hpc-login ecs-login
    Hostname %h.jump-17.ecmwf.int
    ProxyCommand tsh proxy ssh --cluster=jump-17.ecmwf.int --proxy=jump-17.ecmwf.int:443 %r@%h

# Extra configuration for additional internal hosts through the main entry point
Host a?-* a??-* hpc-* hpc2020-* lfc?-* ecf?-* ecflow-* ecinteractive* !hpc-login* !ecs-login* !*.jump-17.ecmwf.int*
    ProxyJump hpc-login.jump-17.ecmwf.int
    # Replace by ecs-login.jump-17.ecmwf.int if only ECS access
SSH-agent
It is required to have an SSH-agent running in order to connect to the ECMWF servers. The teleport module includes a startagent function that lets you reconnect to an existing ssh-agent. Do not start too many agents!
start ssh-agent
# load the module
module load teleport
# start a new agent or reconnect
ssh-agentstart
# or reconnect
ssh-agentreconnect
# unsure about agents?
userservices sshtools -h
# kill all agents
userservices sshtools -k
ECMWF Access Server (ECS)
There is an issue with ssh-keys
ECS fix ssh-key issue
# connect to ECS following the teleport login procedure above
ssh -J [user]@jump.ecmwf.int [user]@ecs-login
# Generate a new SSH key on ECS, no passphrase.
ssh-keygen -t ed25519
# Add the public key to your own authorized_keys on ECS/HPC
cat .ssh/id_ed25519.pub >> .ssh/authorized_keys
This will solve some ecaccess issues.
Sometimes there are also different issues with the connection. You can search the issues to check whether someone has had a similar problem.
# First get a valid certificate to get access
$ ecaccess-certificate-create
Please enter your user-id: [ECMWF short username]
Your passcode: [OTP Code]
# Check if the certificate is fine
$ ecaccess-certificate-list
chmod            168h  Oct 15 14:26  change file mode
deleteFile       168h  Oct 15 14:26  delete file
deleteJob        168h  Oct 15 14:26  delete a job
getFileList      168h  Oct 15 14:26  get file list
getFileSize      168h  Oct 15 14:26  get file size
getJobList       168h  Oct 15 14:26  job list
getJobResult     168h  Oct 15 14:26  job result
getTempFile      168h  Oct 15 14:26  create temporary file
getTransferList  168h  Oct 15 14:26  get transfer list
mkdir            168h  Oct 15 14:26  make directory
moveFile         168h  Oct 15 14:26  move file
readFile         168h  Oct 15 14:26  read file
rmdir            168h  Oct 15 14:26  remove directory
spoolTransfer    168h  Oct 15 14:26  ectrans request
submitJob        168h  Oct 15 14:26  job submission
writeFile        168h  Oct 15 14:26  write file
If you have trouble, or for some other reason, you can remove the file ~/.eccert.crt; your current certificate is then gone.
ECAccess gateway
# check what server you are connected to
$ ecaccess-gateway-name
boaccess.ecmwf.int
# connected ?
$ ecaccess-gateway-connected
yes
# the associations are defined with path and username, password to access the server. See below.
# now it is time to check associations on that server
$ ecaccess-association-list
aurora  aurora.img.univie.ac.at  active  scratch
# NAME GATEWAY STATUS COMMENT
# check on a different ecaccess server
$ ecaccess-association-list -gateway ecaccess.img.univie.ac.at
jet  jet01.img.univie.ac.at  active  scratch
# NAME GATEWAY STATUS COMMENT
ECAccess ectrans
# transfer some files using these associations
#
# ecaccess-ectrans-request -lifeTime 1h -overwrite -onFailure [ASSOCIATION NAME] [SOURCE FILE/DIR]
# lifeTime: how long it will retry to do so
# overwrite: overwrites any files existing
# onFailure: reports back to you.
# there are more options available: ecaccess-ectrans-request --help
$ ecaccess-ectrans-request -lifeTime 1h -overwrite -onFailure aurora [SOURCE FILE/DIR]
# this is an async process. It does not happen right away.
$ ecaccess-ectrans-list
176674485  INIT  aurora  boaccess.ecmwf.int  Oct 09 09:42
# check again
$ ecaccess-ectrans-list
176674485  COPY  aurora  boaccess.ecmwf.int  Oct 09 09:42
If you encounter a STOP or ERROR, you can also check the gateway (boaccess, imgaccess) to have a look at the message (file transfers).
hostname (login.img.univie.ac.at or jet01 or jet02)
directory (/srvfs/scratch/[USERNAME] or something else)
comment (giving you a hint where it drops the files to)
login (this is your imgw server username)
password (this is your imgw server password)
Click on Create
Later you can also change the password for your associations.
toolkit
You need to have access to an installation of ecaccess-webtoolkit.
Create an association on one gateway server
# load module to give access to the commands
$ module load ecaccess-webtoolkit/6.3.1
# create a certificate
$ ecaccess-certificate-create
Please enter your user-id: [ECMWF short username]
Your passcode: [OTP Code]
# create the template
$ ecaccess-association-get -template [ASSOCIATION NAME] new-association
# now you need to edit that file: new-association
This file serves as a template; only the first part is important.
Change:
active='yes'
comment='Something that explains where it will send the data to'
directory='/srvfs/scratch/[USERNAME]' or another directory.
hostName='login.img.univie.ac.at' or jet01... or jet02...
login='[USERNAME]'
protocol='genericSftp'
Save the file and then you can add this to the correct gateway. Remember that JET is only available from the gateway (ecaccess.img.univie.ac.at), which is available only from inside the VPN@UNIVIE under ecaccess.wolke.img.univie.ac.at.
Finally you can add your newly created association to the gateway:
Bash
# add to IMGW ecaccess server (password: your imgw server password)
$ ecaccess-association-put -password -gateway ecaccess.img.univie.ac.at new-association
New password:
# add to boaccess (password: your imgw server password)
$ ecaccess-association-put -password new-association
New password:
# test the association
$ ecaccess-association-list
aurora  login.img.univie.ac.at  active  scratch
$ ecaccess-association-list -gateway ecaccess.img.univie.ac.at
jet  jet01.img.univie.ac.at  active  scratch
# send a file to both
using ssh-keys
There is another way to avoid having to continuously change the password in the association: it is possible to add an ssh-key to the ectrans association.
# generate a ssh-key using the PEM format
ssh-keygen -t rsa -m PEM -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): ecmwf
Enter passphrase for "test" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test
Your public key has been saved in test.pub
The key fingerprint is:
SHA256:2FIvXhZASKo/b565cUiWQsImKV63YZhhnx0ySb3Rak8 user@notebook
The key's randomart image is:
+---[RSA4096]----+
|o.=+++||o.=o*o.o||+++o*.=.||oo.+ooOE.||....BS+||.++=||ooo||o.=||o*.|
+----[SHA256]-----+
#
Add the public key to the IPA. It might take up to 10 min before the new key is registered by the system. You can check on aurora by running: sss_ssh_authorizedkeys $USER
Now you can modify the association by adding your generated private key:
to either the association file or via the web interface. Then you can remove the password, but leave the login=[USERNAME].
More information on these details can be found here
ECaccess Gateway
The department is running a member state ecaccess gateway service. The purpose of an individual access server is to bridge ECMWF's network with IMGW's network, thereby protecting these networks. For example, you can access the JET cluster from the department ecaccess server but not from the boaccess server, whereas from boaccess you can access aurora.