This software will allow you to login to teleport and get the certificate without a browser (or X-capabilities).

Prerequisites

Before you start, make sure you have the following elements installed and available in your system:

Installation

Install the module from ECMWF public software repository:

user@local $ pip3 install teleport-browserless-login --user -U -i https://get.ecmwf.int/repository/pypi-all/simple

In order to install the extra certificates checks please install with the extras option certificates-check (requires the cryptography python package):

user@local $ pip3 install teleport-browserless-login[certificates-check] --user -U -i https://get.ecmwf.int/repository/pypi-all/simple

Note for Raspberry Pi users

If you get the error:

Could not install packages due to an EnvironmentError: 404 Client Error: Not Found for url: https://www.piwheels.org/simple/teleport-browserless-login/

Comment the line extra-index-url=https://www.piwheels.org/simple from /etc/pip.conf

Basic Usage

A shell script is installed along with the package, so all the commands python3 -m teleport.login can be replaced with teleport-login on Linux or Mac systems

You can now authenticate with our Teleport system with:

user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Configuration file not found [/home/demo/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INFO - Username is empty...
INPUT - ECMWF username: us9
INFO - Password is empty...
INPUT - ECMWF password: ********
INPUT - OTP Token: ******
INFO - Starting [tsh login --browser=none --proxy=jump.ecmwf.int:443 --user=us9]
INFO - Configuring HIDTokenHandler with successor NoneType
INFO - Configuring OTPTokenHandler with successor HIDTokenHandler
INFO - Configuring UsernamePasswordHandler with successor OTPTokenHandler
INFO - Configuring TeleportLoginUrlHandler with successor UsernamePasswordHandler
INFO - TeleportLoginUrlHandler finished
INFO - UsernamePasswordHandler finished
INFO - OTPTokenHandler finished
INFO - Login Successful
INFO - > Profile URL:        https://jump.ecmwf.int:443
Logged in as:       us.induction@ecmwf.int
Cluster:            jump.ecmwf.int
Roles:
Logins:             us9
Kubernetes:         disabled
Valid until:        2022-12-17 03:52:17 +0000 UTC [valid for 11h58m0s]
Extensions:         permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty

That will prompt you for your ECMWF username, password and TOTP of HID Token if TOTP is not configured.

This module will not attempt to authenticate if the current certificates are still valid.

Advanced Usage

For more advance usages, check the module help:

user@local $ python3 -m teleport.login --help
VERSION = "1.1.8"

Environment Variables:
  ECMWF_USERNAME  The ECMWF Username
  ECMWF_PASSWORD  The ECMWF Password
  TSH_EXEC        The Teleport binary tsh path
  TSH_PROXY       The ECMWF Teleport proxy

Configuration file content example (yaml):
  tsh_exec: '/usr/local/bin/tsh'
  tsh_proxy: 'jump.ecmwf.int:443'
  ecmwf_username: 'your_username'
  ecmwf_password: 'your_password'

Usage: python -m teleport.login [OPTIONS]

Options:
  --configuration PATH    The path to the configuration file.
  -f, --force-clean       To Request a new certificate even if the current one
                          is valid.
  -o, --tsh-options TEXT  To add extra options to tsh command. e.g.: -o "--no-
                          use-local-ssh-agent" -o "--insecure"
  --help                  Show this message and exit.

You can configure your default settings in such as the ECMWF username and password, using environment variables or a configuration file. By default, this tool will look into  ~/.teleport-login.yaml but a different file may be passed with the --configuration option. Note that the tool will always prompt for the OTP token:

user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/home/demo/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INPUT - OTP Token: ******
INFO - Starting [tsh login --browser=none --proxy=jump.ecmwf.int:443 --user=us9]
INFO - Configuring HIDTokenHandler with successor NoneType
INFO - Configuring OTPTokenHandler with successor HIDTokenHandler
INFO - Configuring UsernamePasswordHandler with successor OTPTokenHandler
INFO - Configuring TeleportLoginUrlHandler with successor UsernamePasswordHandler
INFO - TeleportLoginUrlHandler finished
INFO - UsernamePasswordHandler finished
INFO - OTPTokenHandler finished
INFO - Login Successful
INFO - > Profile URL:        https://jump.ecmwf.int:443
Logged in as:       us.induction@ecmwf.int
Cluster:            jump.ecmwf.int
Roles:
Logins:             us9
Kubernetes:         disabled
Valid until:        2022-12-17 03:57:49 +0000 UTC [valid for 11h58m0s]
Extensions:         permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty

An example of such a configuration file is:

user@local $ cat .teleport-login.yaml
tsh_exec: '/usr/local/bin/tsh'
tsh_proxy: 'jump.ecmwf.int:443'
ecmwf_username: 'your_username'
ecmwf_password: 'your_password'

You can override all configuration values by using Environment Variables:

user@local $ export ECMWF_USERNAME='test'
user@local $ export ECMWF_PASSWORD='zzzz'
user@local $ export TSH_EXEC='tsh'
user@local $ export TSH_PROXY='jump.ecmwf.int:443'
user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/home/uid/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INFO - Environment variable [ECMWF_USERNAME] found. Overriding...
INFO - Environment variable [ECMWF_PASSWORD] found. Overriding...
INFO - Environment variable [TSH_EXEC] found. Overriding...
INFO - Environment variable [TSH_PROXY] found. Overriding...
INPUT - OTP Token:
INFO - Starting [tsh login --browser=none --proxy=jump.ecmwf.int:443]
...

If no configuration is provided the module will use default values:

  • tsh_exec - if tsh is on the system PATH, this can be left out the configuration file as the default is tsh
  • tsh_proxy - this can be left out the configuration file as the default is jump.ecmwf.int:443
  • username - will be prompted
  • password - will be prompted
  • token - will ALWAYS be prompted

This module will always prompt the user if some credential is missing.

Troubleshooting

If you run into problems, enabling DEBUG might be useful to get more information regarding the failure.  Just set the environment variable DEBUG to True:

user@local $ DEBUG=True python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/home/uid/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INPUT - OTP Token:
DEBUG - Loaded Configuration: {"token": "xxxxxx", "username": "uid", "password": "xxxxxxxx", "tsh_exec": "/usr/local/bin/tsh", "tsh_proxy": "jump.ecmwf.int:443"}
INFO - Starting [/usr/local/bin/tsh login --browser=none --proxy=jump.ecmwf.int:443]
DEBUG - Setting User-Agent: {'User-Agent': 'TeleportBrowserlessLogin/1.0.0 (Linux-5.4.72-microsoft-standard-WSL2-x86_64-with-glibc2.31) Python/3.9.5'}
DEBUG - Starting new HTTP connection (1): 127.0.0.1:42387
DEBUG - http://127.0.0.1:42387 "GET /fbbeee7d-dfc3-4b7b-a75a-830f48980d2e HTTP/1.1" 302 309
DEBUG - Starting new HTTPS connection (1): accounts.ecmwf.int:443
DEBUG - https://accounts.ecmwf.int:443 "GET /auth/realms/ecmwf/protocol/openid-connect/auth... HTTP/1.1" 200 5797
INFO - TeleportLoginUrlHandler finished
DEBUG - https://accounts.ecmwf.int:443 "POST /auth/realms/ecmwf/login-actions/authenticate... HTTP/1.1" 200 5654
INFO - UsernamePasswordHandler finished
DEBUG - https://accounts.ecmwf.int:443 "POST /auth/realms/ecmwf/login-actions/authenticate... HTTP/1.1" 200 5915
INFO - HIDTokenHandler finished
INFO - Login Successful
INFO - > Profile URL:        https://jump.ecmwf.int:443
Logged in as:       FirstName.LastName@ecmwf.int
Cluster:            jump.ecmwf.int
Roles:
Logins:             uid
Kubernetes:         disabled
Valid until:        2021-06-07 07:28:55 +0100 BST [valid for 12h0m0s]
Extensions:         permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty

If you need to pass additional options to the tsh command use  --tsh-options 

user@local $ python3 -m teleport.login --tsh-options="--no-use-local-ssh-agent --insecure"

1 Comment

  1. Samuel William Murphy

    port 443 doesn't seem to work for me for the tsh_proxy "jump.ecmwf.int:443"

    what I tried initially

    $ teleport-login --force-clean
    (did not work)

    then I explicitly exported the tsh_proxy without port 443 and tried again

    $ export TSH_PROXY=jump.ecmwf.int
    $ teleport-login --force-clean
    (and it worked)