This software will allow you to login to teleport and get the certificate without a browser (or X-capabilities).

Teleport production services

We currently run two Teleport services in production:

If you are setting up the access for the first time, you should choose the recommended jump-17.ecmwf.int service.

If you are updating your setup to use the latest production service, jump-17.ecmwf.int, note that you will need to change BOTH the client installation and your ssh configuration (e.g. $HOME/.ssh/config file). Newer clients connecting to jump-17.ecmwf.int but using the old configuration (that will still refer to jump.ecmwf.int) will not work


Prerequisites

Before you start, make sure you have the following elements installed and available in your system:

Installation

Install the module from ECMWF public software repository:

user@local $ pip3 install teleport-browserless-login --user -U -i https://get.ecmwf.int/repository/pypi-all/simple

In order to install the extra certificates checks please install with the extras option  certificates-check  (requires the cryptography python package):

user@local $ pip3 install teleport-browserless-login[certificates-check] --user -U -i https://get.ecmwf.int/repository/pypi-all/simple

Note for Raspberry Pi users

If you get the error:

Could not install packages due to an EnvironmentError: 404 Client Error: Not Found for url: https://www.piwheels.org/simple/teleport-browserless-login/

Comment the line extra-index-url=https://www.piwheels.org/simple  from /etc/pip.conf

Basic Usage

A shell script is installed along with the package, so all the commands python3 -m teleport.login can be replaced with teleport-login  on Linux or Mac systems

Define the target service. On Linux, Mac, or Windows Subsystem for Linux (WSL):

export TSH_PROXY=jump-17.ecmwf.int:443

On Windows Powershell

$env:TSH_PROXY=jump-17.ecmwf.int:443

Alternatively, you may define it through a configuration file as described in Advance Usage.

You can now authenticate with our Teleport system with:

user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Configuration file not found [/home/demo/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INFO - Username is empty...
INPUT - ECMWF username: ecmwfusername
INFO - Password is empty...
INPUT - ECMWF password: ********
INPUT - OTP Token: ******
INFO - Starting [tsh login --browser=none --proxy=jump-17.ecmwf.int:443 --user=ecmwfusername]
INFO - Configuring HIDTokenHandler with successor NoneType
INFO - Configuring OTPTokenHandler with successor HIDTokenHandler
INFO - Configuring UsernamePasswordHandler with successor OTPTokenHandler
INFO - Configuring TeleportLoginUrlHandler with successor UsernamePasswordHandler
INFO - TeleportLoginUrlHandler finished
INFO - UsernamePasswordHandler finished
INFO - OTPTokenHandler finished
INFO - Login Successful
INFO - > Profile URL:        https://jump-17.ecmwf.int:443
Logged in as:       user.address@somewhere.com
Cluster:            jump-17.ecmwf.int
Roles:              shelluser
Logins:             ecmwfusername
Kubernetes:         enabled
Valid until:        2025-04-01 20:52:17 +0000 BST [valid for 11h58m0s]
Extensions:         permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty

Define the target service. On Linux, Mac, or Windows Subsystem for Linux (WSL):

export TSH_PROXY=jump.ecmwf.int:443

On Windows Powershell

$env:TSH_PROXY=jump.ecmwf.int:443

Alternatively, you may define it through a configuration file as described in Advance Usage.

You can now authenticate with our Teleport system with:

user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Configuration file not found [/home/demo/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INFO - Username is empty...
INPUT - ECMWF username: ecmwfusername
INFO - Password is empty...
INPUT - ECMWF password: ********
INPUT - OTP Token: ******
INFO - Starting [tsh login --browser=none --proxy=jump.ecmwf.int:443 --user=ecmwfusername]
INFO - Configuring HIDTokenHandler with successor NoneType
INFO - Configuring OTPTokenHandler with successor HIDTokenHandler
INFO - Configuring UsernamePasswordHandler with successor OTPTokenHandler
INFO - Configuring TeleportLoginUrlHandler with successor UsernamePasswordHandler
INFO - TeleportLoginUrlHandler finished
INFO - UsernamePasswordHandler finished
INFO - OTPTokenHandler finished
INFO - Login Successful
INFO - > Profile URL:        https://jump.ecmwf.int:443
Logged in as:       user.address@somewhere.com
Cluster:            jump.ecmwf.int
Roles:				
Logins:             ecmwfusername
Kubernetes:         disabled
Valid until:        2025-04-01 20:52:17 +0000 BST [valid for 11h58m0s]
Extensions:         permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty

That will prompt you for your ECMWF username, password and TOTP  of HID Token if TOTP is not configured.

This module will not attempt to authenticate if the current certificates are still valid.

Advanced Usage

For more advance usages, check the module  help:

user@local $ python3 -m teleport.login --help
VERSION = "1.1.8"

Environment Variables:
  ECMWF_USERNAME  The ECMWF Username
  ECMWF_PASSWORD  The ECMWF Password
  TSH_EXEC        The Teleport binary tsh path
  TSH_PROXY       The ECMWF Teleport proxy

Configuration file content example (yaml):
  tsh_exec: '/usr/local/bin/tsh'
  tsh_proxy: 'jump.ecmwf.int:443'
  ecmwf_username: 'your_username'
  ecmwf_password: 'your_password'

Usage: python -m teleport.login [OPTIONS]

Options:
  --configuration PATH    The path to the configuration file.
  -f, --force-clean       To Request a new certificate even if the current one
                          is valid.
  -o, --tsh-options TEXT  To add extra options to tsh command. e.g.: -o "--no-
                          use-local-ssh-agent" -o "--insecure"
  --help                  Show this message and exit.

You can configure your default settings in such as the ECMWF username and password, using environment variables or a configuration file. By default, this tool will look into   ~/.teleport-login.yaml but a different file may be passed with the --configuration option. Note that the tool will always prompt for the OTP token:

user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/home/demo/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INPUT - OTP Token: ******
...

An example of such a configuration file is:

user@local $ cat .teleport-login.yaml
tsh_exec: '/usr/local/bin/tsh'
tsh_proxy: 'jump-17.ecmwf.int:443'
ecmwf_username: 'your_username'
ecmwf_password: 'your_password'

You can override all configuration values by using  Environment Variables:

user@local $ export ECMWF_USERNAME='test'
user@local $ export ECMWF_PASSWORD='zzzz'
user@local $ export TSH_EXEC='tsh'
user@local $ export TSH_PROXY='jump-17.ecmwf.int:443'
user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/home/uid/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INFO - Environment variable [ECMWF_USERNAME] found. Overriding...
INFO - Environment variable [ECMWF_PASSWORD] found. Overriding...
INFO - Environment variable [TSH_EXEC] found. Overriding...
INFO - Environment variable [TSH_PROXY] found. Overriding...
INPUT - OTP Token:
INFO - Starting [tsh login --browser=none --proxy=jump-17.ecmwf.int:443]
...
user@local $ cat .teleport-login.yaml
tsh_exec: '/usr/local/bin/tsh'
tsh_proxy: 'jump.ecmwf.int:443'
ecmwf_username: 'your_username'
ecmwf_password: 'your_password'

You can override all configuration values by using  Environment Variables:

user@local $ export ECMWF_USERNAME='test'
user@local $ export ECMWF_PASSWORD='zzzz'
user@local $ export TSH_EXEC='tsh'
user@local $ export TSH_PROXY='jump.ecmwf.int:443'
user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/home/uid/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INFO - Environment variable [ECMWF_USERNAME] found. Overriding...
INFO - Environment variable [ECMWF_PASSWORD] found. Overriding...
INFO - Environment variable [TSH_EXEC] found. Overriding...
INFO - Environment variable [TSH_PROXY] found. Overriding...
INPUT - OTP Token:
INFO - Starting [tsh login --browser=none --proxy=jump.ecmwf.int:443]
...

If no configuration is provided the module will use default values:

  • tsh_exec - if  tsh  is on the system PATH, this can be left out the configuration file as the default is  tsh
  • tsh_proxy - this can be left out the configuration file as the default is  jump.ecmwf.int:443
  • username - will be prompted
  • password - will be prompted
  • token - will ALWAYS be prompted

This module will always prompt the user if some credential is missing.

Troubleshooting

If you run into problems, enabling DEBUG might be useful to get more information regarding the failure.  Just set the environment variable  DEBUG  to  True:

user@local $ DEBUG=True python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/home/uid/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INPUT - OTP Token:
DEBUG - Loaded Configuration: {"token": "xxxxxx", "username": "ecmwfusername", "password": "xxxxxxxx", "tsh_exec": "/usr/local/bin/tsh", "tsh_proxy": "jump-17.ecmwf.int:443"}
INFO - Starting [/usr/local/bin/tsh login --browser=none --proxy=jump-17.ecmwf.int:443]
DEBUG - Setting User-Agent: {'User-Agent': 'TeleportBrowserlessLogin/1.0.0 (Linux-5.4.72-microsoft-standard-WSL2-x86_64-with-glibc2.31) Python/3.9.5'}
DEBUG - Starting new HTTP connection (1): 127.0.0.1:42387
DEBUG - http://127.0.0.1:42387 "GET /fbbeee7d-dfc3-4b7b-a75a-830f48980d2e HTTP/1.1" 302 309
DEBUG - Starting new HTTPS connection (1): accounts.ecmwf.int:443
DEBUG - https://accounts.ecmwf.int:443 "GET /auth/realms/ecmwf/protocol/openid-connect/auth... HTTP/1.1" 200 5797
INFO - TeleportLoginUrlHandler finished
DEBUG - https://accounts.ecmwf.int:443 "POST /auth/realms/ecmwf/login-actions/authenticate... HTTP/1.1" 200 5654
INFO - UsernamePasswordHandler finished
DEBUG - https://accounts.ecmwf.int:443 "POST /auth/realms/ecmwf/login-actions/authenticate... HTTP/1.1" 200 5915
INFO - HIDTokenHandler finished
INFO - Login Successful
INFO - > Profile URL:        https://jump-17.ecmwf.int:443
Logged in as:       user.address@somewhere.com
Cluster:            jump-17.ecmwf.int
Roles:				shelluser
Logins:             ecmwfusername
Kubernetes:         enabled
Valid until:        2025-04-01 20:52:17 +0000 BST [valid for 11h58m0s]
Extensions:         permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty

If you need to pass additional options to the tsh command use  --tsh-options

user@local $ python3 -m teleport.login --tsh-options="--no-use-local-ssh-agent --insecure"

1 Comment

  1. Samuel William Murphy

    port 443 doesn't seem to work for me for the tsh_proxy "jump.ecmwf.int:443"

    what I tried initially

    $ teleport-login --force-clean
    (did not work)

    then I explicitly exported the tsh_proxy without port 443 and tried again

    $ export TSH_PROXY=jump.ecmwf.int
    $ teleport-login --force-clean
    (and it worked)