teleport-browserless-login
This software will allow you to login to teleport and get the certificate without a browser (or X-capabilities)
...
.
Prerequisites
Before you start, make sure you have the following elements installed and available in your system:
- Python 3
- pip
- The Teleport standard tsh client as described in Teleport SSH Access
Installation
Install the module from ECMWF public software repository:
Code Blocknoformat |
---|
language | bash |
---|
title | Installation |
---|
|
user@local $ pip3 install teleport-browserless-login --user -U -i https://get.ecmwf.int/repository/pypi-all/simple |
In order to install the extra certificates checks please install with the extras option certificates-check
(requires the cryptography python package):
Code Blocknoformat |
---|
language | bash |
---|
title | Installation |
---|
|
user@local $ pip3 install teleport-browserless-login[certificates-check] --user -U -i https://get.ecmwf.int/repository/pypi-all/simple |
...
Note |
---|
title | Note for Raspberry Pi users |
---|
|
If you get the error: Code Blocknoformat |
---|
| Could not install packages due to an EnvironmentError: 404 Client Error: Not Found for url: https://www.piwheels.org/simple/teleport-browserless-login/ |
Comment the line extra-index-url=https://www.piwheels.org/simple from /etc/pip.conf |
...
Basic Usage
Tip |
---|
A shell script is installed along with the package, so all the commands python3 -m teleport.login can be replaced with teleport-login on Linux or Mac systems |
You can now authenticate with our Teleport system with:
No Format |
---|
user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Configuration file not found [/home/demo/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INFO - Username is empty...
INPUT - ECMWF username: us9
INFO - Password is empty...
INPUT - ECMWF password: ********
INPUT - OTP Token: ******
INFO - Starting [tsh login --browser=none --proxy=jump.ecmwf.int:443 --user=us9]
INFO - Configuring HIDTokenHandler with successor NoneType
INFO - Configuring OTPTokenHandler with successor HIDTokenHandler
INFO - Configuring UsernamePasswordHandler with successor OTPTokenHandler
INFO - Configuring TeleportLoginUrlHandler with successor UsernamePasswordHandler
INFO - TeleportLoginUrlHandler finished
INFO - UsernamePasswordHandler finished
INFO - OTPTokenHandler finished
INFO - Login Successful
INFO - > Profile URL: https://jump.ecmwf.int:443
Logged in as: us.induction@ecmwf.int
Cluster: jump.ecmwf.int
Roles:
Logins: us9
Kubernetes: disabled
Valid until: 2022-12-17 03:52:17 +0000 UTC [valid for 11h58m0s]
Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
|
That will prompt you for your ECMWF username, password and TOTP
of HID Token
if TOTP
is not configured.
Info |
---|
This module will not attempt to authenticate if the current certificates are still valid. |
Advanced Usage
Check the module help
:
Code Blocknoformat |
---|
|
user@local $ python3 -m teleport.login --help
VERSION = "1.1.38"
Environment Variables:
ECMWF_USERNAME The ECMWF Username
ECMWF_PASSWORD The ECMWF Password
TSH_EXEC The Teleport binary tsh path
TSH_PROXY The ECMWF Teleport proxy
Configuration file content example (yaml):
tsh_exec: '/usr/local/bin/tsh'
tsh_proxy: 'jump.ecmwf.int:443'
ecmwf_username: 'your_username'
ecmwf_password: 'your_password'
Usage: python -m teleport.login [OPTIONS]
Options:
--configuration PATH The path to the configuration file.
-f, --force-clean To Request a new certificate even if the current one
is valid.
-o, --tsh-options TEXT To add extra options to tsh command. e.g.: -o "--no-
use-local-ssh-agent" -o "--insecure"
--help Show this message and exit. |
Using the module without arguments will prompt for the HID Token
or TOTP
(if configured instead) and load the default configuration fileYou can configure your default settings in such as the ECMWF username and password, using environment variables or a configuration file. By default, this tool will look into ~/.teleport-login.yaml
but a different file may be passed with the --configuration
option. Note that the tool will always prompt for the OTP token:
Code Blocknoformat |
---|
|
user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/home/uiddemo/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INPUT - OTP Token: ******
INFO - Starting [/usr/local/bin/tsh login --browser=none --proxy=jump.ecmwf.int:443 --user=us9]
INFO - Configuring HIDTokenHandler with successor NoneType
INFO - Configuring OTPTokenHandler with successor HIDTokenHandler
INFO - Configuring UsernamePasswordHandler with successor OTPTokenHandler
INFO - Configuring TeleportLoginUrlHandler with successor UsernamePasswordHandler
INFO - TeleportLoginUrlHandler finished
INFO - UsernamePasswordHandler finished
INFO - HIDTokenHandlerOTPTokenHandler finished
INFO - Login Successful
INFO - > Profile URL: https://jump.ecmwf.int:443
Logged in as: FirstNameus.LastName@ecmwfinduction@ecmwf.int
Cluster: jump.ecmwf.int
Roles:
Logins: uidus9
Kubernetes: disabled
Valid until: 20212022-0612-0717 0703:2857:5549 +01000000 BSTUTC [valid for 12h0m0s11h58m0s]
Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty |
If you want to provide a specific path for your configuration file using --configuration
and you will be prompt for the HID Token
:
Code Block |
---|
language | bash |
---|
title | Login with Configuration File |
---|
|
user@local $ python3 -m teleport.login --configuration /path/to/configuration.yaml
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/path/to/configuration.yaml]
INFO - Checking environment for configuration variables...
INPUT - OTP Token:
... |
An example of such a configuration file is:
Code Blocknoformat |
---|
language | bash |
---|
title | Configuration File Example |
---|
|
user@local $ cat .teleport-login.yaml
tsh_exec: '/usr/local/bin/tsh'
tsh_proxy: 'jump.ecmwf.int:443'
ecmwf_username: 'your_username'
ecmwf_password: 'your_password' |
You can override all configuration values by using Environment Variables
:
Code Blocknoformat |
---|
language | bash |
---|
title | Login with Environment Variables |
---|
|
user@local $ export ECMWF_USERNAME='test'
user@local $ export ECMWF_PASSWORD='zzzz'
user@local $ export TSH_EXEC='tsh'
user@local $ export TSH_PROXY='jump.ecmwf.int:443'
user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/home/uid/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INFO - Environment variable [ECMWF_USERNAME] found. Overriding...
INFO - Environment variable [ECMWF_PASSWORD] found. Overriding...
INFO - Environment variable [TSH_EXEC] found. Overriding...
INFO - Environment variable [TSH_PROXY] found. Overriding...
INPUT - OTP Token:
INFO - Starting [tsh login --browser=none --proxy=jump.ecmwf.int:443]
... |
...
- tsh_exec - if
tsh
is on the system PATH, this can be left out the configuration file as the default is tsh
- tsh_proxy - this can be left out the configuration file as the default is
sheljump.ecmwf.int:443
- username - will be prompted
- password - will be prompted
- token - will be prompted
Code Block |
---|
language | bash |
---|
title | Login Without pre Configurations |
---|
|
user@local $ python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Configuration file not found [~/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INFO - Username is empty...
INPUT - ECMWF username: uid
INFO - Password is empty...
INPUT - ECMWF password:
INPUT - OTP Token:
INFO - Starting [tsh login --browser=none --proxy=jump.ecmwf.int:443]
... |
Info |
---|
This module will always prompt the user if some credential is missing. |
Troubleshooting
If you want to enable DEBUG, run into problems, enabling DEBUG might be useful to get more information regarding a the failure, just . Just set the environment variable DEBUG
to True
:
Code Blocknoformat |
---|
|
user@local $ DEBUG=True python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/home/uid/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INPUT - OTP Token:
DEBUG - Loaded Configuration: {"token": "xxxxxx", "username": "uid", "password": "xxxxxxxx", "tsh_exec": "/usr/local/bin/tsh", "tsh_proxy": "jump.ecmwf.int:443"}
INFO - Starting [/usr/local/bin/tsh login --browser=none --proxy=jump.ecmwf.int:443]
DEBUG - Setting User-Agent: {'User-Agent': 'TeleportBrowserlessLogin/1.0.0 (Linux-5.4.72-microsoft-standard-WSL2-x86_64-with-glibc2.31) Python/3.9.5'}
DEBUG - Starting new HTTP connection (1): 127.0.0.1:42387
DEBUG - http://127.0.0.1:42387 "GET /fbbeee7d-dfc3-4b7b-a75a-830f48980d2e HTTP/1.1" 302 309
DEBUG - Starting new HTTPS connection (1): accounts.ecmwf.int:443
DEBUG - https://accounts.ecmwf.int:443 "GET /auth/realms/ecmwf/protocol/openid-connect/auth... HTTP/1.1" 200 5797
INFO - TeleportLoginUrlHandler finished
DEBUG - https://accounts.ecmwf.int:443 "POST /auth/realms/ecmwf/login-actions/authenticate... HTTP/1.1" 200 5654
INFO - UsernamePasswordHandler finished
DEBUG - https://accounts.ecmwf.int:443 "POST /auth/realms/ecmwf/login-actions/authenticate... HTTP/1.1" 200 5915
INFO - HIDTokenHandler finished
INFO - Login Successful
INFO - > Profile URL: https://jump.ecmwf.int:443
Logged in as: FirstName.LastName@ecmwf.int
Cluster: jump.ecmwf.int
Roles:
Logins: uid
Kubernetes: disabled
Valid until: 2021-06-07 07:28:55 +0100 BST [valid for 12h0m0s]
Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty |
This module will not attempt to authenticate if the current certificates are still valid.
Code Block |
---|
language | bash |
---|
title | Login with Certificates Checks |
---|
|
user@local $ DEBUG=True python3 -m teleport.login
INFO - Current certificate [/home/uid/.tsh/keys/jump.ecmwf.int/FirstName.LastName@ecmwf.int-x509.pem] is valid until [2021-06-08 20:49:58] |
If you need to pass additional options to the tsh command use --tsh-options
Code Block |
---|
language | bash |
---|
title | Passing other options to tsh |
---|
|
user@local $ python3 -m teleport.login --tsh-options="--no-use-local-ssh-agent --insecure" |
Note |
---|
NOTE: If you have enabled TOTP for your account, that one should be used instead of the old HID Token. |