teleport-browserless-login
This software will allow you to login to teleport and get the certificate without a browser (or X-capabilities)
Usage
Install the module from ECMWF public software repository:
Installation
user@local $ pip3 install teleport-browserless-login --user -U -i https://get.ecmwf.int/repository/pypi-all/simple
In order to install the extra certificates checks please install with the extras option certificates-check (requires the cryptography python package):
Installation
user@local $ pip3 install teleport-browserless-login[certificates-check] --user -U -i https://get.ecmwf.int/repository/pypi-all/simple
Note for Raspberry Pi users
If you get the error:
Could not install packages due to an EnvironmentError: 404 Client Error: Not Found for url: https://www.piwheels.org/simple/teleport-browserless-login/
Comment the line extra-index-url=https://www.piwheels.org/simple from /etc/pip.conf
Check the module help:
A shell script is installed along with the package, so all the commands python3 -m teleport.login can be replaced with teleport-login
Help
user@local $ python3 -m teleport.login --help
VERSION = "1.1.3"
Environment Variables:
ECMWF_USERNAME The ECMWF Username
ECMWF_PASSWORD The ECMWF Password
TSH_EXEC The Teleport binary tsh path
TSH_PROXY The ECMWF Teleport proxy
Configuration file content example (yaml):
tsh_exec: '/usr/local/bin/tsh'
tsh_proxy: 'shell.ecmwf.int:443'
ecmwf_username: 'your_username'
ecmwf_password: 'your_password'
Usage: python -m teleport.login [OPTIONS]
Options:
--configuration PATH The path to the configuration file.
-f, --force-clean To Request a new certificate even if the current one
is valid.
-o, --tsh-options TEXT To add extra options to tsh command. e.g.: -o "--no-
use-local-ssh-agent" -o "--insecure"
--help Show this message and exit.
Using the module without arguments will prompt for the HID Token or TOTP (if configured instead) and load the default configuration file ~/.teleport-login.yaml:
Login
user@local $ python3 -m teleport.login INFO - Certificates not found or not valid anymore INFO - Loading configuration file [/home/uid/.teleport-login.yaml] INFO - Checking environment for configuration variables... INPUT - OTP Token: INFO - Starting [/usr/local/bin/tsh login --browser=none --proxy=shell.ecmwf.int:443] INFO - TeleportLoginUrlHandler finished INFO - UsernamePasswordHandler finished INFO - HIDTokenHandler finished INFO - Login Successful INFO - > Profile URL: https://shell.ecmwf.int:443 Logged in as: FirstName.LastName@ecmwf.int Cluster: shell.ecmwf.int Roles: Logins: uid Kubernetes: disabled Valid until: 2021-06-07 07:28:55 +0100 BST [valid for 12h0m0s] Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
If you want to provide a specific path for your configuration file using --configuration and you will be prompt for the HID Token:
Login with Configuration File
user@local $ python3 -m teleport.login --configuration /path/to/configuration.yaml INFO - Certificates not found or not valid anymore INFO - Loading configuration file [/path/to/configuration.yaml] INFO - Checking environment for configuration variables... INPUT - OTP Token: ...
An example of such a configuration file is:
Configuration File Example
user@local $ cat .teleport-login.yaml tsh_exec: '/usr/local/bin/tsh' tsh_proxy: 'shell.ecmwf.int:443' ecmwf_username: 'your_username' ecmwf_password: 'your_password'
You can override all configuration values by using Environment Variables:
Login with Environment Variables
user@local $ export ECMWF_USERNAME='test' user@local $ export ECMWF_PASSWORD='zzzz' user@local $ export TSH_EXEC='tsh' user@local $ export TSH_PROXY='shell-test.ecmwf.int:443' user@local $ python3 -m teleport.login INFO - Certificates not found or not valid anymore INFO - Loading configuration file [/home/uid/.teleport-login.yaml] INFO - Checking environment for configuration variables... INFO - Environment variable [ECMWF_USERNAME] found. Overriding... INFO - Environment variable [ECMWF_PASSWORD] found. Overriding... INFO - Environment variable [TSH_EXEC] found. Overriding... INFO - Environment variable [TSH_PROXY] found. Overriding... INPUT - OTP Token: INFO - Starting [tsh login --browser=none --proxy=shell-test.ecmwf.int:443] ...
If no configuration is provided the module will use default values:
- tsh_exec - if
tshis on the system PATH, this can be left out the configuration file as the default istsh - tsh_proxy - this can be left out the configuration file as the default is
shel.ecmwf.int:443 - username - will be prompted
- password - will be prompted
- token - will be prompted
Login Without pre Configurations
user@local $ python3 -m teleport.login INFO - Certificates not found or not valid anymore INFO - Configuration file not found [~/.teleport-login.yaml] INFO - Checking environment for configuration variables... INFO - Username is empty... INPUT - ECMWF username: uid INFO - Password is empty... INPUT - ECMWF password: INPUT - OTP Token: INFO - Starting [tsh login --browser=none --proxy=shell.ecmwf.int:443] ...
This module will always prompt the user if some credential is missing.
If you want to enable DEBUG, might be useful to get more information regarding a failure, just set the environment variable DEBUG to True:
Debug
user@local $ DEBUG=True python3 -m teleport.login
INFO - Certificates not found or not valid anymore
INFO - Loading configuration file [/home/uid/.teleport-login.yaml]
INFO - Checking environment for configuration variables...
INPUT - OTP Token:
DEBUG - Loaded Configuration: {"token": "xxxxxx", "username": "uid", "password": "xxxxxxxx", "tsh_exec": "/usr/local/bin/tsh", "tsh_proxy": "shell.ecmwf.int:443"}
INFO - Starting [/usr/local/bin/tsh login --browser=none --proxy=shell.ecmwf.int:443]
DEBUG - Setting User-Agent: {'User-Agent': 'TeleportBrowserlessLogin/1.0.0 (Linux-5.4.72-microsoft-standard-WSL2-x86_64-with-glibc2.31) Python/3.9.5'}
DEBUG - Starting new HTTP connection (1): 127.0.0.1:42387
DEBUG - http://127.0.0.1:42387 "GET /fbbeee7d-dfc3-4b7b-a75a-830f48980d2e HTTP/1.1" 302 309
DEBUG - Starting new HTTPS connection (1): accounts.ecmwf.int:443
DEBUG - https://accounts.ecmwf.int:443 "GET /auth/realms/ecmwf/protocol/openid-connect/auth... HTTP/1.1" 200 5797
INFO - TeleportLoginUrlHandler finished
DEBUG - https://accounts.ecmwf.int:443 "POST /auth/realms/ecmwf/login-actions/authenticate... HTTP/1.1" 200 5654
INFO - UsernamePasswordHandler finished
DEBUG - https://accounts.ecmwf.int:443 "POST /auth/realms/ecmwf/login-actions/authenticate... HTTP/1.1" 200 5915
INFO - HIDTokenHandler finished
INFO - Login Successful
INFO - > Profile URL: https://shell.ecmwf.int:443
Logged in as: FirstName.LastName@ecmwf.int
Cluster: shell.ecmwf.int
Roles:
Logins: uid
Kubernetes: disabled
Valid until: 2021-06-07 07:28:55 +0100 BST [valid for 12h0m0s]
Extensions: permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty
This module will not attempt to authenticate if the current certificates are still valid.
Login with Certificates Checks
user@local $ DEBUG=True python3 -m teleport.login INFO - Current certificate [/home/uid/.tsh/keys/shell.ecmwf.int/FirstName.LastName@ecmwf.int-x509.pem] is valid until [2021-06-08 20:49:58]
If you need to pass additional options to the tsh command use --tsh-options
Passing other options to tsh
user@local $ python3 -m teleport.login --tsh-options="--no-use-local-ssh-agent --insecure"