Withouth sshpass installed I get this error:

Usage: mccli [OPTIONS] COMMAND [ARGS]...

Error: No such command 'ssh-oidc-demo.data.kit.edu'.

Which makes sense, if you know the cause :)

Maybe adding a short "Prerequisites" section to installation.rst:

Prerequisites:
=============
Required dependencies:
- `sshpass`: This package is available on most linux distributions as `sshpass`
- `oidc-agent`: This package is available on most linux distributions as `oidc-agent` (use `oidc-agent-cli` on systems without GUI)
     

mccli --mc-endpoint http://some_url ssh hostname

is not the same as

mccli ssh --mc-endpoint http://some_url hostname

Only the second example uses the given mc_endpoint.

Solution: look into context passing for click

If the server only supports one issuer, use that without asking the user to set the oidc-agent account or pass the AT. Depends on #2.

When no AT source is specified, mccli tries to get the list of supported OPs from motley_cue and, if only one is supported, tries using that to get an AT from the oidc-agent.

When multiple OPs are supported, make the error message more informative by printing the list of supported OPs.

mccli info <token> or `mccli info
could display output just like flaat-userinfo (because then people don't need to install flaat).

But this is really just nice to have.

oidc-agent supports default accounts for each issuer.

Need to:

• minimise user interaction
• save oidc-agent configs to retrieve AT on subsequent calls

From requests v2.3, support for urllib3 v2.0 was added, which breaks mccli on systems with OpenSSL older than 1.1.1 (e.g. CentOS 7).

Fix: use older urllib3 on those systems:

pip install  --force-reinstall -v "urllib3==1.26.15"

When using a wrong hostname, the error message is:

error: Could not infer motley_cue endpoint from command. Please specify motley_cue endpoint via --mc-endpoint.

It would make sense to first check two things and report them first:

• does the hostname resolve to an IP address?
• does the resolved IP address listen on the specified port?

User should be able to find out supported issuers & authorised groups.

mccli should first try 443. If that is not available, (e.g. because the server didn't install a certificate yet) it should

• try 8080
• issue a warning that encryption is not working yet
• ask the user to continue
• continue using 8080

Inform the user in cases such as:

• assurance was not sufficient
• token expired
• ...

And give recommendations on commands to run (expired token => use oidc-agent interface directly, ...)

check if the incoming AT is longer than 1023 (or 1024?) and issue an error about it

This is a consequence of renaming mc_ssh to mccli, which was done in 3 steps:

• git repository rename
• new pypi project mccli with version 0.3.0
• new release for mc_ssh on pypi (0.3.0) that makes the project inactive, contains only info on renaming, and pulls new mccli as dependency.

The problem is that both mc_ssh (<0.3.0) and mccli contain the binary mccli. Upgrading mc_ssh to 0.3.0 first:

• installs mccli dependency, then
• removes the old mc_ssh version (0.2.9, inclduing the mccli binary), and then
• installs the new mc_ssh (0.3.0, without the mccli binary)

Consider configuration in /etc/resolf.conf or /etc/hosts

Call feudal deploy on every login instead of just get_status -> even if user already exists, user groups might need to be updated