[Swift-devel] askpass for command line ssh provider?

Michael Wilde wilde at mcs.anl.gov
Mon Jan 16 10:44:30 CST 2012



----- Original Message -----
> From: "Jonathan Monette" <jonmon at mcs.anl.gov>
> To: "Michael Wilde" <wilde at mcs.anl.gov>
> Cc: "Mihael Hategan" <hategan at mcs.anl.gov>, "Swift Devel" <swift-devel at ci.uchicago.edu>
> Sent: Monday, January 16, 2012 10:31:21 AM
> Subject: Re: [Swift-devel] askpass for command line ssh provider?
> I always thought the solution to the OTP situation was to set up a
> master channel. Inside a portal this is easy. The portal knows which
> sites are used and which sites require an OTP. The portal can then set
> up a master channel. For the situation for the agents, the portal can
> always create the agent itself after prompting for a password once,
> can't it? In both scenarios the portal creates the mechanisms to limit
> the number of passwords that are required.

I think I agree with this - it's similar to what I wrote below.

I'm not sure I fully understand yet when you need a master channel and when you want an agent.  I *think* that you want a master channel whenever multi-hop SSH is needed, and an agent in the rest of the cases.  There also might be some subtleties related to the various forward and reverse tunnels we've needed to set up for various coaster configurations in clouds and other firewalled environments.

> For Swift, I do not think that these solutions work since Swift needs
> to be more general (maybe creating agent approach but that won't work
> for OTP situations).

Can you clarify what you mean here? It seems that there are 2 issues to work through:

- can we and should we create a useful set of manually-executable scripts for Swift users that encapsulate the various useful ssh configurations and incantations?

I hope the answer to this is "yes" to both.

- Should the swift command invoke any of these scripts automatically from the ssh-cl provider (or some other point in processing)?

I am less sure about the answer to this. I think the best approach is to initially make this manual, and show the user how to create wrapper scripts around the swift command that set up the necessary ssh access. Or possibly, command line options?  Or a .swift-ssh-setup rc file run by the swift command?

- Mike

> On Jan 16, 2012, at 10:07 AM, Michael Wilde wrote:
> 
> > Was: Re: [Swift-devel] command line ssh provider...
> >
> > After a bit more thought, it seems that enabling the ssh-cl provider
> > to prompt for passwords is perhaps not a required feature.
> >
> > We will for example need to access many systems that need a one
> > time password.
> >
> > But it's likely that such mechanisms need to be set up outside of
> > Swift (or at least outside the main line of the provider), using
> > agents or master channels, else the user would get multiple password
> > prompts per endpoint.
> >
> > For now, we can do this outside of Swift proper (i.e. in the various
> > portals, ideally via scripts that we package in swift/bin which can
> > be used by both command line users and by portal code).
> >
> > Later we can consider if it's reasonable to make the ssh-cl provider
> > smart enough to invoke such channel or agent setup scripts
> > automatically when needed.
> >
> > - Mike
> >
> >
> >
> > ----- Original Message -----
> >> From: "Mihael Hategan" <hategan at mcs.anl.gov>
> >> To: "Michael Wilde" <wilde at mcs.anl.gov>
> >> Cc: "Ben Clifford" <benc at hawaga.org.uk>, "Swift Devel"
> >> <swift-devel at ci.uchicago.edu>
> >> Sent: Friday, January 13, 2012 6:09:18 PM
> >> Subject: Re: [Swift-devel] command line ssh provider...
> >> On Fri, 2012-01-13 at 18:00 -0600, Michael Wilde wrote:
> >>> Another good test is to access e.g. surveyor, and intrepid using an
> >>> OTP via ssh-cl.
> >>
> >> A word of caution there: if the ssh client asks for the password on
> >> the command line (instead of through ssh-askpass or some other GUI),
> >> things won't work very well. It might be possible to add some
> >> detection for that in the provider, but that's not a high priority
> >> given that there is a workaround (askpass).
> >
> > --
> > Michael Wilde
> > Computation Institute, University of Chicago
> > Mathematics and Computer Science Division
> > Argonne National Laboratory

-- 
Michael Wilde
Computation Institute, University of Chicago
Mathematics and Computer Science Division
Argonne National Laboratory
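
Added example (not part of the original thread and not Swift project code): one way the manually run wrapper script discussed above could open a single OpenSSH master channel per host, so a password or OTP is entered once before the wrapped command starts. The script name, the CM_DIR default and the host names are hypothetical, and it assumes the wrapped command's ssh calls pick up the same ControlPath from ~/.ssh/config.

```sh
#!/bin/sh
# Hypothetical wrapper: with-ssh-masters.sh "host1 host2" command [args...]
# Opens one SSH master channel per host (the password or OTP prompt happens
# here, once), runs the command, then closes the masters for those hosts.
# Assumption: the command's ssh calls use the same ControlPath, for example
# via "ControlPath ~/.ssh/cm/%r@%h:%p" in ~/.ssh/config.

CM_DIR="${CM_DIR:-$HOME/.ssh/cm}"   # control socket directory (assumed default)

# Socket path pattern; ssh itself expands %r (user), %h (host), %p (port).
cm_path() {
    printf '%s/%%r@%%h:%%p' "$CM_DIR"
}

# Succeeds if a live master already serves host $1.
master_up() {
    ssh -o "ControlPath=$(cm_path)" -O check "$1" 2>/dev/null
}

# Start a background master for host $1 unless one is already up.
open_master() {
    master_up "$1" && return 0
    # Whoever can reach the socket can use the authenticated session,
    # so the directory is kept private to the user.
    mkdir -p "$CM_DIR" && chmod 700 "$CM_DIR" || return 1
    ssh -o ControlMaster=yes -o "ControlPath=$(cm_path)" -N -f "$1"
}

# Ask the master for host $1 to exit, ending the shared session.
close_master() {
    ssh -o "ControlPath=$(cm_path)" -O exit "$1" 2>/dev/null
}

# with_masters "host1 host2" command [args...]
with_masters() {
    hosts=$1; shift; rc=0
    for h in $hosts; do
        open_master "$h" || { echo "no master channel for $h" >&2; rc=1; break; }
    done
    # Run the command only if every master came up; always clean up after.
    if [ "$rc" -eq 0 ]; then "$@"; rc=$?; fi
    for h in $hosts; do close_master "$h"; done
    return "$rc"
}

if [ "$#" -ge 2 ]; then
    with_masters "$@"
fi
```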