Ask for SSH password using getpass

[jan-janssen]

No description provided.

[niklassiemer]

Code changes seem to enable the getpass functionality, however, how often is one asked to provide the passwords? I really think it is a major security flaw to have the ssh password directly stored as plain text...

[jan-janssen]

Code changes seem to enable the getpass functionality, however, how often is one asked to provide the passwords? I really think it is a major security flaw to have the ssh password directly stored as plain text...

The password is only required when the connection is opened, so when the first job submitted the password is required but afterwards in the same notebook other jobs use the same connection.

[niklassiemer]

So, if someone is developing something, it might out to be really annoying due to multiple kernel restarts... However, they could also use a control master outside of pyiron to hold up the connection and just use that all the time.

Would you agree to remove the possibility to store the plain text password in the config file altogether? Storing it this way most certainly violates the terms of usage for every HPC system...

I will try this setup once with my control master in the .ssh/config - it might be that the second attempt runs without any problem.

[jan-janssen]

So, if someone is developing something, it might out to be really annoying due to multiple kernel restarts... However, they could also use a control master outside of pyiron to hold up the connection and just use that all the time.

Control master is not yet officially supported by paramiko: paramiko/paramiko#852

Would you agree to remove the possibility to store the plain text password in the config file altogether? Storing it this way most certainly violates the terms of usage for every HPC system...

I do not think that pysqa should introduce this restriction, as there are still use cases where a fully automated authentication is required. Still I agree that pysqa should provide the user with options to also their password manually when this is required by the security policies of the computing center. This functionality is introduced with this pull request. That is why I would like to merge it soon and release a new pysqa version.

I will try this setup once with my control master in the .ssh/config - it might be that the second attempt runs without any problem.

[niklassiemer]

I agree, the functionality to not put a password is implemented and I am also ok, with pysqa not restricting the usage of a stored password altogether.

When we document this, I would add a disclaimer that this is a possible security risk and one should check the policies of the target system.

[jan-janssen]

When we document this, I would add a disclaimer that this is a possible security risk and one should check the policies of the target system.

Yes, I added an issue to extend the documentation #264 - unfortunately currently the remote submission only works with pyiron_base so this needs some more generalisation for the next minor release 0.2.0.