[erlang-patches] EEP Light: Option to override private key lookup when using Erlang ssh client
Vipin Nair
swvist@REDACTED
Mon Nov 9 19:58:58 CET 2015
Hello Hans,
> You seem unaware of that both the client and the server get the keys
> from callbacks defined by the ssh_client_key_api and the
> ssh_server_key_api. The option key_cb defines the module to use for
> ssh:connect or ssh:daemon.
> [.....]
>
> See
> http://www.erlang.org/doc/man/ssh_client_key_api.html
> http://www.erlang.org/doc/man/ssh_server_key_api.html
I am aware of this but it is very limited and will not fit my usecase. Let me
give you an example of my usecase and demonstrate the limitation of the above
API:
I have to connect to hosts `host1` and `host2` as user `foo`. I have the private
key corresponding to each user/host pair in a database. For simplicity sake,
let's assume I can call a named process (PRIV_KEY_SERVER) that will return the
private key data for a particular user/host pair. Something like:
{ok, PrivKey} = gen_server:call(PRIV_KEY_SERVER, {get_priv_key, User, Host}).
Let's say we have a module(KeyCB below) that implements the ssh_client_key_api.
The definition could look like:
KeyCB:user_key(Algorithm, ConnectOptions) ->
{ok, PrivKey} = gen_server:call(PRIV_KEY_SERVER,
{get_priv_key, User, Host}).
This function cannot be implemented because I have no way to get the value of
`Host`. The the ssh:connect/3,4 options that are passed as `ConnectOptions` to
user_key/2 do have that value.
Now:
* I do not have the host name available and since host names need not be unique
across machines, I have no way to get the private key corresponding to a user
*and* a particular host from, say, a database.
* ssh:connect/3,4 validates the connect options so we cannot just add an extra
{host, "[HOSTNAME]"} to the connect options and get around the above
limitation.
* In my opinion, calling a database (or a named process like in the example
above) from a module implementing ssh_client_key_api creates a high level of
coupling that I would want to avoid when possible. Pragmatic way to do this
would be:
USER_INPUT -> FETCH_RELEVANT_DATA -> CREATE_SSH_CONN -> POST_CONNECT_STUFF
This flows helps with error handling better. Let's say the named process dies
for some reason, I do not wish to handle those kinds of error in my module
implementing ssh_client_key_api. I want to keep external (Non SSH) IO
elsewhere.
--
Regards,
Vipin
More information about the erlang-patches
mailing list