Relating to the SSH Hook stored in airflow/providers/ssh/hooks/ssh.py.
At the moment, the hook offers two ways of authenticating the connection. The first reads the private key from a file and, if it is decrypted, the password is passed to the connect function (the core paramiko one) and used as a passphrase there (since paramiko's connect states that if passphrase is None and password is not None, the password is used to decrypt).
The second ingests a string containing the private key, casting it to a file object with StringIO. The private key is taken from the extra JSON. However, this method does not offer a way of decrypting the key with a passphrase. This results in connections failing in the case of a decrypted private key and defaults to using only a private key path, which is unfortunate when wanting to leverage secrets, for example as a backend that stores the private key in a URI.
I was thinking about a way to solve this; however, I'm not quite sure if using the connection password as the passphrase would be the way to go. I'm also not sure, security-wise for the users, whether putting the passphrase in the extra JSON is secure by itself.
I'm putting this up here for discussion, because it basically renders one way of using this hook completely irrelevant.
This discussion was converted from issue #10051 on June 03, 2022 10:39.