Optional passthrase when using SSH key in UI

[worksofliam]

Needed as a new connection prop

[priceaj]

If we are doing this for security, then I think SSH2 supports using an SSH agent (e.g. Pagent), which is definitely better than storing the credentials in our extension (even with secure storage). Maybe we should steer people to use that and possibly drop support for storing credentials at all?

Best practice would be to store the SSH Keys in an Agent, and have the extension retreive them from said agent as required. User/password logins should never be used, and keyboard interactive logins should definitely be turned off!!

Here is some 10 year old security advice for your delectation!

https://www.youtube.com/watch?v=_i7v7Of5UPI
https://www.youtube.com/watch?v=ougAC38QCTY

[worksofliam]

@priceaj The chances of us dropping credentials right now are very low - I think if we did that, we'd need to add a way to make it easy to generate SSH keys and get them uploaded to IBM i automatically (ssh-copy-id?)

I think what we should do in the meantime, is absolutely warn the user when they log in with a password.

You should log in using an SSH key instead. Would you like to set one up now?

Then the yes button could generate a key, upload it to the system, update their connection settings to point to the key, and then disconnect. What do you think of that?

Also, the original issue here is when using an SSH key + passphrase. Perhaps the passphrase could be a quick popup box where the user needs to enter it in every time they connect like they would when they connect thru a terminal.

[worksofliam]

@priceaj Created #475 to continue talking about automatically generating a key. Let's leave this issue for the passphrase.

[ArrowComputingTech]

Would be good to give the user the option to set up a key if they're using password to login.
Extra nice if it warned them to turn password based logins off on their server every time they log in and it's still on.

Using an agent would mitigate the need for password prompt, but yes if the key isn't found in agent, a one time entry would be appropriate.

[brandonp42]

Just an idea here - I've started using ssh certificates (with a passphrase on my CA) instead of a passphrase on my actual ssh key and signing it at login for every day with a limited validity period. This has been much more reliable for me vs using ssh agents. It would be nice if I could use that certificate with this plugin. I might look into adding this myself when I get a chance and submitting a PR.

[brandonp42]

Nevermind about the certificates, the upstream packages don't appear to support them... see mscdex/ssh2#551

[alanseiden]

In discussion with Liam:

• Server asks client for passphrase
• IBMi.ts needs event listener defined. When event triggered, show popup box asking for passphrase.