Why there's no password management?

[fjcaetano]

First of all, this tool is awesome! Thank you very much! It's a life saver.

But I couldn't help myself wondering why there's no password management. Remembering all passwords from different connections is a pain and I think it could help a lot if storm could store them.

I don't know if Windows and Linux have a password management program, but Mac has the Keychain where all passwords, certificates, etc are stored. You could use one of these tools to persist the user's passwords.

[dmuth]

You should really give ssh keys a try. Here's a primer: https://help.ubuntu.com/community/SSH/OpenSSH/Keys

Since that's long, I'll provide a TL;DR:

• On the client
  • Run ssh-keygen
  • Copy the keyfile to $HOME/.ssh/id_rsa and $HOME/.ssh/id_rsa.pub
  • chmod 700 $HOME/.ssh
  • chmod 600 $HOME/.ssh/id_rsa.*
  • Copy the id_rsa.pub key to the server you want to log into
• On the server:
  • Move that file to $HOME/.ssh/authorize
  • chmod 700 $HOME/.ssh
  • chmod 600 $HOME/.ssh/authorized_keys

From there, you can normally play around with ssh-agent and key several keys in memory. EXCEPT, with Storm, you don't need to do that. :-)

I know it's a little complicated, as I used to use passwords everywhere too. But it scales in the long run, goes great with automation (think deployments and backups), and is the standard with popular systems like AWS.

-- Doug

[fjcaetano]

I know ssh keys are safer and better, but I have access to some servers that are no mine and my access was set with passwords, not keys, and I can't change it.

[emre]

First of all, this tool is awesome! Thank you very much! It's a life saver.

thank you, happy to hear it :)

But I couldn't help myself wondering why there's no password management. Remembering all passwords from different connections is a pain and I think it could help a lot if storm could store them.

storm uses basically standart sshconfig files, and there is no support built-in for automatic logins with password authentication in ssh.

I want to make storm simple so I don't want to get out of the scope of sshconfig files.

moreover, storing passwords is always tricky since it comes with a lot of security concerns. I can't imagine a good way to implement this into storm at this time. maybe, I'm just missing something :)

I use keys as @dmuth mentioned for like 15 servers and working good.

I know ssh keys are safer and better, but I have access to some servers that are no mine and my access was set with passwords, not keys, and I can't change it.

interesting case. normally, you should be able to set your key to your user's .authorized_keys if you can login.

[fjcaetano]

moreover, storing passwords is always tricky since it comes with a lot of security concerns. I can't imagine a good way to implement this into storm at this time. maybe, I'm just missing something :)

Take a look at https://pypi.python.org/pypi/keyring and sshpass: http://sourceforge.net/projects/sshpass/

interesting case. normally, you should be able to set your key to your user's .authorized_keys if you can login.

I could do that to some servers, but there's one, specifically, where my user only has read access. I can't write/edit anything. All I can do is access the log files from webservices.

[emre]

okay, thanks for the links.

I keep this issue opened and see what I can do for next releases.

[Bengt]

Using password managers of the operating system seems to be the proper way of storing passwords, storm would give up on being a manager for the ~/.ssh/config file, because it would store configuration for SSH in more than one place. Note that the .ssh/config has support for comments so, storm could use magic comments to store passwords directly in the config file. E.g. like this:

$ storm add bengt_Bengt-Laptop:22 bengt@Bengt-Laptop:22 --password topSecret
success  bengt_Bengt-Laptop:22 added to your ssh config. you can connect it by typing "ssh bengt_Bengt-Laptop:22".
$ cat ~/.ssh/config
Host bengt_Bengt-Laptop:22
    hostname Bengt-Laptop
    user bengt
    port 22
    #storm.password: topSecret
$

As with password managers of operating systems, storm would need to wrap around ssh and pass the passwords by interacting with it (e.g. by using sshpass). So either way, storm would need to give up on being a manager for the ssh config. In turn it is probably better to go with the proper solution and use the password managers of the operating system (e.g. using pipy/keyring).

[ldusan84]

This would be a great addition. I think the tool is great, but it's of little use when you have to type passwords every time.

[emre]

I have plans and ideas (including optional password management) for taking storm out from "ssh config wrapper" scope but that requires free time which I don't have nowadays.

[emre]

closed.