Would it be desirable to have a special XML field for passwords in the CLI XML schema?
I have a use case where a CLI calls some functions via paramiko over an SSH connection, and the user needs to input a password for Slicer to pass as a parameter to a Python CLI.
I understand that some security issues arise, such as logging the user password, which may require a hashing scheme of some sort. I want to hear your thoughts on this issue, please.
Thank you very much.
There’s a string parameter type, can you just use that?
I don’t know paramiko, but if it’s like ssh you may also have the option of putting keys in .ssh folders, which would be more secure and probably easier than entering the password all the time.
I agree. Using key or token files should be the way to go, and string or file values should work for these. Since the file path is not sensitive information, it can show up in logs.
Thanks @pieper and @lassoan.
I was thinking of a special field that uses *** to mask the password and does some sort of hashing to pass to the command line interface, but I guess you are right. Using keys would be the most elegant way to solve the issue. I may create an auxiliary module designed to help the user generate keys and do an ssh-copy-id to the server before using the CLI. That way the user inputs the password momentarily and inside Slicer only. Another option would be just showing a help text to teach them how to issue ssh-keygen and ssh-copy-id.
Hi guys, as you stated before, using keys is the solution to this one.
But when I use a <file> parameter type, the user is asked to choose the ssh pub key. I wanted to make things easier for them and set a <default> key file. Is there a way to set a default in the XML file and use something like
I guess it would need special treatment for each platform which complicates things.
If there is no way to do that, I can handle the case where the user does not change the default inside the CLI, changing the variable to the actual user profile folder.
In principle it would be possible to add this to the CLI mechanism if it’s not already supported (I don’t recall but I think not). But realistically the CLI mechanism is a bit hard to customize so you might be better off using a scripted module to add some custom widgets to what the CLI generates.
Probably you can specify a default value, but I think it has to be the same for all platforms. We often use the empty value as an indication that some default/automatic value should be used. For example, specify the key file or leave the path empty for auto-detect.
If you need a more fine-tuned user experience then I agree with @pieper that you can add a thin convenience GUI frontend (or implement the entire logic) as a Python scripted module.
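The "empty value means auto-detect" convention suggested above, sketched for a Python CLI as an added example (not code from this thread or from Slicer). The names resolve_key_file and DEFAULT_KEY_NAMES and the key-name order are assumptions; the resolved file is the private key, which is what SSH authentication reads.

```python
import os
import stat
from pathlib import Path

# Conventional OpenSSH private key file names; the order is an assumed preference.
DEFAULT_KEY_NAMES = ("id_ed25519", "id_ecdsa", "id_rsa")


def resolve_key_file(cli_value, home=None):
    """Return the private key path to use, or raise with a message safe to log.

    cli_value is the string the CLI received for its <file> parameter. An empty
    value means "auto-detect" in the user's .ssh folder, on any platform.
    home overrides the profile folder (hypothetical hook, used for testing).
    """
    home = Path(home) if home else Path.home()
    if cli_value and cli_value.strip():
        candidates = [Path(os.path.expandvars(cli_value.strip())).expanduser()]
    else:
        candidates = [home / ".ssh" / name for name in DEFAULT_KEY_NAMES]

    for path in candidates:
        if not path.is_file():
            continue
        # A .pub file holds only the public half and cannot authenticate.
        if path.suffix == ".pub":
            raise ValueError(f"{path} is a public key; select the private key file")
        # On POSIX, OpenSSH rejects keys readable by group/others; apply the same rule.
        if os.name == "posix" and stat.S_IMODE(path.stat().st_mode) & 0o077:
            raise PermissionError(f"{path} is accessible by other users; chmod 600 it")
        return path
    raise FileNotFoundError(
        "no SSH private key found; tried: " + ", ".join(str(p) for p in candidates)
    )

# The returned path is what gets passed on, e.g. to
# paramiko.SSHClient.connect(..., key_filename=str(path)).
# Only the path appears in logs or error messages, never key material or a password.
```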