davido912 opened a new issue #10051: URL: https://github.com/apache/airflow/issues/10051
Relating to the SSH Hook stored in airflow/providers/ssh/hooks/ssh.py.

At the moment, the hook offers two ways of authenticating the connection.

The first is reading the private key from a file; if it is decrypted, the password will be passed to the connect function (the core paramiko one) and would be used as a passphrase there (since paramiko's connect states that if passphrase is none, and password is not none - use password to decrypt).

The second is ingesting a string containing the private key and casting it to a file object with StringIO. The private key is taken from the extra JSON. However, this method does not offer a way of decrypting the key with a passphrase.

This results in connections failing in cases of a decrypted private key, and defaults to using only a private key path, which is unfortunate in cases of wanting to leverage secrets, for example as a backend that stores the private key in a URI.

I was thinking about a way to solve this; however, I am not quite sure if putting the connection password for the passphrase would be the way to go. And I am not sure if, security-wise for the users, putting the passphrase in the extra JSON is secure by itself.

I'm putting this up here for discussion, because it basically renders one way of using this hook completely irrelevant.
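The gap described in the issue, as an added example that is not part of the original post or Airflow's code: a standard-library check that tells whether a private key held in a string is passphrase-protected, so a caller can fail with a clear error before the string reaches paramiko. The names `key_needs_passphrase`, `load_rsa_key` and `sample_openssh` are hypothetical, the sample keys are constructed placeholders, and where the passphrase comes from is left to the caller.

```python
import base64
import io
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def key_needs_passphrase(key_text):
    """True if a PEM/OpenSSH private key held in a string is passphrase-protected."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    begin, body = lines[0], lines[1:-1]
    if begin == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return True
    if begin == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"  # cipher name field
    # Traditional OpenSSL PEM declares encryption in a Proc-Type header.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)


def load_rsa_key(key_text, passphrase=None):
    """Fail early with a clear error, else hand the string to paramiko."""
    if key_needs_passphrase(key_text) and not passphrase:
        raise ValueError("private key is encrypted but no passphrase was supplied")
    import paramiko  # lazy import: the check above needs only the stdlib
    return paramiko.RSAKey.from_private_key(io.StringIO(key_text), password=passphrase)


def sample_openssh(cipher):
    """Constructed openssh-key-v1 header only (not a usable key)."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 8
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed traditional-PEM samples; the bodies are placeholders, not key material.
SAMPLE_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
```

`load_rsa_key` handles RSA keys only; paramiko's other key classes expose the same `from_private_key(file_obj, password=...)` classmethod.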
