[Twisted-Python] Five Crazy Ideas to Start Your Week
tv at twistedmatrix.com
Sun Oct 13 13:29:40 EDT 2002
On Wed, Oct 09, 2002 at 01:44:14PM -0500, Glyph Lefkowitz wrote:
> > > These URLs need to be able to represent transport mechanism (TCP? UNIX socket?
> > > SSL? Weird firewall-tunneling stuff?)
> > "Talk to subprocess that runs this command to connect to the other end"
> > ("ssh remotehost pbserver", "ssh remotehost
> > connect-stdinout-to-unix-socket /path/socket")
> > And yes, I may want that even after Twisted has a fully working
> > SSH implementation. For rex :)
> I don't quite get what you're talking about here. You want the URLs to be
> shell command-lines? :)
Let's try with an example. My IMAP mail fetcher talks to my
IMAP server by SSHing in and running a certain command.
Now, s/IMAP/PB/, and I still want that to be easy. The only
choices I see are splitting out the "connection establishment"
from the software that talks PB
(e.g. http://cr.yp.to/proto/ucspi.txt), or allow me to say
"open connection there by running this command and talking to
> > > pb://pyramid/identity:password@service#perspective
> > Eww. Passwords in URLs is baaad. Because users like to enter URLs on
> > command line.
> > I'd much rather see an explicit "--password-file filename" and
> > "--password-fd n".
> Yes, and smart users will use that, for the most part. Still, you need a way
> to represent simple authentication as part of a URL. Sometimes the URLs
> themselves will be secret and the authentication information will be a swiss
> number or something. E does everything through exchange of URLs, and it's
> pretty secure.
So, you need to specify "ask me this password with this mechanism",
e.g. get the first password from fd 5 and second from fd 6. How
does that fit in the URL, or does it?
> > > Public-key authentication mechanism, using the same identity name. Connection
> > > over SSH transport (sshkey auth only available this way).
> > >
> > > pb-ssl://pyramid/cert$identity@service#perspective
> > >
> > > PB over SSL, using certificate auth.
> > >
> > > pb://pyramid/this/that/the-other/my-service#perspective
> > Hmm. Idea. Allow one to specify when the server is trusted. "Connect
> > to server X if its public key has fingerprint F." http://www.fs.net/
> Any proposals for how to implement that?
Similar to what SSH already does; stores the fingerprint in a file.
Use the one given in the URL just like it would have been read from
known_hosts. Same can apply for SSL, etc.
More information about the Twisted-Python