[Twisted-Python] Five Crazy Ideas to Start Your Week

Tommi Virtanen tv at twistedmatrix.com
Sun Oct 13 13:29:40 EDT 2002 

On Wed, Oct 09, 2002 at 01:44:14PM -0500, Glyph Lefkowitz wrote:
> > > These URLs need to be able to represent transport mechanism (TCP? UNIX socket?
> > > SSL? Weird firewall-tunneling stuff?)
> 
> > 	"Talk to subprocess that runs this command to connect to the other end"
> > 	("ssh remotehost pbserver", "ssh remotehost
> > 	connect-stdinout-to-unix-socket /path/socket")
> 
> > 	And yes, I may want that even after Twisted has a fully working
> > 	SSH implementation. For rex :)
> 
> I don't quite get what you're talking about here.  You want the URLs to be
> shell command-lines? :)

	Let's try with an example. My IMAP mail fetcher talks to my
	IMAP server by SSHing in and running a certain command.
	Now, s/IMAP/PB/, and I still want that to be easy. The only
	choices I see are splitting out the "connection establishment"
	from the software that talks PB
	(e.g. http://cr.yp.to/proto/ucspi.txt), or allow me to say
	"open connection there by running this command and talking to
	it".

> > >     pb://pyramid/identity:password@service#perspective
> > 	Eww. Passwords in URLs is baaad. Because users like to enter URLs on
> > 	command line.
> 
> > 	I'd much rather see an explicit "--password-file filename" and
> > 	"--password-fd n".
> 
> Yes, and smart users will use that, for the most part.  Still, you need a way
> to represent simple authentication as part of a URL.  Sometimes the URLs
> themselves will be secret and the authentication information will be a swiss
> number or something.  E does everything through exchange of URLs, and it's
> pretty secure.

	So, you need to specify "ask me this password with this mechanism",
	e.g. get the first password from fd 5 and second from fd 6. How
	does that fit in the URL, or does it?

> > > Public-key authentication mechanism, using the same identity name.  Connection
> > > over SSH transport (sshkey auth only available this way).
> > > 
> > >     pb-ssl://pyramid/cert$identity@service#perspective
> > > 
> > > PB over SSL, using certificate auth.
> > > 
> > >     pb://pyramid/this/that/the-other/my-service#perspective
> 
> > 	Hmm. Idea. Allow one to specify when the server is trusted.  "Connect
> > 	to server X if its public key has fingerprint F."  http://www.fs.net/
> 
> Any proposals for how to implement that?

	Similar to what SSH already does; stores the fingerprint in a file.
	Use the one given in the URL just like it would have been read from
	known_hosts. Same can apply for SSL, etc.

-- 
:(){ :|:&};:

More information about the Twisted-Python mailing list