Per-user/host password memory (was: Possible issue in password memory)

[bitprophet]

Description

This may only occur when one switches out the user to connect as in the middle of a session (by changing env.host_string), but a successful connection password is not carried over for use as a sudo password (it's automatically tried and then fails). See what's up and figure out if it's fixable without moving to a more serious per-user/host memory setup as seen in some other ticket.

---

Originally submitted by Jeff Forcier (bitprophet) on 2010-07-14 at 12:50pm EDT

Relations

• Related to Test server does not shut down cleanly #198: Test server does not shut down cleanly
• Related to Better in-thread exception handling #204: Better in-thread exception handling
• Related to Password memory edge case: passphrase vs password #213: Password memory edge case: passphrase vs password
• Related to Improved prompt detection and passthrough #7: Improved prompt detection and passthrough
• Related to In some situations, pressing Enter does *not* reuse the previous password #97: In some situations, pressing Enter does not reuse the previous password

---

Closed as Done on 2010-08-06 at 09:08pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Once again this has turned into a "test trivial, support for writing test nontrivial" sort of ticket. I've added authentication handling of a sort to the server, insofar as it can return AUTH_FAIL if not given the right info, and the ability for tests to control whether pubkey is allowed or not.

However, the real problem is that on a real SSH server, >1 transport can be opened at once, e.g. two different authentication connections for two different users. On this test server that's not currently possible, so the second connection attempt dies after a timeout is reached.

Need to update the test server to do whatever real servers do w/r/t threading or multiprocessing, I fear. Unsure how this will affect the current (kind of crappy) methods of controlling the test server, e.g. the use of Event objects to determine when the server thread should die, and now whether public key access is allowed.

This may necessitate a return to the drawing board re: one server process spin-up per test / code block, I'm not sure. Hopefully not.

---

on 2010-07-16 at 04:13pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Used SocketServer but had to backport the Python2.6 version since the 2.5 version is braindead re: stopping the server.

It appears to work now (though my test still fails for some reason, hopefully something simple) though at least one of the processes/threads sticks around for a while afterwards, insofar as two test runs concurrently will cause the second one to get a "oh god port still in use" error. Have not checked yet to see if that is related to timeouts or what.

---

on 2010-07-20 at 05:56pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Note also that something -- hopefully the same issue causing sockets to not disconnect on my system -- causes fab test to hang entirely at the end of the run on Ubuntu 10.04 (but not on 8.04 or Leopard).

---

on 2010-07-21 at 12:57pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Interesting, running the entire test suite makes all tests pass, but running just the network tests causes that password-memory test to fail as mentioned above. (Not actually fail, just warn, but that indicates the test needs more work.)

---

on 2010-07-22 at 09:57am EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

While working on the test, noticed that connection authentication doesn't have the same "3 strikes" behavior as real SSH; I assume because the ParamikoServer.check_auth_password method I wrote returns AUTH_FAILED after a single test. Unsure if I'm supposed to be implementing 3-strikes style stuff inside that method or what; will poke around.

The result of the current behavior is that a new connection is spun up for each password retry (and the previous one does not close right away either), so not only is there no 3 strikes, but a whole bunch of threads end up opening.

Finally: need a way for the tests to send passwords down automatically instead of prompting the (testing) user. Joy!

---

on 2010-07-22 at 10:42am EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Well, test still needs expect-like behavior (#177) to work right, but the actual issue is identified now I think -- it's #97. As I read it, the history goes like this:

• Beginning of time: Started out by always overwriting env.password with any entered password
• Later: Changed the behavior to only overwrite env.password if it's empty
• In In some situations, pressing Enter does *not* reuse the previous password #97: Reverted to the previous behavior (always overwrite env.password)
• Sometime after that: Reverted again to only overwriting if empty

Clearly there's no "right" way to do this except to have per-user/host combo password memory:

• If one always overwrites, then a series of connections that looks like user1 user2 user2 user1 will require you to (re)enter passwords 3 times (1st user1, user2, last user1).
  • However, the most recently entered password is always the one that is tried at the next prompt, which lines up with what the "press Enter for previous password" implies.
  • However however, that "press Enter" behavior doesn't even make sense in this scenario! (Since Fabric automatically tried that password and it didn;t work, which is why it's prompting you now.)
• If one only fills env.password once, then the first password entered is always the one re-tried automatically and used when you press Enter.
  • This is even more confusing! And not useful!
  • It also means that if one flubbed the original password prompt, that incorrect password is now stuck in env for the duration of the run (which is VERY frustrating).

I think that given all the above, and given user expectations, the most sensible thing is to update env.password to be a dict instead of a string, and to do away with the "press Enter to re-use" entirely as that only seems to further confuse things now that the stored password is tried automatically.

Thought there was a ticket for that, but not seeing it, unless it's in another ticket and not using the word "password" or "auth" anywhere. So this is now it!

---

on 2010-07-22 at 01:06pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Moving the test server bug about shutdowns into #198.

---

on 2010-07-22 at 01:50pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

I'm a maroon, #177 isn't actually what I need, just need to mock out prompt_for_password.

---

on 2010-08-01 at 01:21pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Thinking that we can continue supporting env.password but just use it as the default value when a lookup in the per-host/user password dict misses. This way the commonly advertised/used methodology of setting env.password at module level won't break right away.

---

on 2010-08-01 at 01:54pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Contrasting thought to above: using a single, default/fallback password cache will still result in extraneous "bad password" errors, in the 2-user scenario:

1. user1 connects, password is prompted for, then cached as the default [which was empty] as well as the user1-specific password
2. user2 connects, and the default password, which is user1's password, is automatically tried -- and fails
3. user2 is prompted for a password, due to the above failure, and that result is cached as user2's password only
4. user2 connection is retried with this new password, and succeeds
5. Then user2 may e.g. sudo and their user-specific password will be auto-tried, and should succeed

While this does not result in actual process abortion, and while the user being prompted for user2's password will always have to occur, it's still both an ugly display error, and may result in specious log entries on the remote end (as well as using up one of the usual three "strikes"). So, it's not awful, but it's an argument against using a default password cache at all.

Without one, the simple base case would require a user doing something like `env.passwords['my username'] = 'my password'. I think this is another argument for an OO approach to host metadata, honestly.

Note also that the last step above is also where the current implementation causes outright problems instead of just noisy "errors". The "fills in once and is never overwritten" one-password cache is auto-tried every time, so the "connect as user1, connect as user2, sudo as user2" process requires not one but two manual entries of user2's password.

---

on 2010-08-01 at 09:09pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Have test working semi well, insofar as I figured out how to restructure it to assert what I needed, namely that prompt_for_password should NOT be called during user2's sudo call.

However, the Fudge exception raise that should be causing the test to fail doesn't actually cause failure -- things just hang around. The exception raises but only in the output handler thread (which I assume terminates) and the other threads just sit around until Ctrl-C or similar is invoked. This is true in normal non-test usage as well, so it's something that needs fixing anyway. Say hi to #204.

---

on 2010-08-01 at 10:00pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Think I have the test ironed out, but AS USUAL something else has cropped up, namely env dict bleed between tests is starting to screw a number of them up (now that we're using env.password and env.passwords differently).

Started turning the test_network.py suite into a class so I can have per-test setup/teardown; that's bringing its own problems that now need to be fixed. Ugh.

---

on 2010-08-04 at 11:16pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Once tests work, last step is to refactor the env.password/env.passwords updating, right now it's copypasta'd.

---

on 2010-08-04 at 11:18pm EDT

[bitprophet]

Jeff Forcier (bitprophet) posted:

---

Got class based tests, per-test setup/teardown working (deepcopy to the rescue...) and now the test suite passes.

However, when trying to force a fail on the test for this ticket, I found that it still fails correctly, but then a later test locks up, so clearly some state or thread is causing issues still. Will investigate.

---

on 2010-08-05 at 04:38pm EDT