Can bastion keys not be encrypted?
I couldn’t find anything in the docs, and while there is a commented out snippet in the Hello FABRIC notebook for seeding an environment variable with the sliver key passphrase, there’s nothing for the bastion key. However, it seems that slice submission does try to use the bastion key to do some work:
/opt/conda/lib/python3.9/site-packages/fabrictestbed_extensions/fablib/node.py in execute(self, command, retry, retry_interval)
677 bastion=paramiko.SSHClient()
678 bastion.set_missing_host_key_policy(paramiko.AutoAddPolicy())
--> 679 bastion.connect(fablib.get_bastion_public_addr(), username=fablib.get_bastion_username(), key_filename=fablib.get_bastion_key_filename())
680
681 bastion_transport = bastion.get_transport()
After which it quickly fails with AuthenticationException: Authentication failed. Is there a similar environment variable for bastion passphrases, or do I just have to leave the key unencrypted all the time?
The last section of the first cell of any example notebook has the following commented out. Uncomment it or set FABRIC_SLICE_PRIVATE_KEY_PASSPHRASE in any way you wish.
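# If your slice private key uses a passphrase, set the passphrase
import os  # needed for os.environ if not already imported earlier in the cell
from getpass import getpass
print('Please input private key passphrase. Press enter for no passphrase.')
# getpass() reads the passphrase without echoing it to the notebook output
os.environ['FABRIC_SLICE_PRIVATE_KEY_PASSPHRASE']=getpass()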
Soon we will update FABlib to allow you to set these directly but for now you just need to set the env var.
As I said in my original post, that only works for the slice key. There is a FABRIC_BASTION_KEY_PASSWORD defined in AbcFabLIB, but no one actually uses it, so it seems like you have to strip the bastion key to make post_boot_config work.
Ah, I didn’t read carefully enough. We will need to add that in the next version. I will add that to the list.
thanks,
Paul
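
As an added example (not FABlib code and not written by anyone in this thread), here is a standard-library pre-flight check that reports whether a bastion private key is passphrase-protected, which is the condition the thread reports as failing when connect() is given only key_filename. The function names, the constructed sample key envelope, and the treatment of FABRIC_BASTION_KEY_PASSWORD as an environment variable are assumptions.

```python
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\0"


def _field(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def key_is_encrypted(pem_text: str) -> bool:
    """Return True if this private key needs a passphrase to load."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armored private key")
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad OpenSSH key magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack_from(">I", blob, off)
        cipher = blob[off + 4:off + 4 + n]
        if len(cipher) != n:
            raise ValueError("truncated OpenSSH key header")
        return cipher != b"none"  # first header field is the cipher name
    # Legacy PEM (RSA/EC/DSA) flags encryption in an RFC 1421 header line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
               for ln in lines[1:3])


def bastion_preflight(pem_text: str, env=os.environ) -> str:
    """Classify the bastion key before any SSH connection is attempted."""
    if not key_is_encrypted(pem_text):
        return "unencrypted"
    # Assumption: the passphrase is looked up under the name quoted in the thread.
    if env.get("FABRIC_BASTION_KEY_PASSWORD"):
        return "encrypted-passphrase-set"  # must still reach connect(passphrase=...)
    return "encrypted-no-passphrase"  # the case the thread reports as failing


def make_sample_openssh_key(cipher: bytes) -> str:
    """Constructed sample: OpenSSH envelope header only, no real key material."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = base64.b64encode(OPENSSH_MAGIC + _field(cipher) + _field(kdf)).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Running bastion_preflight() on the contents of the bastion key file before slice submission separates "key is encrypted and nothing supplies the passphrase" from other causes of an authentication failure.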