NoSQLBooster for MongoDB (formerly MongoBooster)
New Topic
NoSQLBooster for MongoDB (formerly MongoBooster)TopicIdea
Properties
Category Uncategorized

Call OpenSSH client directly instead of embedded SSH one

aeris shared this idea 8 years ago
Under Consideration

Seems mongobooster uses built-in SSH client.


This leads to some problems or missing features :

  • No usage of already existing ssh_config file
  • No support for bounce server
  • No support for SSH agent (for keys protected or embedded into smartcard and to avoid password storage inside mongobooster)
  • No support for custom SSH configuration/client (eg https://github.com/aeris/ssh-ident for identity separation)
  • No support for existing SSH multiplexing (ControlMaster)
  • More generally, no support of all built-in OpenSSH features not currently ported to MongoBooster (ECDSA/ED25519 host & client key type, CHACHA20+POLY1305 encryption, Curve25519 key exchange, SSHFP fingerprint support…)


Will be better to have an option to run directly official SSH client (ideally from PATH lookup for ssh-ident compatibility) instead of embedded one to have all those features needed to access some mongodb production server.

5 I like this idea 0  

Replies (3)

photo
1
blaubaer 2 years ago

Is there any progress on this? The current implementieren is not really usable as on the one hand more and more people using more modern SSH keys (which are currently not supported by this client) and also SSH agents are not supported. That's odd. :-(

Reply
photo
1
qinghai (support@nosqlbooster.com) 2 years ago

Thank you for your feedback.

Could you list which modern SSH keys are not supported?

NoSQLBooster V7.0 uses the SSH2 1.3.0. All support keys, https://github.com/mscdex/ssh2/tree/v1.3.0#client-methods

And, Can you tell me which mongo GUI supports SSH agents? For reference and learning

Reply
photo
1
blaubaer 2 years ago

Hi,

sure.


Could you list which modern SSH keys are not supported?

I've a key which is a ed25519 and this one is rejected with the following message: 

SSH Error:Cannot parse privateKey: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT","stack":"Error: Cannot parse privateKey: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT


I tested it in several ways. But it doesn't work.


With alternative applications like DataGrip 2021.3.4 it works either with the SSH agent but also with the key I used with NoSQLBooster 7.0.8.


Maybe some background:

  1. OS: Windows 11 64Bit

  2. SSH Key: ed25519

  3. SSH Agent: Windows builtin Open SSH-Agent

Reply
photo
2
qinghai (support@nosqlbooster.com) 2 years ago

We have worked out a new test build to support more format. Please download and give it a try.

http://s3.mongobooster.com/download/releasesv7/nosqlbooster4mongo-7.0.10-beta.1.exe


If it still does not work, could you please give the format of your key? pem, open SSH or putty?

e.g.

-----BEGIN RSA PRIVATE KEY-----

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

-----END RSA PRIVATE KEY-----

photo
1
blaubaer 2 years ago

Ok, with this version it seems to work. I used regular OpenSSH ed25519 key in PEM format. Like: 

-----BEGIN OPENSSH PRIVATE KEY-----
[..]
-----END OPENSSH PRIVATE KEY-----

photo
1
blaubaer 2 years ago

Finally support for either Pageant and/or Windows Open SSH-Agent + regular Unix based Open SSH-Agent might be highly appreciated. 🙂

photo
1
qinghai (support@nosqlbooster.com) 2 years ago

Thx. Could you tell me what are the advantages of external SSH agents over built-in SSH agents?

photo
1
blaubaer 2 years ago

Could you tell me what are the advantages of external SSH agents over built-in SSH agents?

Sure! I believe the easiest way to answer this questions is to link to 2 articles which explaining this the best way I cannot do it better:

  1. https://unix.stackexchange.com/questions/72552/whats-the-purpose-of-ssh-agent#answer-72558
  2. https://smallstep.com/blog/ssh-agent-explained/

For personally the following points are important:

  1. I don't have to trust another application (like NoSQLBooster) that the whole application is 100% trustworthy. Because this application will never see my private key itself.
  2. I don't have to type in over and over again my passwords (of my private key somewhere).
  3. I don't have to remember which is the right key for the target server, because I'm (personally) have to deal with ~14 different keys. The Agent is doing that for me.
  4. Less configuration for applications, because it just works.

photo
1
Alexander Filatov 23 months ago

My private keys are kept on a hardware storage (yubikey) and cannot be exported. I have an ssh-agent that can work with the storage but can't find how to use it with NoSQLBooster.

photo
Leave a Comment
 
Attach a file