Re: Regarding feature "Option to skip Password-Dialog for identity file"

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Akshay Joshi <[email protected]>
To: Aditya Toshniwal <[email protected]>
Cc: Dave Page <[email protected]>
Cc: pgadmin-hackers <[email protected]>
Subject: Re: Regarding feature "Option to skip Password-Dialog for identity file"
Date: Tue, 30 Sep 2025 13:07:31 +0530
Message-ID: <CANxoLDfJCK34PWAz_Pu-zSPfXZHcRwvPFH+xBptTKPY8KPUEuA@mail.gmail.com> (raw)
In-Reply-To: <CAM9w-_=EkE2s=Pb7LSZnT4mC6QDOC7BLORhj_FiXq7Hh5ZMQnA@mail.gmail.com>
References: <CANxoLDch_B=O+zYcOL9=WMabnif8TRe-bxEbCwtkiZ0XXhHF5g@mail.gmail.com>
	<CAM9w-_nQoD0WwEWwGaWCKkR1k6R+jpJdyFHSwp8RnvocMt9CBQ@mail.gmail.com>
	<CANxoLDcqZzUp1fG5Y_ovDv4wGPj_JrZAALQ0ArAWg4vL+yCEWg@mail.gmail.com>
	<CAM9w-_kQNzh7kBJuAftKsz9N=q8mgsuWCRWi6rEeZ8XaNpsudw@mail.gmail.com>
	<CANxoLDfbDmj9NcKeH0+bnvXSn3rxLkAZHE65r=Cx+72hfmbnUg@mail.gmail.com>
	<CAM9w-_=ChSv6-wqhsKeGk5PdzEJ-4=J-0m1kEq6U8ULU58hHKA@mail.gmail.com>
	<CANxoLDcfEe-UfSfwkSVuC3YLT3wTPac+Vat5SQKaY8MeOotonA@mail.gmail.com>
	<CAM9w-_=EkE2s=Pb7LSZnT4mC6QDOC7BLORhj_FiXq7Hh5ZMQnA@mail.gmail.com>

On Tue, Sep 30, 2025 at 11:56 AM Aditya Toshniwal <
[email protected]> wrote:

> Hi Akshay,
>
> On Tue, Sep 30, 2025 at 11:50 AM Akshay Joshi <
> [email protected]> wrote:
>
>>
>>
>> On Tue, Sep 30, 2025 at 11:41 AM Aditya Toshniwal <
>> [email protected]> wrote:
>>
>>> Hi Akshay,
>>>
>>> On Tue, Sep 30, 2025 at 11:36 AM Akshay Joshi <
>>> [email protected]> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Sep 30, 2025 at 11:29 AM Aditya Toshniwal <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi Akshay,
>>>>>
>>>>> Even if you show the password dialog for the first time, the above
>>>>> scenarios are applicable.
>>>>> For the context of showing the password prompt first time or not - I'm
>>>>> suggesting we try first and then show the password prompt.
>>>>>
>>>>
>>>>    I tried that implementation, but what if the user doesn’t want a
>>>> password prompt at all when the identity file has no password? Do you think
>>>> the solution you provided fully meets the user’s requirements?
>>>>
>>> It will work the same as the existing flow. Users can proceed without
>>> entering any password.
>>>
>>
>>    That’s exactly what the user doesn’t want. The feature request has a
>> clear subject line: *“Option to skip Password-Dialog for identity file.”*
>> Similar requests have been raised by other users in the past, which we
>> closed as duplicates.
>>
> The request is to skip the password initially when connecting if an
> identity file is used. Subsequent prompts cannot be avoided if the
> connection fails.
> Later this can be improved further in future once sshtunnel provide more
> details.
>
I’m not convinced by this solution. Could you explain what issues you see
with the approach I proposed? To me, it seems simple: if a user has an
identity file without a password, disable the prompt; if the identity file
has a password, enable the prompt. Straightforward.
I’ll wait for Dave or others to share their thoughts on this.

>
>>>>> On Tue, Sep 30, 2025 at 11:16 AM Akshay Joshi <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hi Aditya,
>>>>>>
>>>>>> I already mentioned that I tried the same solution you suggested, but
>>>>>> there are a few combinations where it’s unclear when exactly we should
>>>>>> prompt for the tunnel password. For example, assuming an SSH tunnel with an
>>>>>> identity file that does not have a password:
>>>>>>
>>>>>>    1.
>>>>>>
>>>>>>    When a user connects to the server for the first time, the
>>>>>>    password dialog for the database server appears if the password has not
>>>>>>    been saved. If the user enters the wrong password, the error we receive is
>>>>>>    “SSHTunnel failed to create.” In this case, it’s unclear whether we should
>>>>>>    prompt for the tunnel password or not.
>>>>>>    2.
>>>>>>
>>>>>>    If the SSH tunnel fails to create for reasons other than
>>>>>>    authentication, the error from the sshtunnel library is not descriptive
>>>>>>    enough. Again, we don’t know whether prompting for the password is
>>>>>>    appropriate.
>>>>>>
>>>>>> Suppose we always prompt for the password after a connection attempt.
>>>>>> In that case, the original issue remains; users don’t want to see a prompt
>>>>>> if an identity file without a password is provided.
>>>>>>
>>>>>> That’s why I believe the solution I proposed is the simplest and most
>>>>>> user-friendly: if users don’t want to be prompted, they can simply disable
>>>>>> the prompt option from the server dialog.
>>>>>>
>>>>>> On Tue, Sep 30, 2025 at 10:33 AM Aditya Toshniwal <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hi Akshay,
>>>>>>>
>>>>>>> How about we prompt for password irrespective of what is the error
>>>>>>> from sshtunnel library?
>>>>>>> Try to connect without a password for identity file based, if any
>>>>>>> error comes then ask for password along with displaying the error message.
>>>>>>> No need to bother what the error is about.
>>>>>>>
>>>>>>> On Mon, Sep 29, 2025 at 7:27 PM Akshay Joshi <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Dave/Hackers,
>>>>>>>>
>>>>>>>> I am working on the feature "Option to Skip Password Dialog for
>>>>>>>> Identity File" #6996
>>>>>>>> <https://github.com/pgadmin-org/pgadmin4/issues/6996;.
>>>>>>>>
>>>>>>>> I initially tried implementing it so that the tunnel password would
>>>>>>>> not be requested upfront, and would only be prompted on error. However, the
>>>>>>>> *sshtunnel* library currently returns a generic error message, for
>>>>>>>> which I have created an issue on the SSHTunnel GitHub repository
>>>>>>>> #305 <https://github.com/pahaz/sshtunnel/issues/305;.
>>>>>>>>
>>>>>>>> This approach introduces multiple scenarios for when to prompt for
>>>>>>>> the tunnel password, making the code more complex and harder to maintain.
>>>>>>>>
>>>>>>>> *Proposed solution:*
>>>>>>>> Add a new switch *"Prompt for password?"* in the server dialog
>>>>>>>> under the *SSHTunnel* tab. By default, the switch is set to *false*
>>>>>>>> and is enabled only when the authentication method is *Identity
>>>>>>>> File*. See the screenshot below for reference.
>>>>>>>> [image: Screenshot 2025-09-29 at 7.12.17 PM.png]
>>>>>>>>
>>>>>>>> Thoughts/suggestions?
>>>>>>>>
>>>>>>>>
>>>>>>>> Akshay Joshi
>>>>>>>>
>>>>>>>> Principal Engineer | Engineering Manager | pgAdmin Hacker
>>>>>>>>
>>>>>>>> enterprisedb.com
>>>>>>>>
>>>>>>>> *  Blog*: https://www.enterprisedb.com/akshay-joshi
>>>>>>>> *  GitHub*: https://github.com/akshay-joshi
>>>>>>>> *  LinkedIn*: https:// <http://goog_373708537;
>>>>>>>> www.linkedin.com/in/akshay-joshi-a9317b14
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Thanks,
>>>>>>> Aditya Toshniwal
>>>>>>> pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
>>>>>>> <https://www.enterprisedb.com/;
>>>>>>> "Don't Complain about Heat, Plant a TREE"
>>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Thanks,
>>>>> Aditya Toshniwal
>>>>> pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
>>>>> <https://www.enterprisedb.com/;
>>>>> "Don't Complain about Heat, Plant a TREE"
>>>>>
>>>>
>>>
>>> --
>>> Thanks,
>>> Aditya Toshniwal
>>> pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
>>> <https://www.enterprisedb.com/;
>>> "Don't Complain about Heat, Plant a TREE"
>>>
>>
>
> --
> Thanks,
> Aditya Toshniwal
> pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
> <https://www.enterprisedb.com/;
> "Don't Complain about Heat, Plant a TREE"
>


Attachments:

  [image/png] Screenshot 2025-09-29 at 7.12.17 PM.png (138.4K, 3-Screenshot%202025-09-29%20at%207.12.17%E2%80%AFPM.png)
  download | view image

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected]
  Subject: Re: Regarding feature "Option to skip Password-Dialog for identity file"
  In-Reply-To: <CANxoLDfJCK34PWAz_Pu-zSPfXZHcRwvPFH+xBptTKPY8KPUEuA@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox