Password protection

By default, the password stored in flhcli.xml is encrypted. An encrypted password can be recognized by the string ENC at the very beginning of the inner text of the <password> element. For debugging purposes it is also possible to store the password in plain text, but this must be done by manually editing the flhcli.xml file.

The encryption key is derived from information unique to the currently running operating system. That means it is impossible to decrypt the password from the encrypted string alone, without access to other information about the computer. However, this also means that flhcli.xml cannot simply be copied from one computer to another.

In environments with increased security requirements, the password from flhcli.xml can be ignored and requested again every time the application starts. This is achieved with the --ask-password global parameter.

Access profile

The application can connect as whatever user is specified in the flhcli.xml file for the device, but this user must have the super_admin access profile. With any other profile (even prof_admin), most of the commands will not work correctly.

Session transcripts

It is possible to store all SSH session input and output in the original format, either for troubleshooting or to validate the real commands used by this utility. This is enabled with the transcripts element in the flhcli.xml file, which specifies the directory where session transcripts will be stored. When the config file is created with the setup command, it automatically offers the system temporary directory.

Warning: Because the setup command sets the default parallel connections limit to 4, there can be up to 4 files "active" at the same time. This is because each file dumps exactly one session. It is also possible that the SSH connection breaks or is shut down by the idle timer during command execution, in which case a new transcript file will be created.

Format

The file contains JSON entries (one per line) with the timestamp, direction and SSH data. The SSH data part is compressed using gzip and encoded in base64 format.

Because it is uncomfortable to read the entries directly, flhcli has a logs command that accepts one or more such transcript files as parameters and displays them the same way they would appear on the SSH terminal if the commands were executed by a human.

If more than one transcript file is specified, the logs command also shows all commands in the order in which they were really executed.

It also uses colorization to distinguish directions, which might be problematic when processing the output with other programs; therefore it can be disabled with the --no-colors global flhcli parameter.
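
The following is an added example, not code from flhcli: a stand-alone Python decoder for the transcript format described above that merges several transcript files by timestamp and skips lines damaged by a broken session. The JSON key names ("timestamp", "direction", "data"), the numeric timestamps and the "in"/"out" direction values are assumptions, since this page does not specify them; the sample entries are constructed.

```python
import base64
import gzip
import json
import zlib

# Assumed key names; the page does not name them. Adjust to the real keys.
TS_KEY, DIR_KEY, DATA_KEY = "timestamp", "direction", "data"

def encode_entry(ts, direction, raw):
    """Build one transcript line in the assumed layout (for sample data only)."""
    blob = base64.b64encode(gzip.compress(raw)).decode("ascii")
    return json.dumps({TS_KEY: ts, DIR_KEY: direction, DATA_KEY: blob})

def decode_line(line):
    """Return (timestamp, direction, bytes) for one JSON line, or None if damaged."""
    try:
        entry = json.loads(line)
        raw = gzip.decompress(base64.b64decode(entry[DATA_KEY], validate=True))
        return entry[TS_KEY], entry[DIR_KEY], raw
    except (ValueError, KeyError, TypeError, OSError, EOFError, zlib.error):
        return None  # e.g. a line cut short when the session broke

def merge_transcripts(transcripts):
    """Decode several transcripts (lists of lines) and order entries by time."""
    entries, skipped = [], 0
    for lines in transcripts:
        for line in lines:
            if not line.strip():
                continue
            decoded = decode_line(line)
            if decoded is None:
                skipped += 1
            else:
                entries.append(decoded)
    entries.sort(key=lambda e: e[0])  # stable sort keeps per-file order on ties
    return entries, skipped

# Constructed sample data: two parallel sessions plus one truncated line.
SESSION_A = [encode_entry(1.0, "out", b"sample command 1\n"),
             encode_entry(3.0, "in", b"sample reply 1\n")]
SESSION_B = [encode_entry(2.0, "out", b"sample command 2\n"),
             '{"timestamp": 4.0, "direction": "in", "data": "H4sI']

if __name__ == "__main__":
    merged, bad = merge_transcripts([SESSION_A, SESSION_B])
    for ts, direction, raw in merged:
        print(ts, direction, raw.decode("utf-8", "replace").rstrip())
    print("skipped damaged lines:", bad)
```
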