Avoid storing credentials for Cloud Remote Access

Hi,

when using cloud remote access, one has to store username/password.
If this is considered a security risk, how can the connection be configured without storing the username/password? Instead, the user should be prompted when starting a remote session.

Regards Christof

Hi Christof,

currently you have only the choice to provide credentials via user + pass, keys or certificates. They are securely stored and cannot be retrieved once stored (only changed). Also the ssh endpoints must not be externally available just internally where the agent is running, e.g. localhost on the gateway. What are the security concerns in detail?
Still this is a good idea and you can create a feature request here to add the “on request provided credentials” option to the remote access service.
https://cumulocityiot.ideas.aha.io/ideas?project=C8YCORE

The only option I see is to use the PASSTHROUGH option. So the client itself needs to take care of authentication. To use it you have to use the Cumulocity IoT Remote Access Local Proxy (GitHub: SoftwareAG/cumulocity-remote-access-local-proxy) and a client of your choice. It can also be an xterm.js running in a microservice which has an endpoint to retrieve the credentials on request, opens the remote access tunnel and connects to the ssh server using the provided credentials.

Regards
Stefan
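
A sketch of the "client of your choice" side of the PASSTHROUGH setup described above, added here as an example and not part of the original posts or of the local proxy project. It assumes the local proxy is already running and listening on 127.0.0.1:2222 (an assumed port), that the OpenSSH client is installed, and that device names such as `gw-01` are hypothetical.

```python
import getpass
import re
import subprocess
import sys

PROXY_HOST = "127.0.0.1"  # assumption: the local proxy listens on loopback only
PROXY_PORT = 2222         # assumption: port chosen when the local proxy was started

_SAFE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_ssh_argv(user, device, host=PROXY_HOST, port=PROXY_PORT):
    """Return an ssh command line that asks for the password at session start."""
    for label, value in (("user", user), ("device", device)):
        # Reject anything ssh could parse as an option or a shell-like token.
        if not _SAFE.fullmatch(value) or value.startswith("-"):
            raise ValueError(f"unsafe {label}: {value!r}")
    options = {
        # Interactive methods only: no key files and no agent are consulted.
        "PreferredAuthentications": "keyboard-interactive,password",
        "PubkeyAuthentication": "no",
        "IdentityAgent": "none",
        "NumberOfPasswordPrompts": "1",
        # Every device is reached through the same host:port, so key the
        # known_hosts entry on the device name instead of 127.0.0.1.
        "HostKeyAlias": device,
        "StrictHostKeyChecking": "ask",
        # No multiplexing socket that would outlive the prompted session.
        "ControlMaster": "no",
        "ControlPath": "none",
    }
    argv = ["ssh", "-p", str(port), "-l", user]
    for key, value in options.items():
        argv += ["-o", f"{key}={value}"]
    return argv + [host]


def main():
    device = input("Device name: ").strip()
    user = input("SSH user: ").strip() or getpass.getuser()
    # ssh itself prompts for the password on the terminal; it is never
    # written to disk or passed on the command line.
    return subprocess.call(build_ssh_argv(user, device))


if __name__ == "__main__":
    sys.exit(main())
```
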
