subversion-dev mailing list archives

From "Bert Huijben" <b...@qqmail.nl>
Subject RE: svn+ssh long-lived daemon
Date Fri, 20 Nov 2015 21:07:37 GMT


> -----Original Message-----
> From: Branko Čibej [mailto:brane@apache.org]
> Sent: Friday 20 November 2015 20:03
> To: dev@subversion.apache.org
> Subject: Re: svn+ssh long-lived daemon
> 
> On 20.11.2015 15:20, Mark Phippard wrote:
> > I've always felt the same, but now that I've used SSH more (with Git) I
> > kind of question it.
> >
> > Are HTTP client certs much better than passwords?
> 
> Please ... SSL/TLS client certs. Just nitpicking to make sure we use
> correct terminology.
> 
> 
> >   The cert itself still
> > has to be physically secured and if you protect the cert with a passphrase
> > then you have all of the same cache problems that passwords do.
> 
> Yup.
> 
> > With SSH there is infrastructure like ssh-agent that just does not exist
> > for HTTP.
> 
> s/HTTP/TLS/ but otherwise, yes. Also with X509 certificates you force
> users to either rely on a 3rd-party authority or create self-signed
> certs, which are equivalent to SSH keypairs, just a lot more complicated
> to manage.
> 
> IMO, it would be a better idea to integrate, e.g., libssh2
> directly into our code as an alternative to using an external SSH tool.
> I'm sure we could make long-term tunnel management work on the RA level.

I have a simple implementation of libssh2 as optional ssh agent in SharpSvn, with session
reuse at +- the libsvn_client_ctx_t level.

Works fine, but currently libssh2 still lacks a few of the more recently added cypher types
of ssh, with shorter handshake times.

	Bert


