subversion-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Branko ─îibej <br...@apache.org>
Subject Re: svn+ssh long-lived daemon
Date Fri, 20 Nov 2015 19:02:35 GMT
On 20.11.2015 15:20, Mark Phippard wrote:
> I've always felt the same, but now that I've used SSH more (with Git) I
> kind of question it.
>
> Are HTTP client certs much better than passwords?

Please ... SSL/TLS client certs. Just nitpicking to make sure we use
correct terminology.


>   The cert itself still
> has to be physically secured and if you protect the cert with a passphrase
> then you have all of the same cache problems that passwords do.

Yup.

> With SSH there is infrastructure like ssh-agent that just does not exist
> for HTTP.

s/HTTP/TLS/ but otherwise, yes. Also with X509 certificates you force
users to either rely on a 3rd-party authority or create self-signed
certs, which are equivalent to SSH keypairs, just a lot more complicated
to manage.

It's, IMO, it would be a better idea to integrate, e.g., libssh2
directly into our code as an alternative to using an external SSH tool.
I'm sure we could make long-term tunnel management work on the RA level.

-- Brane

> On Fri, Nov 20, 2015 at 9:16 AM, Bert Huijben <bert@qqmail.nl> wrote:
>
>> With the right tooling both operations should be equivalent. Perhaps it is
>> easier to spend time on that.
>>
>>
>>
>> Bert
>>
>>
>>
>> Sent from Outlook Mail <http://go.microsoft.com/fwlink/?LinkId=550987>
>> for Windows 10 phone
>>
>>
>>
>>
>>
>>
>> *From: *Philip Martin
>> *Sent: *vrijdag 20 november 2015 12:21
>> *To: *Ivan Zhakov
>> *Cc: *Daniel Shahaf;dev@subversion.apache.org
>> *Subject: *Re: svn+ssh long-lived daemon
>>
>>
>>
>>
>>
>> Ivan Zhakov <ivan@visualsvn.com> writes:
>>
>>
>>
>>> 5. HTTPS authentication using client certificates
>>
>>
>> Client certificates are a possibility.  There are some drawbacks: the
>>
>> signing authority has to be maintained, revoking a certificate is more
>>
>> complicated than removing a key from the authorized_keys file.
>>
>>
>>
>> --
>>
>> Philip Martin
>>
>> WANdisco
>>
>>
>>
>>
>>
>
>


Mime
View raw message