
Re: svn+ssh long-lived daemon

From: Branko Čibej <brane_at_apache.org>
Date: Fri, 20 Nov 2015 20:02:35 +0100

On 20.11.2015 15:20, Mark Phippard wrote:
> I've always felt the same, but now that I've used SSH more (with Git) I
> kind of question it.
>
> Are HTTP client certs much better than passwords?

Please ... SSL/TLS client certs. Just nitpicking to make sure we use
correct terminology.

> The cert itself still
> has to be physically secured and if you protect the cert with a passphrase
> then you have all of the same cache problems that passwords do.

Yup.

> With SSH there is infrastructure like ssh-agent that just does not exist
> for HTTP.

s/HTTP/TLS/ but otherwise, yes. Also with X509 certificates you force
users to either rely on a 3rd-party authority or create self-signed
certs, which are equivalent to SSH keypairs, just a lot more complicated
to manage.

IMO, it would be a better idea to integrate, e.g., libssh2
directly into our code as an alternative to using an external SSH tool.
I'm sure we could make long-term tunnel management work on the RA level.

-- Brane

> On Fri, Nov 20, 2015 at 9:16 AM, Bert Huijben <bert_at_qqmail.nl> wrote:
>
>> With the right tooling both operations should be equivalent. Perhaps it is
>> easier to spend time on that.
>>
>> Bert
>>
>> *From: *Philip Martin
>> *Sent: *Friday, 20 November 2015 12:21
>> *To: *Ivan Zhakov
>> *Cc: *Daniel Shahaf;dev_at_subversion.apache.org
>> *Subject: *Re: svn+ssh long-lived daemon
>>
>> Ivan Zhakov <ivan_at_visualsvn.com> writes:
>>
>>> 5. HTTPS authentication using client certificates
>>
>> Client certificates are a possibility. There are some drawbacks: the
>> signing authority has to be maintained, revoking a certificate is more
>> complicated than removing a key from the authorized_keys file.
>>
>> --
>> Philip Martin
>> WANdisco
Received on 2015-11-20 20:02:40 CET

This is an archived mail posted to the Subversion Dev mailing list.