> -----Original Message-----
> From: Branko Čibej [mailto:brane_at_apache.org]
> Sent: Friday, 20 November 2015 20:03
> To: dev_at_subversion.apache.org
> Subject: Re: svn+ssh long-lived daemon
>
> On 20.11.2015 15:20, Mark Phippard wrote:
> > I've always felt the same, but now that I've used SSH more (with Git) I
> > kind of question it.
> >
> > Are HTTP client certs much better than passwords?
>
> Please ... SSL/TLS client certs. Just nitpicking to make sure we use
> correct terminology.
>
>
> > The cert itself still
> > has to be physically secured and if you protect the cert with a passphrase
> > then you have all of the same cache problems that passwords do.
>
> Yup.
>
> > With SSH there is infrastructure like ssh-agent that just does not exist
> > for HTTP.
>
> s/HTTP/TLS/ but otherwise, yes. Also with X509 certificates you force
> users to either rely on a 3rd-party authority or create self-signed
> certs, which are equivalent to SSH keypairs, just a lot more complicated
> to manage.
>
> IMO, it would be a better idea to integrate, e.g., libssh2
> directly into our code as an alternative to using an external SSH tool.
> I'm sure we could make long-term tunnel management work on the RA level.
I have a simple implementation of libssh2 as an optional ssh agent in SharpSvn, with session reuse at +- the libsvn_client_ctx_t level.
Works fine, but currently libssh2 still lacks a few of the more recently added cipher types of ssh, with shorter handshake times.
Bert
Received on 2015-11-20 22:07:52 CET