On 20 November 2015 at 22:02, Branko Čibej <brane_at_apache.org> wrote:
> On 20.11.2015 15:20, Mark Phippard wrote:
>> I've always felt the same, but now that I've used SSH more (with Git) I
>> kind of question it.
>>
>> Are HTTP client certs much better than passwords?
>
> Please ... SSL/TLS client certs. Just nitpicking to make sure we use
> correct terminology.
>
>
>> The cert itself still
>> has to be physically secured and if you protect the cert with a passphrase
>> then you have all of the same cache problems that passwords do.
>
> Yup.
>
>> With SSH there is infrastructure like ssh-agent that just does not exist
>> for HTTP.
>
> s/HTTP/TLS/ but otherwise, yes. Also with X509 certificates you force
> users to either rely on a 3rd-party authority or create self-signed
> certs, which are equivalent to SSH keypairs, just a lot more complicated
> to manage.
>
> IMO, it would be a better idea to integrate, e.g., libssh2
> directly into our code as an alternative to using an external SSH tool.
> I'm sure we could make long-term tunnel management work on the RA level.
>
As far as I understand Philip's goal to reuse the svnserve process on the
server, that means we would need an SSH protocol server-side
implementation in svnserve.
--
Ivan Zhakov
Received on 2015-11-20 22:31:53 CET