From: Timothy Brownawell
Subject: Re: [Monotone-devel] encrypted netsync (was: merging in "serve raw 'automate stdio' over network")
Date: Sun, 18 Jan 2009 02:11:41 +0000

On Sat, 2009-01-17 at 19:44 -0600, Matthew Nicholson wrote:
> Timothy Brownawell wrote:
> >
> > I should also mention that I'm thinking we eventually want to move to
> > SSH2 for encryption/authentication (pending finding a good server-side
> > SSH2 library, there only seem to be client-only libraries available
> > now). This would let us only need to listen in one place for both
> > netsync and stdio (and whatever else we might come up with), and would
> > also mean not needing to keep our own authentication code or write our
> > own encryption code (I know I've seen requests for encrypted netsync).
> 
> Why ssh2 and not ssl/tls encryption?  Just curious.  I imagine ssl 
> libraries would be more prevalent. 

Because it didn't occur to me, probably because the main tls use I know
is authenticating the server (mostly I think of https) while we
also/mainly want to authenticate the client (which is what ssh is used
for). We'd need our own multiplexing, but that should be quite a lot
less work than pulling a library out of an ssh server.

>  And instead of relying on SSH for 
> authentication, we could add the option of using PAM for authentication 
> which is what SSH uses anyway.

No, probably better to keep using keys for that. I had been thinking ssh
pubkey authentication, but tls seems to allow for client certificates
which should be what we want.


-- 
Timothy

Free (experimental) public monotone hosting: http://mtn-host.prjek.net
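The arrangement Timothy sketches above (TLS with client certificates standing in for SSH public-key authentication, and one listener multiplexing netsync, stdio and whatever else) as an added, self-contained example. This is not monotone code and not from anyone in this thread; it is written in Go because its standard library covers the whole exchange offline. The CA name, the client identity "alice@example.test" and the "netsync"/"stdio" service labels are constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// mkCert issues a short-lived P-256 certificate for name: self-signed when
// parent is nil (the CA), otherwise signed by parent/parentKey.
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // server cert must verify for 127.0.0.1
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// pki is a constructed test CA plus one server and one client certificate (hypothetical fixture).
type pki struct{ pool *x509.CertPool; server, client tls.Certificate }

func newPKI(clientID string) (*pki, error) {
	ca, caKey, err := mkCert("netsync test CA", true, nil, nil)
	if err != nil { return nil, err }
	srv, srvKey, err := mkCert("127.0.0.1", false, ca, caKey)
	if err != nil { return nil, err }
	cli, cliKey, err := mkCert(clientID, false, ca, caKey)
	if err != nil { return nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &pki{pool, tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}, nil
}

// roundTrip runs one mutually authenticated connection. The server demands a
// client certificate chained to the CA, takes the identity from the verified
// chain (never from data the client sends), reads one line naming the service
// and replies "<service>: <identity>". Without a client certificate the
// handshake is refused and the client gets an error instead of a reply.
func roundTrip(p *pki, service string, withCert bool) (string, error) {
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{p.server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // authenticate the client, not only the server
		ClientCAs:    p.pool,
		MinVersion:   tls.VersionTLS12,
	}
	cliCfg := &tls.Config{RootCAs: p.pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	if withCert { cliCfg.Certificates = []tls.Certificate{p.client} }
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()
	go func() {
		raw, err := ln.Accept()
		if err != nil { return }
		conn := tls.Server(raw, srvCfg)
		defer conn.Close()
		if err := conn.Handshake(); err != nil { return } // e.g. "client didn't provide a certificate"
		who := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
		svc, err := bufio.NewReader(conn).ReadString('\n') // one listener, several services: first line picks one
		if err != nil { return }
		fmt.Fprintf(conn, "%s: %s\n", strings.TrimSpace(svc), who)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil { return "", err }
	defer conn.Close()
	fmt.Fprintf(conn, "%s\n", service)
	reply, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil { return "", err }
	return strings.TrimSpace(reply), nil
}

func main() {
	p, err := newPKI("alice@example.test")
	if err != nil { panic(err) }
	fmt.Println(roundTrip(p, "netsync", true)) // netsync: alice@example.test <nil>
	fmt.Println(roundTrip(p, "stdio", false))  // "" plus a handshake/alert error
}
```

The point the thread is circling is in ClientAuth: with RequireAndVerifyClientCert the server never sees an unauthenticated peer at the application layer, and the identity it acts on is the subject of a certificate that chained to its trusted CA, so no separate password or PAM path is needed. The multiplexing Timothy mentions having to write is the one-line service selector after the handshake; anything more (framing several streams on one connection) would still be the application's job.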