[PATCH] Teach Mercurial to handle URLs of the form *sh://host/path, such as
Pjotr Kourzanov
peter.kourzanov at xs4all.nl
Wed May 21 05:54:04 CDT 2008
What if you specifically need to use certain options for ssh (the
ssh), such as -1 or -2 or whatever. Isnt't it just easier to create a
wrapper called ssh1 or ssh2 and just use e.g., ssh1://host/path? What
if you need to push/pull to/from sites that accept only ssh1 or ssh2?
Do you want to constantly change your ui.ssh config or complicate the
command line with -e?
My stake in this patch is that in a large project/organization, you
can simply start using a krb5-rsh:// URLs and it will just work, while
without it, you'd have to globally change out-of-the box configuration
of Mercurial such that everyone uses ui.ssh=krb5-rsh. Oh yes, don't tell
me the story of SSH public keys dispersal through a large company. It's
just so much simpler with Kerberos - do a /usr/bin/kinit once and you're
authenticated - no need for any public key transfers...
OK, here I stop and simply wonder why such a small and useful
generalization is so difficult to get in... After all, it changes
nothing in your story of rsh - you can still specify ui.ssh=rsh and have
people wonder why is the ssh://host/path a huge security problem...
http://www.selenic.com/pipermail/mercurial-devel/2008-May/006225.html
On Tue, 2008-05-20 at 19:10 -0500, Matt Mackall wrote:
> On Tue, 2008-05-20 at 22:56 +0200, peter.kourzanov at xs4all.nl wrote:
> > Matt,
> >
> > There is krb5-rsh, which is as secure as Kerberos is.
>
> In theory. In practice, it's quite likely that the rsh upon which
> krb5-rsh is built has numerous security holes that no one's bothered
> looking for because sensible people all did s/rsh/ssh/ a decade ago.
>
> > Heck,
> > there is even ssh-krb5 support...
> >
> > So, why do you say rsh is not supported? It works for me...
>
> It's not supported in the sense that if someone says "hey, I used rsh to
> push and someone broke into my system", and I say "why the hell did you
> think that was a good idea?" they don't get to say "I'm an idiot and it
> was in the manpage". Because rsh is NOT going to be in the manpage. And
> if it's not in the manpage, there's no point of having any special
> support for it in the code beyond the generic --ssh functionality.
>
> I can see that using krb5-rsh and ssh targets with the same repo is
> going to be slightly annoying, but if you must use Kerberos, you should
> be using it with ssh anyway. At which point it becomes entirely an ssh
> config issue and hg is out of the picture.
>
More information about the Mercurial-devel
mailing list