[MERGE][bug #183705] Update authentication docs regarding ssh agents.
John Arbash Meinel
john at arbash-meinel.com
Fri May 9 16:13:01 BST 2008
Vincent Ladeuil wrote:
| Doc-only patch.
|
| Vincent
|
|
+``FTP`` needs a (``user``, ``password``) to authenticate against a ``host``
+(``SFTP`` can use either password or host key to authenticate, but since ssh agents
+are a better and safer solution, we recommand their use and don't try to
+provide an alternative, less secure, way do to so).
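Review bot: The added parenthetical has two typos, "recommand" (recommend) and "way do to so" (way to do so), and it folds the whole SFTP explanation into a parenthesis hanging off the FTP sentence, which leaves that sentence hard to parse. Make the SFTP remark its own sentence and state directly that no ``password`` is read for it.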
``SFTP`` can use either a password or a host key to authenticate. However,
ssh agents are a better, more secure solution. So we have chosen to not provide
our own less secure method.
- - password=precious
+ # No pasword here, use ssh agents for providing either a password
+ # or a host key
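Review bot: The new comment misspells "password" as "pasword", and it says the agent is used for "providing either a password or a host key", which reads oddly next to the removal of the password line, since an ssh agent supplies keys rather than a password. Reword it to say that no password is configured here and that the key comes from the ssh agent.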
# We don't support supplying a password for sftp, consider using an ssh agent if
# you don't want to supply a password. (pageant, ssh-agent, etc)
+At company.com, the server hosting released and integration branches is behind
+a proxy, the two servers use different authentication policies::
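Review bot: The added sentence introduces "the server" (singular) and then refers to "the two servers" after a comma splice, so the reader cannot tell which two things have different policies. Name both explicitly and join the clauses with "and" or split them into two sentences.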
the server hosting release and integration branches is behind a proxy, and the
two branches use different authentication policies
(At least, assuming you are parameterizing by path, and not by host.)
@@ -195,7 +197,7 @@
~ host=dev.company.com
~ path=/dev/integration
~ user=user2
- - password=pass2
+ # No password since we use host keys
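Review bot: The replacement comment "No password since we use host keys" names a mechanism that nothing in the visible section configures, so the example does not show where the credential comes from. Either drop the comment or have it point at the ssh agent, using the same term for the key as the rest of the document.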
I would probably just leave the comment out.
Also, are these "host keys"? I thought that was something rsh had, where you
could set up 2 hosts to trust each other for all users. This seems a lot more
like per-user ssh keys. Since I can set up several keys to be trusted for just
my user, which has little to do with the hosts involved.
+comfort this specification aims to provide for all other schemes. Since ssh
+agents provide a safer way to secure the passwords, this specification restrict
+itself to providing ``user`` but never try to provide ``password``.
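Review bot: Subject and verb disagree in the last added sentence: "this specification restrict itself" and "never try" should be "restricts" and "never tries". The phrase "a safer way to secure the passwords" also sits awkwardly beside a rule that ``password`` is never provided; say that agents are the safer way to authenticate instead.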
this specification is restricted to providing ``user`` but does not provide
``password``.
BB:tweak
I believe these statements aren't strictly true without your other patch, since
we allow ssh passwords some-of-the-time (paramiko). Otherwise, with some minor
grammar fixes, they seem good.
John
=:->