Re: [RFC 0/2] Git-over-TLS (gits://) client side support

On Wed, Jan 13, 2010 at 03:12:18PM +0100, Andreas Krey wrote:
> On Wed, 13 Jan 2010 15:57:53 +0000, Ilari Liusvaara wrote:
> ...
> > And one would need custom daemon anyway even if one used stunnel. 
> > git-daemon just can't deal with authentication data.
> 
> It doesn't need to, really. stunnel sets the environment variable
> SSL_CLIENT_DN with the distinguished name of the client certificate,
> which can be used in the hook scripts ('update') on the server.

That would be useless. Data about the authenticated client needs to be fed to
authorization decisions already before invoking git.

And besides: Gits:// uses certificates as keypairs, which would make DN
data absolutely useless because it is untrustworthy. And adding PKI
is way too complicated.

> (I looked into that stuff once, but with the advent of smart-http(s)
> I pretty much lost any interest to try implementing gits:// via
> openssl here, as it isn't yet an actual itch.)

The authentication support for smart-http seems pretty bad (making the
old mistake of not binding authentications). Of course, the same tricks
as gits:// uses would work with https:// (it's all TLS-level stuff), but
no server or client does that.

-Ilari
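As an added illustration of the point argued in this thread (not code from the thread, from git or from stunnel): a gate that stunnel would exec in place of git-daemon, so the authorization decision is taken from the client certificate before git is ever invoked. The SSL_CLIENT_DN variable is the one Andreas mentions; the ACL layout, the DN values and the pkt-line handling are my assumptions, and the DN check is only meaningful when stunnel has verified the client certificate against a trusted CA.

```python
import os
import sys

# Constructed ACL: repository path -> client certificate DNs allowed to fetch.
# With bare self-signed keypairs (the gits:// model) the DN is chosen by the
# client and must NOT be used for authorization; key on the public key instead.
ACL = {
    "/pub/project.git": {"/CN=alice", "/CN=ci-runner"},
}


def parse_request(pkt: bytes):
    """Parse the first git pkt-line, e.g. b'0032git-upload-pack /r\\0host=h\\0'.
    Returns (service, repo_path); raises ValueError on a malformed line."""
    if len(pkt) < 4:
        raise ValueError("short pkt-line")
    length = int(pkt[:4], 16)
    if length < 4 or length > len(pkt):
        raise ValueError("bad pkt-line length")
    body = pkt[4:length].split(b"\0")[0]  # drop host= and later extensions
    service, _, repo = body.partition(b" ")
    if service != b"git-upload-pack" or not repo.startswith(b"/"):
        raise ValueError("unsupported service or path")
    return service.decode(), repo.decode()


def authorize(client_dn, repo, acl=ACL):
    """Deny unless the DN stunnel presented is on this repo's allow-list.
    Because only exact ACL keys pass, git is never exec'd on a client path."""
    if not client_dn:
        return False
    return client_dn in acl.get(repo, set())


def read_exact(fd, n):
    """Read exactly n bytes with os.read so nothing past the pkt-line is consumed."""
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            raise ValueError("unexpected EOF")
        buf += chunk
    return buf


def main():
    head = read_exact(0, 4)
    service, repo = parse_request(head + read_exact(0, int(head, 16) - 4))
    if not authorize(os.environ.get("SSL_CLIENT_DN"), repo):
        sys.exit("access denied")
    # Decision made; only now hand the decrypted stream to git (assumed flag).
    os.execvp("git", ["git", "upload-pack", "--strict", repo])


if __name__ == "__main__":
    main()
```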