gabrielcsapo / node-git-server

🎡 A configurable git server written in Node.js
https://gabrielcsapo.github.io/node-git-server
MIT License
253 stars 73 forks

Fetch/Push through SSH #50

Open cgilly2fast opened 5 years ago

cgilly2fast commented 5 years ago

Is there a way with the current code to SSH into the git server instead of http/https? I am just thinking about how GitHub authenticates users when they push/fetch. Let me know if I can help in any way.

gabrielcsapo commented 5 years ago

Looking into this a bit more, GitHub is against using the ssh method as it is not as secure as https. Looking at how to support this without adding too much bloat, like an entire ssh library to handle this use case.

plunkettscott commented 5 years ago

Do you have anything showing that SSH is more insecure than HTTPS? I think GitHub recommends HTTPS simply because it is easier for people to get started with, not because of a security concern. If it was truly insecure they probably wouldn’t offer it as an option at all.

gabrielcsapo commented 4 years ago

@plunkettscott https://help.github.com/en/github/using-git/which-remote-url-should-i-use https is the more resilient, it seems. ssh is still a valid push mechanism, looking into adding this.

axkibe commented 1 year ago

At the risk of being brisk. I recently created a Node.js-based git server (similar to node-git-server) that has an SSH server integrated: https://gitlab.com/csc1/gitengine along with https and lfs.

I'm using this great library for this, it might help you: https://github.com/mscdex/ssh2

BTW: I don't think that SSH is in any way more (in)secure than SSL (the encryption behind https). Generally this depends more on the ciphers used, of which both protocols offer a variety, and default configurations are usually limited to those considered secure.

The main difference is that SSL is a hierarchical system -- you have certificate authorities which you trust, which then sign other webpage certificates, while with SSH you trust a server (and maybe check the fingerprint) and that's it. (And of course traditionally SSL is used for https and SSH for remote shell, but technically this wouldn't need to be the case.)
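
The trust model described in the last comment, as an added example (not code from this thread, node-git-server or gitengine): with no certificate authority to consult, an SSH client pins the server's host key fingerprint on first contact and compares it on every later connection. The key bytes, the host name `git.example.test` and all function names are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// SSH wire-format "string": 4-byte big-endian length followed by the bytes (RFC 4251).
function sshString(buf) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(buf.length);
  return Buffer.concat([len, buf]);
}

// Public key blob for an ssh-ed25519 host key: algorithm name + 32 raw key bytes.
function ed25519Blob(rawKey) {
  return Buffer.concat([sshString(Buffer.from('ssh-ed25519')), sshString(rawKey)]);
}

// OpenSSH-style fingerprint: "SHA256:" + unpadded base64 of SHA-256 over the blob.
function fingerprint(blob) {
  const digest = nodeCrypto.createHash('sha256').update(blob).digest('base64');
  return 'SHA256:' + digest.replace(/=+$/, '');
}

// Trust on first use: pin an unknown host, compare a known one.
// A mismatch never overwrites the pin; replacing it must be an explicit operator action.
function checkHostKey(pins, host, blob) {
  const fp = fingerprint(blob);
  const pinned = pins.get(host);
  if (pinned === undefined) {
    pins.set(host, fp);
    return 'first-use';
  }
  return pinned === fp ? 'match' : 'mismatch';
}

// Constructed sample keys (fixed filler bytes, not real host keys).
const keyA = ed25519Blob(Buffer.alloc(32, 0x07));
const keyB = ed25519Blob(Buffer.alloc(32, 0x09));

function demo() {
  const pins = new Map();
  const host = 'git.example.test';
  return [
    checkHostKey(pins, host, keyA), // first contact: pinned
    checkHostKey(pins, host, keyA), // same key: accepted
    checkHostKey(pins, host, keyB), // different key: refuse the connection
    checkHostKey(pins, host, keyA), // pin unchanged after the mismatch
  ];
}
```

The `first-use` result is the weak point of this model: that first fingerprint should be compared against a value obtained out of band, which is the step a CA signature replaces in TLS.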