Open domtra opened 6 years ago
Hey, thanks for the question. Glad to hear you like mirror so far; interesting about the new unison options, I had not seen that.
For security, there are two options; one is what you mentioned, which is just SSH tunneling. This already works and the incantations are here:
https://github.com/stephenh/mirror#secure-communication
That's what I'd recommend. It does add an extra step each time to boot up mirror, e.g. remember to make sure your tunnel is started.
Technically grpc-java can do fancier SSL-based auth, which in theory would be 100% transparent to mirror (just changing a few lines of grpc-java setup on the client/server side), but the user setup is not straight forward, e.g. it involves generating key pairs, etc.:
https://github.com/grpc/grpc-java/blob/master/SECURITY.md#tls-with-openssl
At which point I'm not sure the complexity is worth it vs. just using tunneling which everyone probably already has keys/etc. for.
Granted, if you did go the grpc-java/TLS approach, then you wouldn't have to do the "remember to start a tunnel" each time, so it would probably pay off in terms of ease-of-usability in the long-term.
I've not actually tried the grpc-java/TLS approach (I've always been on LANs/VPNs with mirror so security was already there); if you wanted to do a spike on it and submit a PR with the code + command line options + README instructions, I'd definitely accept it. :-)
I'll reopen this and leave it as "provide built-in security" vs SSH tunneling.
Hi there. First of all: thanks for the work you put into this. I have been looking for viable solutions to the same problems you face and the performance of
mirror
is pretty great. Also for remote connections.Nevertheless, have you tried xpra instead of x-forwarding? I could imagine that for a local setup this works rather well. On remote it can also be quite laggy. And for the unison not being real time part: It now ships with unison-fswatch and has the options
repeat=watch
. However, it does take longer to pick up the changes that mirror (at least in my simple test).My actual question: Is there any means of authenticating a client / securing the server? I did not see any option for that, so I can only think of VPN or ssh tunneling for now. This of course does involve some extra setup and it would be nice to have an out-of-the-box solution for mirror. What are your thoughts about that?