Provide built-in TLS/SSH security (instead of just SSH tunneling) #10
Comments
Hey, thanks for the question. Glad to hear you like mirror so far; interesting about the new unison options, I had not seen that.

For security, there are two options; one is what you mentioned, which is just SSH tunneling. This already works and the incantations are here: https://github.com/stephenh/mirror#secure-communication

That's what I'd recommend. It does add an extra step each time to boot up mirror, e.g. remember to make sure your tunnel is started.

Technically grpc-java can do fancier SSL-based auth, which in theory would be 100% transparent to mirror (just changing a few lines of grpc-java setup on the client/server side), but the user setup is not straightforward, e.g. it involves generating key pairs, etc.: https://github.com/grpc/grpc-java/blob/master/SECURITY.md#tls-with-openssl

At which point I'm not sure the complexity is worth it vs. just using tunneling which everyone probably already has keys/etc. for.

Granted, if you did go the grpc-java/TLS approach, then you wouldn't have to do the "remember to start a tunnel" each time, so it would probably pay off in terms of ease-of-usability in the long-term.

I've not actually tried the grpc-java/TLS approach (I've always been on LANs/VPNs with mirror so security was already there); if you wanted to do a spike on it and submit a PR with the code + command line options + README instructions, I'd definitely accept it. :-)

I'll reopen this and leave it as "provide built-in security" vs SSH tunneling.
Hi there. First of all: thanks for the work you put into this. I have been looking for viable solutions to the same problems you face and the performance of `mirror` is pretty great. Also for remote connections.

Nevertheless, have you tried xpra instead of x-forwarding? I could imagine that for a local setup this works rather well. On remote it can also be quite laggy. And for the unison not being real time part: It now ships with unison-fswatch and has the option `repeat=watch`. However, it does take longer to pick up the changes than mirror (at least in my simple test).

My actual question: Is there any means of authenticating a client / securing the server? I did not see any option for that, so I can only think of VPN or ssh tunneling for now. This of course does involve some extra setup and it would be nice to have an out-of-the-box solution for mirror. What are your thoughts about that?
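
The "generating key pairs" setup that the maintainer's reply mentions for the TLS route, sketched as an added example that is not part of this thread or of mirror's code: a private CA issues one server and one client certificate, so each side can authenticate the other. All file names, common names and the DNS name are assumptions, and nothing here configures mirror or grpc-java itself.

```shell
#!/usr/bin/env bash
# Added example: private CA plus server and client certificates for mutual TLS.
# File names, CNs and the DNS name are assumptions; nothing here is a mirror option.
set -eu

write_config() {  # write_config <dir> <server-dns-name>
  mkdir -p "$1"
  cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

new_key() {  # unencrypted PKCS#8 RSA key ("BEGIN PRIVATE KEY")
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

make_ca() {  # make_ca <dir> <common-name>
  new_key "$1/ca.key"
  openssl req -x509 -new -key "$1/ca.key" -days 365 -subj "/CN=$2" \
    -config "$1/pki.cnf" -extensions ca_ext -out "$1/ca.pem"
}

issue_cert() {  # issue_cert <dir> <name> <common-name> <server_ext|client_ext>
  new_key "$1/$2.key"
  openssl req -new -key "$1/$2.key" -subj "/CN=$3" -config "$1/pki.cnf" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -days 90 -extfile "$1/pki.cnf" -extensions "$4" -out "$1/$2.pem" 2>/dev/null
}

# Succeeds only if the cert chains to this CA and carries the right purpose.
check_cert() {  # check_cert <ca.pem> <cert.pem> <sslserver|sslclient>
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}
```

Run `write_config`, then `make_ca`, then `issue_cert` once per side; `ca.key` stays off both machines, and `check_cert` confirms that a client certificate is not accepted in the server role and that a certificate from any other CA is rejected.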