Provide built-in TLS/SSH security (instead of just SSH tunneling)

[domtra]

Hi there. First of all: thanks for the work you put into this. I have been looking for viable solutions to the same problems you face and the performance of mirror is pretty great. Also for remote connections.

Nevertheless, have you tried xpra instead of x-forwarding? I could imagine that for a local setup this works rather well. On remote it can also be quite laggy. And for the unison not being real time part: It now ships with unison-fswatch and has the options repeat=watch. However, it does take longer to pick up the changes that mirror (at least in my simple test).

My actual question: Is there any means of authenticating a client / securing the server? I did not see any option for that, so I can only think of VPN or ssh tunneling for now. This of course does involve some extra setup and it would be nice to have an out-of-the-box solution for mirror. What are your thoughts about that?

[stephenh]

Hey, thanks for the question. Glad to hear you like mirror so far; interesting about the new unison options, I had not seen that.

For security, there are two options; one is what you mentioned, which is just SSH tunneling. This already works and the incantations are here:

https://github.com/stephenh/mirror#secure-communication

That's what I'd recommend. It does add an extra step each time to boot up mirror, e.g. remember to make sure your tunnel is started.

Technically grpc-java can do fancier SSL-based auth, which in theory would be 100% transparent to mirror (just changing a few lines of grpc-java setup on the client/server side), but the user setup is not straight forward, e.g. it involves generating key pairs, etc.:

https://github.com/grpc/grpc-java/blob/master/SECURITY.md#tls-with-openssl

At which point I'm not sure the complexity is worth it vs. just using tunneling which everyone probably already has keys/etc. for.

Granted, if you did go the grpc-java/TLS approach, then you wouldn't have to do the "remember to start a tunnel" each time, so it would probably pay off in terms of ease-of-usability in the long-term.

I've not actually tried the grpc-java/TLS approach (I've always been on LANs/VPNs with mirror so security was already there); if you wanted to do a spike on it and submit a PR with the code + command line options + README instructions, I'd definitely accept it. :-)

[stephenh]

I'll reopen this and leave it as "provide built-in security" vs SSH tunneling.