On Fri, Jul 20, 2012 at 02:10:05PM -0700, TSU wrote: > Yesterday I observed on the Git IRC a conversation that SSH keys were not > required for SSL sessions( would have responded if my Freednode account > wasn't having problems). > > Aside from the fact (AFAIK) github only supports SSH for key testing and > nothing else, I was under the impression these same keys are re-used for > authenticating SSL sessions as well, implementing a kind of 2-factor > authentication (SSL keys to prove your machine, username/password to prove > your human identity). > > Are SSH keys required or not for SSL connections? I don't quite understand the question, but let's just try some things clear -- maybe this will help you.
First, SSH and SSL have nothing in common except for the word [S]ecure and the naturally following fact they secure something (SSH secures the [SH]ell access and SSL secures the [S]ocket [L]ayer). These are completely disjoint protocols invented for differing needs. These protocols also use different approach for what you call "keys". SSH uses "shallow" approach to keys: a client generates a pair of keys -- one public and one private, -- then transfers the public part to the server and adds it to an *explicit* list of trusted keys. Hence the server either trusts that key or not; nothing else. The client actually does the similar thing by checking the server's key's fingerprint to see if it's known and trusted. SSL uses hierarchical approach to its "keys", which it calls "certificates": this stuff involves certification authotities (CAs) and trust chains they create. The whole topic is too deep to cover here but the end result is that usually either side or both explicitly trust some CA, and through this fact they tust each other. In either case, the wire format of the keys used by these protocols and the semantics of their usage is different. One last thing to note is that while SSL/TLS is based solely around those X.509 certificates, SSH defines various methods for authentication of the client to the server: besides the "pubkey" method we've just discussed, it supports the very popular "keyboard interactive" method, Kerberos authentication and GSSAPI (SSPI in Microsoft lingo) which can also do Kerberos. So no, the same keys can't be used for both SSL and SSH. As to github, I think they implement two modes: 1) SSH keys are used to access the repo via SSH. You associate your SSH key with your github account and so when you're trying to authenticate the next time, Git knows who you are from your key. 2) SSL is used to simply encrypt the conversation with the server, and then HTTP (which tunnelled over SSL) uses simple password-based authentication method called "basic" to verify your identity. See https://github.com/blog/642-smart-http-support for hints on this. -- You received this message because you are subscribed to the Google Groups "Git for human beings" group. To post to this group, send email to email@example.com. To unsubscribe from this group, send email to git-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/git-users?hl=en.