Note that `ssh git.charm.sh` is a serious privacy and security hazard: it will leak your local user name and the public keys for any keys you can authenticate with (enough to e.g. identify your GitHub account), and if you have ForwardAgent on (convenient but dangerous—if you use it, look into ProxyJump instead) it will allow the remote machine to impersonate you (e.g. push to any GitHub repository you can push to).
I recommend using an invocation like this instead when testing things like this; I think it’s enough (but welcome correction):
ssh -o PubkeyAuthentication=no -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -a nobody@git.charm.sh
in the ideal, yes. but it wasn’t long ago (start of covid really) that i kept my personal and work ssh keys under the same profile. both of those alone are “public”, but that they correspond to the same identity perhaps ought not to be.
yeah, there are better ways to manage separate identities (separate users, VMs, VPNs)… and reminding people that `ssh host-name` can reveal all your ssh keys is a good way to push people toward those better solutions! :)
You may reasonably not care, but it’s also reasonable to care.
It’s not about them being public, it’s about announcing them. For me, running `ssh git.charm.sh` would have SSH essentially say “hi, I’m chris-morgan on GitHub (and here’s cryptographic proof)” as part of connecting. That’s a huge privacy leak. It’s disclosing all your identities automatically, including perhaps that you work for ACME Corporation, and isn’t that a valuable tid-bit for social engineering attacks, when you take all these things together.
(I think it’s worth noting of your pithy line that the two words spelled “public” are homonyms, not at all the same. The first one I might call cryptographic-public, and the second socially-public. There’s no need to share a (cryptographic-)public key (socially-)publicly, and doing so can be actively undesirable.)
As a matter of connecting it’s announcing that I’m user bart.riepe. It’s not a big leap from there to figuring out who I am.
A public key (to me) is public in the same sense that a client secret is public. You don’t have to advertise it to everyone, but if anybody finds it they can’t do anything bad with it (except confirm you are the person that has the private key).
This isn’t a technical security vulnerability, because the cryptography is sound.
But it is an information disclosure vulnerability, because it didn’t need to disclose your identity, and the typical user will not expect it to disclose all their identities.
And the information that is disclosed opens heavy social vulnerabilities, because your activity can now be perfectly correlated with who you are, by an untrusted party.
This is information that businesses put huge amounts of effort into attempting to do on the web, because it can be quite valuable (sometimes absurdly so). And SSH defaults to just giving them exactly what they want so they don’t even have to work for it.
Do you feel the same way about GitHub/GitLab... because Git works over SSH and anytime you clone anything over the SSH protocol your public keys are sent to the server. Same thing with SSHing into AWS, Google Cloud, Azure consoles. I don't think exposing your public key has ever been an issue for most people, and for those that it is, they can configure SSH access as you have in your parent comments.
That’s where you’re actually using it for authentication, for which there is obviously no alternative, and you also trust the party in question. The “demo over SSH” thing is not like that.
If you clone a public repo, this exact SSH flow happens on the GitHub servers, same with any other Git server running the SSH protocol. The OP is a git server just like that, so I don't see why it would be an issue here but not elsewhere.
When in a browser you connect to https://github.com, it sends your session cookie so the server knows who you are. Well and good. What it doesn’t do is send any of that to any other server; if example.com wants to know (and prove) your GitHub username, you have to go through an OAuth flow where you explicitly grant permission for sharing these details.
By contrast, the OpenSSH remote login client (`ssh`) defaults to leaking this potentially-sensitive information. It shares all your keys, when you probably actually want to share zero or one of them.
> It shares all your keys, when you probably actually want to share zero or one of them.
Is that true though? When I connect to a server I generally want ssh to connect with _any_ of the keys that are currently in my agent. For that to happen the server needs to check if I’m allowed to connect with each of them, therefore I have to send that information to the server.
I guess SSH could default to asking me which key I want to connect with and then store that info afterwards?
If I wanted it to connect using only a specific key for that host (or pattern), I’d specify that in my ssh config.
> I guess SSH could default to asking me which key I want to connect with and then store that info afterwards?
Exactly. When you consider that it already does this sort of thing for host keys, it’s really a pretty obvious way to plug the information disclosure vulnerability.
Misconfiguration, or lack of understanding of what the agent does and how it works.
It's not always clear the inheritance priority of directives with wildcards in ssh_config or .ssh/config. I think it's the opposite of what one might assume is the default, if I recall correctly.
I’m not sure, connecting to an unknown server and giving that remote session the same abilities as my local PC has always seemed like a bad idea to me.
I guess you could misconfigure it, but it’s one of those things where I’d painstaking ensure I set it up correct because doing it wrong is not an option.
The last part of your reply is extremely condescending and an absolutely unnecessary ad hominem attack.
People have been conscious about publishing their raw email address for ages be a use it attracts all kinds of bad actors, from spambots to outright scammers impersonating somebody else for social engineering. Publishing your social circle involuntarily can be something people actually do not want but are unaware that this is happening.
I think you may have misunderstood the privacy hazard I’m talking about. `ssh git.charm.sh` leaks your SSH identities, which is akin to announcing “Hi, I’m gauntletwizard on GitHub” (and quite possibly “I work for ACME Corporation”) by merely connecting, which is not something people are generally aware of or expect (that’s why I pointed it out). This allows for perfect tracking, and such tracking can easily support various nefarious actions. By contrast, HTTP only allows comparatively generic fingerprinting via things like your IP address and user agent characteristics, though certainly in some circumstances it can be possible to identify a user uniquely from these—but you’ll have to work at least a bit for it. More generally, over HTTP if someone wants to know that you’re gauntletwizard on GitHub, they’ll have to go via a GitHub OAuth flow, where you get told they want to know your account name, public email address, whatever, and you get to decide whether to allow this.
I love days like today, $SYSTEM goes down, then we get a thread about $ALTERNATIVES, and now posts about $ALTERNATIVE[X].
I like the look of this and the other stuff from the folks behind it, but I'm curious if anyone is using it "for real." I would love to use this over others with web UIs, but at this point I am also in the market for Git+Actions-analog, which Gitea and Drone (and now just Gitea) fill on their own. Am I missing the mark on this tool's use case, or is it not just to the place where it can do such things yet.
Soft-serve is not really an alternative to GitHub, unless you literally only use GitHub for the git functionality itself, but then you could just use any Linux server + openssh + git to get basically the same functionality. But I see people tend to use GitHub for much more than just Git, for better or worse.
If you actually want a github alternative, use gitlab. Can't speak to the web experience, but self hosted is miles better than any of the alternatives. I found gitea to be fairly lacking.
Self-host is the right term. They install and host their OS or software themselves on a VPS, NOT a homeserver or VM. Until they set it up, there is no "cloud". "Cloud" IS a service, OS, etc that someone else set up and which you (pay to) use, and which that someone else ultimately has control over.
So this guy wants to run the software themself (the "self-host") without the infrastructure (the VPS which they rent yearly and which they have had to install Debian or Unbuntu 22, along with git and all the other software) - AWS replaces the infrastructure, and while it is close being "the cloud" it is still different because setting it all is still up to the user. They are still in control of their own data (although I guess some rogue AWS employee could read the data).
When I began reading this thread I thought roughly the same way. But not for long: if plugging together parts is building yourself a computer, then hosting on lower-level services is self-hosting.
But then on the other hand I'm on the "that's not self-hosting!" side when you shift from your own needs to selling a service: if you run and sell a gitsomething.com and it's all on AWS, that certainly isn't self-hosting. And again the similarity holds: when you operate a computer brand and it's all off the shelf parts you're not really a computer builder, even if the exact same configuration would nicely run under "I built this" when some by a consumer.
Yeah that used to be it for me too, until I got rid of all my possessions and started living more minimalistic.
Self-hosting is broad enough to include wanting to get away from large centralized vendors and take hosting into your own hands. Owning your domains and being vendor agnostic with IaC.
You won't get any server side CI/hooks or even multi user management, but if you just want a central place to push and pull your private code it's perfect.
S3 sounds very inefficient for storing git objects. Unless you're talking converting git protocol to S3 Object Versions API which might sound like an interesting project.
It's also a generic interface which is offered by multiple vendors (Azure, Backblaze, etc) including some on-prem options like MinIO.
I mean, on one level, a plain directory is also a generic interface, but blob storage has semantics which naturally lend themselves to replication in ways that a regular filesystem doesn't.
Self-hosting, with emphasis on the self, to me is taking it into your own hands.
Using the cloud can be very liberating these days, you can do it in a vendor agnostic way where you own all your domains, your data and can move freely between any cloud provider.
The tech is not very specific to Go. I remember the library called Turbo Vision from Borland Inc. which gave similar console superpowers in the early 1990s. Internally it was not that different from a typical GUI toolkit - controls, modal windows, layout, but it worked exclusively for text mode.
Products based on that technology were quite impressive back in the day: Turbo Pascal 7.0, Turbo C. The only thing that I really missed back then was drag and drop (in console) and it's still an unachievium nowadays, afaik.
I tried to use it, but my git repo was too big and it become painfully slow. I filed a bug an the issue was fixed within a few weeks. Very good interaction with the developers!
However that also meant that I needed an alternative. So let's break down what soft-serve do:
1. It's a ssh server/git server
2. It can list git repositories
3. It can browse git repositories
For:
1. you can use your current ssh server and for extra protection use the git-shell that comes with git.
2. Is easily solved with git-shell-commands (see man git-shell)
3. Is not something I need. If you want to browse you'll need to clone.
Although soft-serve is beautiful, it's a lot of added complexity for not very much functionality. If/when they add CI/CD, pull requests (perhaps a git-appraise based interface). It will be awesome and I'll give it a new try.
Now manage users and granular user-level access to repos... it's doable but you're going to write a boatload of one-off scripts and hacks, which tools like soft-serve have already implemented.
Yes or just install soft-serve, another git server implementation (with much more sane documentation IMHO, gitolite is great but the docs are a scatterbrained mess).
The point is that a git server isn't just ssh and git except in the most barebones simple use case.
Right, but you could easily end up writing a bunch of custom automation scripts and/or APIs around this, at which point (unless you really like DIYing stuff) you might better off with something like Soft-serve.
Slightly OT: how feasible is it to do issue management as markdown within a monorepo, anyone have any experience with this? Fossil does this already, but I think git could do it just as well?
I recommend using an invocation like this instead when testing things like this; I think it’s enough (but welcome correction):