Support for SSH repository access has landed!
Thomas De Schampheleire
patrickdepinguin at gmail.com
Tue Aug 13 18:17:03 UTC 2019
Hello everyone,
We are excited to announce that support for SSH repository access
has finally landed on the Kallithea development branch. This means:
- repository URLs like ``ssh://kallithea@example.com/name/of/repository``
- all network traffic for both read and write happens over the SSH protocol on
port 22, without using HTTP/HTTPS or the Kallithea WSGI application
- encryption and authentication protocols are managed by the system's ``sshd``
process, with all users using the same Kallithea system user (e.g.
``kallithea``) when connecting to the SSH server, but with users' public keys
in the Kallithea system user's ``.ssh/authorized_keys`` file granting each user
sandboxed access to the repositories.
- users and admins can manage SSH public keys in the web UI
- in their SSH client configuration, users can configure how the client should
control access to their SSH key - without passphrase, with passphrase, and
optionally with passphrase caching in the local shell session (``ssh-agent``).
This is standard SSH functionality, not something Kallithea provides or
interferes with.
- network communication between client and server happens in a bidirectional
stateful stream, and will in some cases be faster than HTTP/HTTPS with several
stateless round-trips.
We plan to make an official release including these changes in early fall.
The changes have a long history, with several people contributing. For a long
time we had concerns and didn't feel ready to land the changes ... and also
didn't prioritize doing the work we thought it needed. But finally, other
high-priority things finished and we got around to prioritizing work on this.
We reworked it a lot, and now really feel confident in the quality, security and
maintainability of the feature.
Thanks to everybody who contributed, directly or indirectly.
We suggest that all users with interest in this feature try it out so we gain
further confidence before releasing officially. Please report any
issues you may find, including suggestions for documentation improvements. To
get started, refer to the documentation on SSH repository access [1] and to the
general upgrade instructions [2].
[1] https://kallithea.readthedocs.io/en/default/setup.html#using-kallithea-with-ssh
[2] https://kallithea.readthedocs.io/en/default/upgrade.html
Note: At this moment, SSH repository access has been tested on Unix only.
Windows users that care about this feature are invited to test it and
report problems, ideally contributing patches that solve these problems.
Best regards,
Mads Kiilerich
Thomas De Schampheleire
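
The shared-account model in the announcement relies on every key in the Kallithea system user's ``.ssh/authorized_keys`` being confined by sshd key options. The following audit is an added example, not part of the original message and not Kallithea's own code; it flags keys that lack a forced command or leave pty or forwarding enabled. The sample file and the ``/opt/example/serve-repo`` command in it are constructed placeholders.

```python
import re

# One option: a name, optionally ="value"; quoted values may hold commas and spaces.
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s+|$)')
KEY_TYPE_RE = re.compile(r'(ssh-|ecdsa-|sk-)')
FEATURES = ("pty", "port-forwarding", "agent-forwarding", "x11-forwarding")

def parse_options(line):
    """Return the sshd options of one authorized_keys line as a dict."""
    options, pos = {}, 0
    if KEY_TYPE_RE.match(line):          # line starts with the key type: no options
        return options
    while True:
        m = OPTION_RE.match(line, pos)
        if not m:
            raise ValueError("unparsable options: %r" % line[:40])
        options[m.group(1).lower()] = m.group(2)   # option names are case-insensitive
        pos = m.end()
        if m.group(3) != ",":            # whitespace or end of line closes the options
            return options

def audit_line(line):
    """Return findings for one key; an empty list means the key is confined."""
    options = parse_options(line.strip())
    findings = []
    if not options.get("command"):
        findings.append("no forced command")
    if "restrict" in options:            # flag re-enabled features, whatever the order
        findings += ["re-enables " + f for f in FEATURES if f in options]
    else:
        findings += ["allows " + f for f in FEATURES if "no-" + f not in options]
    return findings

def audit_file(text):
    """Map line number -> findings for every key line that is not confined."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            findings = audit_line(line)
            if findings:
                report[number] = findings
    return report

# Constructed sample: key material and the forced command path are placeholders.
SAMPLE = '''\
# shared repository account
no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/opt/example/serve-repo --user-id 7" ssh-ed25519 AAAAC3placeholder1 alice
restrict,command="/opt/example/serve-repo --user-id 8" ssh-ed25519 AAAAC3placeholder2 bob
ssh-rsa AAAAB3placeholder3 admin@laptop
restrict,pty,command="/opt/example/serve-repo --user-id 9" ssh-ed25519 AAAAC3placeholder4 carol
'''
```

A key added by hand without options, like line 4 of the sample, gives its holder a shell as the shared system user, which is the case this check exists to catch.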