wait, the login asks for my server and ssh password? oh how can we trust this???

mike-cardwell · on Sept 27, 2010

You can't

tricknik · on Sept 27, 2010

But if we wrote a Thimbl user information update server and asked you to run that on your own server, you would do that and consider our service as secure as sshd? Really? Our position is that you give as a standard remote login interface, that is ssh, how you implement that for your own finger users is up to you (see my other comment)

phsr · on Sept 27, 2010

you could always set up a super stripped down user with a random password. Not to say that I'm about to do that

jmhobbs · on Sept 27, 2010

We could always write a Thimbl only server to handle it, here's a start: http://www.devshed.com/c/a/Python/SSH-with-Twisted/

tricknik · on Sept 27, 2010

Is there a more secure way that a non-data-retaining service can connect with your server so a user can update there .plan file than sftp?

pyre · on Sept 27, 2010

There are ways of locking down an incoming ssh connection to scp-only, you can even filter the files it has access to. I looked into this once, but never implemented it b/c we went elsewhere with the project.

Note: This is by making the handling script the thing that runs for a certain ssh key, I don't think it works with a password though.

tricknik · on Sept 27, 2010

Excatly! There are many ways to set up secure ssh access. Which is why a solid, know protocol like ssh is the right one to use for remote login, because it provides many options and all sysops can configure access for their own users as they see fit, yet all users, on all systems can still follow each other.

pyre · on Sept 27, 2010

See: http://news.ycombinator.com/item?id=1732738