FS#45364 - SSH write access via HTTPS

Attached to Project: AUR web interface
Opened by Tom Swartz (tomswartz07) - Wednesday, 17 June 2015, 19:24 GMT
Task Type Feature Request
Category Backend
Status Unconfirmed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version 4.0.0-rc3
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 1
Private No


I had posted a general question in the AUR mailing list[1], and it seems to have spurred some discussion.

My question/feature request is as follows:
With the understanding that all PKGBUILDS are now controlled exclusively via git, is it possible to configure SSH write access to the Git repositories via a port other than port 22?

Various other Git-based services encourage 'ssh on port 22', but also offer access via alternate methods (ssh via HTTPS port 443, for example).
GitHub[2] and BitBucket are the two main examples of this configuration.

For home and non-corporate users, outbound access via Port 22 is relatively easy.
However, in corporate networks, many times all ports except for a select few are firewalled for various reasons (e.g. to protect the rest of the devices on the network).
In these corporate networks, outbound traffic is only accessible via Ports 80, 443 and (rarely) very few others, and requesting a change in the outbound network policy is almost impossible.

As such, many users (such as myself) cannot upload PKGBUILDS to the AUR because of the restrictive firewall rules.

I'd appreciate any feedback with this issue.


Comment by Johannes Löthberg (demize) - Wednesday, 17 June 2015, 20:17 GMT
I doubt SSH over HTTPS will ever be added. Git pushing over HTTPS might be added though.
Comment by Tom Swartz (tomswartz07) - Wednesday, 17 June 2015, 20:18 GMT

This is what I'm referring to. Git push via the HTTPS ports.

Currently it's configured so that Git Push is only via ssh.

Hopefully that clears things up.
Comment by Johannes Löthberg (demize) - Wednesday, 17 June 2015, 22:39 GMT
You explicitly referred to SSH over HTTPS, which I explicitly am not talking about.

Anyway, it shouldn't be /too/ hard to add, but I'm not sure which way would be the best.

We would probably have to get nginx compiled with --with-http_auth_request_module and do an if statement to check if the git-receive-pack parameter is given in the service parameter of the query string, and if so we do an auth_request to the AUR to check

1) If the credentials are valid, and
2) If the user has access to the repo
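
The two checks from the comment above, sketched as the decision function behind an nginx auth_request endpoint (an added example, not code from the AUR project or the commenter). The accounts, repository name and function names are constructed; it treats both the `info/refs?service=git-receive-pack` discovery request and the `POST /<repo>/git-receive-pack` upload as a push, because the upload request carries no query string.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: two accounts and one repository (hypothetical names).
SALT = b"constructed-salt"
USERS = {"alice": _kdf("correct horse", SALT), "bob": _kdf("hunter2", SALT)}
MAINTAINERS = {"foo-git": {"alice"}}

def is_push(uri: str) -> bool:
    """True for both halves of a smart-HTTP push; ambiguous input counts as a push."""
    parts = urlsplit(uri)
    if parts.path.endswith("/info/refs"):
        return "git-receive-pack" in parse_qs(parts.query).get("service", [])
    return parts.path.endswith("/git-receive-pack")

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def authorize(uri: str, auth_header) -> int:
    """Status for the auth_request subrequest: 2xx allows, 401/403 deny."""
    if not is_push(uri):
        return 200  # clone/fetch stays anonymous
    creds = parse_basic(auth_header)
    if creds is None:
        return 401
    user, password = creds
    if not hmac.compare_digest(USERS.get(user, b""), _kdf(password, SALT)):
        return 401  # 1) credentials are not valid
    repo = urlsplit(uri).path.strip("/").split("/")[0]
    repo = repo[:-4] if repo.endswith(".git") else repo
    return 200 if user in MAINTAINERS.get(repo, set()) else 403  # 2) repo access
```
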
Comment by Chris Severance (severach) - Thursday, 30 July 2015, 06:48 GMT
git push over HTTPS sounds hard. How are you going to duplicate the SSH key authentication? SSH over HTTPS is a one line fix in any NAT router if you have an IP address to spare.
Comment by Johannes Löthberg (demize) - Thursday, 30 July 2015, 07:14 GMT
Not... really? It's widely used. And you use HTTP Basic Auth. And IPs are expensive.