On Sat, Mar 9, 2013 at 4:25 PM, Lennart Regebro <rege...@gmail.com> wrote:
> On Fri, Mar 8, 2013 at 6:57 PM, Donald Stufft <don...@stufft.io> wrote:
>> HTTP has a token that is functionally similar to SSH keys. Client side SSL
>> certificates. They would function fine and enable similar uses as SSH keys.
>
> Every time I've used that it has been very complicated and usually not
> worked well or cross-platform. Perhaps that situation has changed?

Pulp (http://pulpproject.org) handles it fairly well IMO - the CLI includes a "pulp-admin auth login" command which just uses Basic Auth over HTTPS. This returns a server-generated cert that is saved to disk and is valid for a week.

After a week, you have to log in again to refresh your cert (this is to mitigate the problem Toshio noted: the cert is stored unencrypted on disk. Without the expiry date, this approach would be just as bad as storing the password itself in the clear).

There's a bit of fiddling client side to use the cached cert, and server side to check it, but the user experience is pretty smooth.

(Pulp is GPL, while PyPI is now BSD, so if we do go down this path, someone that hasn't read the Pulp code will need to implement it, or else I can talk to the Pulp team about getting those parts relicensed under a more permissive license)

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
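
A client-side gate for the cached certificate described in the message above, as an added example (not Pulp's code and not part of the original message): it rejects a credential file that group or others can read and treats a certificate that expires within a chosen margin as needing a fresh login. The function names, the single file holding certificate and key, and the constructed self-signed certificate are assumptions; only the one-week validity comes from the message.

```shell
#!/bin/sh
# Added example. Function names and file layout are assumptions, not Pulp's.

# cert_status FILE [MIN_SECONDS_LEFT]
# Prints one of: ok | missing | loose-perms | expiring
# Returns 0 only for "ok"; anything else means "log in again".
cert_status() {
    cert=$1
    min_left=${2:-0}
    [ -f "$cert" ] || { echo missing; return 1; }
    # The credential is stored unencrypted, so file permissions are the only
    # local protection. Characters 5-10 of the ls mode string are the group
    # and other bits; all six must be "-".
    perms=$(ls -ld "$cert" | cut -c5-10)
    [ "$perms" = "------" ] || { echo loose-perms; return 1; }
    # "openssl x509 -checkend N" exits non-zero when the certificate expires
    # within N seconds. An unparsable file also fails here, which is the
    # safe outcome: the client falls back to a new login.
    openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null 2>&1 \
        || { echo expiring; return 1; }
    echo ok
}

# make_constructed_cert FILE
# Stand-in for the server's response: a constructed self-signed certificate
# valid for 7 days, written together with its key into one owner-only file.
make_constructed_cert() {
    out=$1
    (
        umask 077    # create every file 0600 from the start, no chmod race
        openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
            -subj "/CN=constructed-user" \
            -keyout "$out.key" -out "$out.crt" >/dev/null 2>&1 &&
        cat "$out.crt" "$out.key" > "$out" &&
        rm -f "$out.key" "$out.crt"
    )
}
```

A client would call `cert_status` before each request and re-run the login step whenever it prints anything other than `ok`.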