using ssh keys to connect to bazaar.launchpad.net confuses users a great deal

Can you give an example on how this would work?

example:

user runs 'bzr push lp:~johndoe/project/foo'
user has no ssh private keys, or none registered with launchpad, or has configured their client to prefer password auth
the ssh client negotiates with lp to do password authentication
ssh client prompts the user for their password, and sends it across the encrypted channel
launchpad checks the password against the database, just as when logging in over https
if the password is correct, launchpad allows the user in

Since the password is already used over https to _set_ the ssh pubkey, so in that regard the password is equally trusted.

However, if there is eg a dns-spoofing attack, and the user connects to a server that's not really launchpad (cf bug 238869), and they don't have keys configured, they will end up giving their password to that site. However, doing key based authentication would be nearly as bad because it allows a mitm attack. A better way to solve this is to make sure users can authenticate the server.

For some users it's much easier to type the password every time than to set up a key.

Very tempted to mark this as wontfix.

Requires adding support for password authentication to the SSH server, and adding a new internal RPC method for validating the password.

On Thu, 2009-02-05 at 05:45 +0000, Jonathan Lange wrote:
> Very tempted to mark this as wontfix.
>
> Requires adding support for password authentication to the SSH server,
> and adding a new internal RPC method for validating the password.

Well, this year I'd be inclined to ask for openid support :)

-Rob

That's *definitely* wontfix. With bells on.

With respect to Martin's comment #2, I think this is a great idea, but in reality we are not likely to get to this ourselves.

If someone else came up with a fix, we'd review and land it happily, but it is unlikely it will bubble to the top of our priorities.