I have a personal Git repository which I don't want to have publicly available for a variety of reasons (chiefly pride, as it's mostly half-pages of scribbled lines), so I'm hosting it on a personal server.
I am interested in anyone's thoughts on security between the following implementations (the host is CentOS 5.6 if that matters):
- SSH using key-based authentication with keys using 20-character passphrases;
- WebDAV using Apache 2.2 and passwords using 20-character passwords.
There are a number of discussions on SO about which is better, more convenient, etc., but they seem to be chiefly functional. Which would be more/less straightforward to break or tap into? As I said, the information in the repo is not sensitive, just a collection of bad hobby code. I'm just trying to find something to base my decision on besides a Coke-vs-Pepsi "which tastes better to you?" subjective debate.
Appreciate any comments.
Specific question, but general answer.
- WebDAV will be very insecure without SSL.
- HTTPS = HTTP + SSL
- SSH = also SSL
So HTTPS and SSH are pretty much equal in this regard, but using private key files is better. This might be easier to set up using SSH, but harder for HTTPS.
So in your specific question (assuming also you're going for HTTPS and not HTTP) SSH will be more secure, because private key files are virtually impossible to crack. Password-based authentication has the usual security issues (dictionary, brute force, rainbow table, etc.).
Effectively it's comparing the 20-byte password to a 1024/2048/4096 bit public key.
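The answer's first point, that WebDAV is only defensible over SSL, in concrete form: an added Apache 2.2 configuration (not from the question or the answer) that serves the repository over WebDAV on HTTPS only, with plain HTTP redirected and the password file required for every request. The hostname, repository path, certificate paths and lock-database path are assumptions.

```apache
# Added example: Git repository over WebDAV, HTTPS only.
# Hostname, paths and certificate files below are assumed values.

# Plain HTTP is the weak setting: Basic auth sends the password
# base64-encoded on every request and the repository contents travel in
# the clear. Offer nothing there except a redirect to HTTPS.
<VirtualHost *:80>
    ServerName git.example.org
    Redirect permanent / https://git.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName git.example.org
    DocumentRoot /var/www/git

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/git.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/git.example.org.key

    # mod_dav_fs needs a lock database; its directory must be writable
    # by the apache user.
    DavLockDB /var/lib/dav/lockdb

    <Location /repo.git>
        Dav On
        # Belt and braces: refuse the request if it ever arrives without TLS,
        # e.g. through a misconfigured extra listener.
        SSLRequireSSL
        # Password file created with: htpasswd -c /etc/httpd/git.htpasswd <user>
        AuthType Basic
        AuthName "git repository"
        AuthUserFile /etc/httpd/git.htpasswd
        # Every method, reads included, needs a valid user; no anonymous
        # PROPFIND or GET of the repository.
        Require valid-user
    </Location>
</VirtualHost>
```

The DocumentRoot directory and the repository under it must be owned or writable by the apache user for pushes to succeed; nothing in the block above changes that requirement.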