Return-Path: X-Original-To: apmail-subversion-dev-archive@minotaur.apache.org Delivered-To: apmail-subversion-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0614718C0F for ; Sat, 21 Nov 2015 22:59:30 +0000 (UTC) Received: (qmail 95717 invoked by uid 500); 21 Nov 2015 22:59:29 -0000 Delivered-To: apmail-subversion-dev-archive@subversion.apache.org Received: (qmail 95656 invoked by uid 500); 21 Nov 2015 22:59:29 -0000 Mailing-List: contact dev-help@subversion.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@subversion.apache.org Received: (qmail 95646 invoked by uid 99); 21 Nov 2015 22:59:29 -0000 Received: from Unknown (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 21 Nov 2015 22:59:29 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 26B50180A18 for ; Sat, 21 Nov 2015 22:59:29 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.119 X-Spam-Level: X-Spam-Status: No, score=-0.119 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, URIBL_BLOCKED=0.001] autolearn=disabled Authentication-Results: spamd3-us-west.apache.org (amavisd-new); dkim=pass (1024-bit key) header.d=daniel.shahaf.name header.b=UPXMB1IU; dkim=pass (1024-bit key) header.d=messagingengine.com header.b=jJ38Jrfq Received: from mx1-eu-west.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id lJwhsAmxS0mL for ; Sat, 21 Nov 2015 22:59:19 +0000 (UTC) Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with ESMTPS id 3E4B220EBA for ; Sat, 21 Nov 2015 22:59:19 +0000 (UTC) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 8EC60202EC; Sat, 21 Nov 2015 17:59:18 -0500 (EST) Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Sat, 21 Nov 2015 17:59:18 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= daniel.shahaf.name; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=TNl7+g9TeA1OGfSL7L8l5UQPw+E=; b=UPXMB1 IUdPsQEF/n1p0T6bxTH0SUGPj6B5B4+NplgfX310DPb4DGfOSu27pzZrQLCSD2KP u/O66BqNldwlgDexk4XRMOPcanxPNHsAsSA/AQFK6KON4efh0V3q8guGeCij9nKE DZEexNVCX8qZ3L/ipEpoT1xfd60F9ZGTQi2fc= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=smtpout; bh=TNl7+g9TeA1OGfSL7L8l5UQPw+E=; b=jJ38J rfqw/C+nkJn9bGSCLaP0B9JZ9XBko5pm6YvKykKMlu4ehnM3Rpgu7sfU3+W1i3Y5 3lo/3EC9LKM0QpqyXNJvPK64rP16w0knePwuE5sFIImP6rjDEWXgsngkSB8Yi58K iJHhg8Ap8D9CJB1xiwP5gluHM78wj2uKP9/W/4= X-Sasl-enc: 8ekRAGBmVHFbB6gqVY9nzhuM4XMQGheDhhLJLx8qCohi 1448146758 Received: from tarsus.local2 (bzq-109-66-134-98.red.bezeqint.net [109.66.134.98]) by mail.messagingengine.com (Postfix) with ESMTPA id B03FA6800F7; Sat, 21 Nov 2015 17:59:17 -0500 (EST) Date: Sat, 21 Nov 2015 22:59:15 +0000 From: Daniel Shahaf To: Philip Martin Cc: dev@subversion.apache.org Subject: Re: svn+ssh long-lived daemon Message-ID: <20151121225915.GD2335@tarsus.local2> References: <871tblc0ii.fsf@wandisco.com> <20151120030822.GG2103@tarsus.local2> <87mvu86hu5.fsf@wandisco.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87mvu86hu5.fsf@wandisco.com> User-Agent: Mutt/1.5.21 (2010-09-15) Philip Martin wrote on Fri, Nov 20, 2015 at 11:17:06 +0000: > Daniel Shahaf writes: > > 3. VPN with key-based authentication, then just use svn:// over the VPN > > subnet. For example, OpenVPN can do this. > > This also requires Subversion authentication over the VPN. The server > still has to configured for Subversion credentials in addition to the > VPN credentials and the user is authenticated twice. > > What I want is a single authentication that only requries a key pair and > a username. You could set up the VPN to dedicate an IP address to each user, and arrange for svnserve to only accept a particular username if the remote IP address is that user's IP address. At that point you don't need to have an ra_svn password at all, svnserve will check the username against the remote IP address, the server doesn't even need to request a password from the user. Security will rely on the VPN IP routing, not on a password. You could arrange something similar with the 'ssh -W' idea: if svnserve listened on multiple IP:port tuples, and .ssh/authorized_keys permitted each user to connect to only one of those IP:port coordinates, svnserve could derive the authenticated username from the port number the connection was accepted on, and no ra_svn-level password will be required, only an SSH key. But zooming out, what's so unreasonable about assigning two authentication secrets to each user? Such as two secret keys, or a secret key and a password that only works in conjunction with that specific key? Requiring "a single secret per user" seems like an arbitrary requirement, you gave no reason for it, theoretically it's unmodelable. What's your concern? Administrative overhead? One employee (an "inside" attacker) impersonating another employee? You mentioned SASL in your first mail but I don't understand why using keys with SASL would require code changes. Using SASL with straight svn:// would probably be easiest solution. Regarding your in-band proxy idea, one minor tweak to it would be to use SCM_CREDS / SCM_CREDENTIALS for the sideband protocol, instead of inventing a custom side protocol. For example, you could have svnserve listen on a unix socket and authorized_keys execute a setgid wrapper, one wrapper per SSH-authenticated identity. The wrapper would act like 'socat STDIO svnserves_unix_socket' and call SCM_CREDS at the right moment. Also, you didn't mention if on-the-wire encryption is a goal, or just authentication. Cheers, Daniel