From: Ivan Zhakov
Date: Fri, 20 Nov 2015 09:35:56 +0300
Subject: Re: svn+ssh long-lived daemon
To: Daniel Shahaf
Cc: Philip Martin, dev@subversion.apache.org
In-Reply-To: <20151120030822.GG2103@tarsus.local2>
References: <871tblc0ii.fsf@wandisco.com> <20151120030822.GG2103@tarsus.local2>

On 20 November 2015 at 06:08, Daniel Shahaf wrote:
> Philip Martin wrote on Thu, Nov 19, 2015 at 18:22:29 +0000:
>> Are there alternative ways to get a long-lived daemon to do
>> authentication with public/private key pairs?
>
> 1. Plain old ssh port forwarding:
>
> server# svnserve -d
> client% ssh -MNf -L 3690:localhost:3690 $remotebox
> client% svn info svn://localhost/myrepos
>
> 2. Same, but without allocating a TCP port on the client:
>
> server# svnserve -d
> client% cat .subversion/config
> [tunnels]
> office = $SVN_OFFICE ssh -W localhost:3690 svn.office.com.example ;:
> client% svn info svn+office:///myrepos
>
> The ";:" at the end is to ignore the "svnserve -t" string that gets
> appended to the command line after stripping the variable and before
> passing it to system(). The URI has an empty "host:port" part
> because the tunnel hardcodes the hostname. The client might still run
> 'ssh -MNf' beforehand, but unlike in #1 where running ssh manually was
> required, here it is merely a performance optimization.
>
> "ControlPath" may need to be set in ssh_config(5).
>
> 3. VPN with key-based authentication, then just use svn:// over the VPN
> subnet. For example, OpenVPN can do this.
>
> 4. An ra_svn proxy that adds authentication info. The server runs
> 'svnserve -i --listen-host=localhost' and sshd. In
> .ssh/authorized_keys, instead of running socat as in your description,
> run a proxy that understands the ra_svn protocol, intercepts
> server-to-client authentication requests and answers them with
> credentials determined as a function of the authenticated ssh identity,
> and passes everything else back-and-forth unmodified.

5. HTTPS authentication using client certificates

--
Ivan Zhakov
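The [tunnels] trick in option 2 above depends on how the client turns a tunnel entry into the command it actually spawns, which is easy to misread. The following is an added example, not Subversion's own code and not part of the thread, that models that expansion: an entry beginning with "$NAME" names an environment variable whose value, when set, replaces the whole command (otherwise the text after the variable is used); the host[:port] part of the URL (empty for svn+office:///myrepos) and the fixed words "svnserve -t" are then appended. Assumptions: shlex.split stands in for APR's quote-aware tokenizer, URI-decoding of the host part is skipped, and the config text and the "bastion" override value are constructed here. The practitioner caveat it makes visible: the tunnel entry and any environment variable it names are executed locally as the invoking user, so both deserve the same care as a shell script, and if the URL carries a host it lands as one more argument after the entry's own words.

```python
"""Model of how the Subversion client expands a [tunnels] entry.

Added example, not Subversion's own code.  shlex.split stands in for
APR's tokenizer (assumption); the host part is not URI-decoded.
"""
import os
import shlex
from typing import Mapping, Optional


class TunnelError(ValueError):
    """Raised when a tunnel scheme cannot be expanded."""


def expand_tunnel(entry: str, hostinfo: str,
                  env: Optional[Mapping[str, str]] = None) -> list:
    """Return the argv the client would run for one [tunnels] entry.

    entry     right-hand side of "scheme = ..." in [tunnels]
    hostinfo  host[:port] part of the svn+scheme:// URL ("" if absent)
    env       environment to consult (defaults to os.environ)
    """
    env = os.environ if env is None else env
    if not entry.strip():
        raise TunnelError("empty tunnel definition")

    if entry.startswith("$"):
        # "$NAME rest...": NAME, when set, replaces the whole command.
        var, _, rest = entry[1:].partition(" ")
        cmd = env.get(var)
        if cmd is None:
            cmd = rest.lstrip()
            if not cmd:
                raise TunnelError(
                    f"tunnel requires environment variable {var} to be set")
    else:
        cmd = entry

    argv = shlex.split(cmd)      # quote-aware split of the command text
    argv.append(hostinfo)        # URL host is appended even when empty
    argv += ["svnserve", "-t"]   # fixed trailing words
    return argv


def parse_tunnels(config_text: str) -> dict:
    """Minimal reader for the [tunnels] section of ~/.subversion/config.

    Only '#' or ';' at the start of a line begins a comment, so the ';:'
    inside a value survives.
    """
    tunnels = {}
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "tunnels" and "=" in line:
            name, _, value = line.partition("=")
            tunnels[name.strip()] = value.strip()
    return tunnels


# Constructed sample config; the entry is the one discussed in the thread.
SAMPLE_CONFIG = """
[tunnels]
office = $SVN_OFFICE ssh -W localhost:3690 svn.office.com.example ;:
"""


def tunnel_argv_for_url(config_text: str, url: str,
                        env: Optional[Mapping[str, str]] = None) -> list:
    """Map an svn+SCHEME://HOST/PATH URL to the argv the tunnel would spawn."""
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme.startswith("svn+"):
        raise TunnelError(f"not a tunnelled svn URL: {url}")
    hostinfo = rest.split("/", 1)[0]
    tunnels = parse_tunnels(config_text)
    name = scheme[len("svn+"):]
    if name not in tunnels:
        raise TunnelError(f"Undefined tunnel scheme '{name}'")
    return expand_tunnel(tunnels[name], hostinfo, env)


if __name__ == "__main__":
    # Empty host part, as in the thread: the tunnel fixes the destination.
    print(tunnel_argv_for_url(SAMPLE_CONFIG, "svn+office:///myrepos", env={}))
    # A host in the URL is appended after the entry's own words.
    print(tunnel_argv_for_url(SAMPLE_CONFIG,
                              "svn+office://svn.office.com.example/myrepos",
                              env={}))
    # SVN_OFFICE set: its value (constructed here) replaces the command.
    print(tunnel_argv_for_url(SAMPLE_CONFIG, "svn+office:///myrepos",
                              env={"SVN_OFFICE": "ssh -q -W localhost:3690 bastion"}))
```

Run it directly to see the three argv lists; the empty string in the first list is the empty host part that ends up right after ";:" and before "svnserve -t".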