subversion-users mailing list archives

From: Nico Kadel-Garcia <nka...@gmail.com>
Subject: Re: svnserv + ssh + ldap
Date: Mon, 02 Aug 2010 12:22:01 GMT

On Sun, Aug 1, 2010 at 1:37 PM, Mark Phippard <markphip@gmail.com> wrote:
> On Sun, Aug 1, 2010 at 12:59 PM, Nico Kadel-Garcia <nkadel@gmail.com> wrote:
>>> AFAIK it's possible to run gnome-keyring without X.
>>
>> It's painful. Take a glance at
>> http://superuser.com/questions/141036/use-of-gnome-keyring-daemon-without-x,
>> which documents manually editing /etc/pam.d/ login settings. It's also
>> heavily dependent on X libraries.
>
> Subversion and GNOME keyring work well without X.  In your login
> script you just want:
>
> $ export `gnome-keyring-daemon`

Good, but ouch. Let's try adding a bit of rigor, shall we? First,
before running such a daemon, always check that it actually exists,
where you expect it to exist. Running random commands that will handle
passwords which may have been replaced by who knows what somewhere in
your $PATH is always a bad idea. So let's use this instead:

    if [ -x /usr/bin/gnome-keyring-daemon ]; then
        export `/usr/bin/gnome-keyring-daemon`
    fi

And .login is not universal. .bash_profile, for example, is more
effective for most bash users. But I take the idea.

Last, it doesn't store the settings for your existing keyrings
anywhere so you don't wind up creating one every time you log in. This
sort of setting is stored for SSH keys by tools like the Perl script
'keychain': I'm not sure there's one like it for the
gnome-keyring-daemon. So it's reasonable, but resource consumptive if
you run multiple logins to the same host, and will tend to clutter
/tmp/. That's serviceable, so I'll actually try that out this week.

> Subversion will prompt you for password to unlock the keyring when it
> is locked.  In logout script you want:
>
> $ kill $GNOME_KEYRING_PID

Nothing personal, but you seem to be casually slapping things into
your configuration scripts with uncertain provenance. The resulting
errors are begging to cause issues in multiplatform environments. Try
something like this instead:

     [ -n "$GNOME_KEYRING_PID" ] && kill "$GNOME_KEYRING_PID"

And for bash users, it goes in .bash_logout.

> One problem is that GNOME does not provide any CLI for working with
> the keyring.  CollabNet created a keyring_tool that lets you do this.
> It is packaged in the RPM we provide for Linux.

Good! Is there some reason it's not in the main Subversion codeline?
Or in a forked off product?
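
The message above asks for three things: run the daemon only from a known absolute path, avoid starting a new daemon on every login the way 'keychain' does for SSH agents, and kill only a PID that is actually set. The following is an added example, not part of the original message or of Subversion or GNOME; the function names, `KEYRING_DAEMON` and `KEYRING_ENV_FILE` are assumptions, and it assumes the daemon prints NAME=value lines including `GNOME_KEYRING_PID`.

```bash
# Added example, not code from the thread. KEYRING_DAEMON and KEYRING_ENV_FILE
# are assumed names. Assumes the daemon prints NAME=value lines that include
# GNOME_KEYRING_PID, as the commands quoted in the thread imply.
KEYRING_DAEMON=${KEYRING_DAEMON:-/usr/bin/gnome-keyring-daemon}
KEYRING_ENV_FILE=${KEYRING_ENV_FILE:-$HOME/.gnome-keyring-env}

# Export only the expected variables from the file; it is never sourced.
keyring_load_env() {
    while IFS='=' read -r kr_name kr_value; do
        case $kr_name in
            GNOME_KEYRING_PID|GNOME_KEYRING_SOCKET|SSH_AUTH_SOCK)
                export "$kr_name=$kr_value" ;;
        esac
    done < "$1"
}

# True when the recorded PID is numeric and names a process we may signal.
keyring_alive() {
    case $GNOME_KEYRING_PID in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$GNOME_KEYRING_PID" 2>/dev/null
}

# Login side: reuse the daemon recorded by an earlier login, else start one.
keyring_start() {
    if [ -f "$KEYRING_ENV_FILE" ] && [ -O "$KEYRING_ENV_FILE" ]; then
        keyring_load_env "$KEYRING_ENV_FILE"
        if keyring_alive; then return 0; fi
    fi
    # Run the daemon by absolute path only, never through $PATH.
    case $KEYRING_DAEMON in
        /*) ;;
        *) return 1 ;;
    esac
    [ -f "$KEYRING_DAEMON" ] && [ -x "$KEYRING_DAEMON" ] || return 1
    # Subshell keeps the tightened umask local; a new file is created mode 0600.
    ( umask 077; "$KEYRING_DAEMON" > "$KEYRING_ENV_FILE" ) || return 1
    keyring_load_env "$KEYRING_ENV_FILE"
    keyring_alive
}

# Logout side: signal only a validated PID, then drop the stale record.
keyring_stop() {
    if keyring_alive; then kill "$GNOME_KEYRING_PID"; fi
    rm -f "$KEYRING_ENV_FILE"
}
```

Call `keyring_start` from .bash_profile and `keyring_stop` from .bash_logout; note that `keyring_stop` ends the daemon for every login session sharing it.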
