subversion-users mailing list archives

From jehan procaccia <jehan.procac...@it-sudparis.eu>
Subject Re: svn Farm
Date Fri, 08 Oct 2010 13:52:30 GMT
On 08/10/2010 14:54, Andy Levy wrote:
> On Fri, Oct 8, 2010 at 08:09, Nico Kadel-Garcia<nkadel@gmail.com>  wrote:
>> Also note: both the 'svn' and 'http' access send the passwords over
>> the network in clear text. There are ways around this (such as SSH or
>> SSL tunneling), but they're pesky to set up. Fortunately, "https"
>> already has that built in.
> HTTP Digest Authentication does not send the password in cleartext, it
> sends an MD5 hash. Yes, the hash is sent in cleartext, but that is not
> exactly the same as sending the *password* in cleartext.
>
> If you configure your svnserve to use SASL, it can use several methods
> of encryption for authentication.
> http://svnbook.red-bean.com/en/1.5/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl
>
> I understand that you're very concerned with security shortcomings,
> but you're leaving out important details that may make the system
> appear less secure than it really can be with proper configuration.

After all, I think I might consider svn+ssh for large-scale svn unix
command line access.
here's the scenario,
1) I set up and manage all repositories with a unique local unix account
(for example username svn!); that account issues all "svn create" and
owns the repos filesystem directories
2) enable the server to resolve LDAP users (pam & nss ldap), so that the
--tunnel-user=ldapusername option (see 3 below) works.
3) then add the LDAP users' public ssh keys to the authorized_keys of that
unique svn manager account, as in:
"command="svnserve -t --tunnel-user=ldapusername" ssh-rsa KEYXXXXX COMMENT"
4) write a script / web GUI that enables users to push their key into
~svn/.ssh/authorized_keys
5) copy a centrally managed authz file into every repos/conf/authz file;
if I understand svnserve well, there's no central authz directive like the
AuthzSVNAccessFile of apache DAV svn!?

Does this scenario make sense?
I agree step 4 will take some time ...

thanks for your remarks.
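As an added example (not part of this thread, and not Subversion project code): a POSIX sh function that produces the authorized_keys line from step 3 for the step-4 script or web GUI to append. It assumes a hypothetical repository root /srv/svn passed to svnserve with -r, and it treats the LDAP user name and the submitted public key as untrusted input, because a name or key text containing a quote, comma or newline would otherwise alter the forced command= option or add an unrestricted second key.

```shell
#!/bin/sh
# Added example, not from the thread: build one hardened authorized_keys
# entry for the shared "svn" account in the scenario above.
# Assumptions (hypothetical): repositories live under /srv/svn, so
# svnserve is rooted there with -r; the LDAP user name and public key
# come from the step-4 tool and must be validated before use.

# svn_authorized_key_line USER PUBKEY
# Prints the authorized_keys line on stdout, or prints nothing and
# returns 1 when USER or PUBKEY does not pass validation.
svn_authorized_key_line() {
    user=$1
    pubkey=$2

    # A newline in the submitted key would let one submission append a
    # second, unrestricted key, so reject it before anything else.
    nl=$(printf '\nx'); nl=${nl%x}
    case $pubkey in
        *"$nl"*) return 1 ;;
    esac

    # Restrict the user name to a conservative alphabet: it is interpolated
    # into the quoted command= option, and a '"' or ',' there would change
    # the forced command or add options.
    case $user in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac

    # Split "type base64blob [comment]" with parameter expansion (no word
    # splitting, so no pathname expansion of a '*' in the input).
    keytype=${pubkey%% *}
    rest=${pubkey#* }
    blob=${rest%% *}
    case $keytype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac

    # Forced command plus the usual restrictions: this key can only start
    # svnserve in tunnel mode as the given LDAP user, with no shell, pty
    # or forwarding.
    printf 'command="svnserve -t -r /srv/svn --tunnel-user=%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$user" "$pubkey"
}

# Usage from the step-4 tool (append only when validation succeeded):
#   svn_authorized_key_line "$ldapuser" "$pubkey" >> ~svn/.ssh/authorized_keys
```

With a command= option in place, sshd runs svnserve regardless of what the client asks to execute, and the no-* options close off the interactive shell, pty and port/agent forwarding that a shared account would otherwise expose; the validation is what keeps the web GUI from becoming a way to write arbitrary options into that file.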

