subversion-users mailing list archives

From Nico Kadel-Garcia <nka...@gmail.com>
Subject Re: Fine and secure dining, was Re: svnadmin create and not being method agnostic
Date Wed, 05 Jan 2011 02:43:23 GMT
On Mon, Jan 3, 2011 at 11:46 AM, Les Mikesell <lesmikesell@gmail.com> wrote:
> On 1/2/2011 9:43 PM, Nico Kadel-Garcia wrote:
>>
>> It's possible to do secure Subversion. Use svn+ssh access, disable or
>> block other services at the firewall,
>
> If ssh is permitted and you didn't personally set it up, what are the odds
> that port tunneling or ssh's built-in socks proxy will allow access to every
> service behind the firewall?

It's not ideal: a dedicated shell (such as gitshell) would be
preferable, but there are intelligent tools such as gitosis for
enabling and configuring just such a service. It need only be open for
the single "svn" dedicated user that holds the SSH keys, and the
authorized_keys can be set to restrict commands usable by that SSH key
access to a single command. This is why Kerberized access to such an
svnserve service account is not workable: its permitted operations
cannot be so limited as the SSH key technology.

It would still be somewhat better than the current setup if that user
used "rssh", but I've not personally succeeded in integrating
Subversion support into that toolkit.
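
An added example, not part of the original message: a POSIX shell audit of the dedicated svn account's authorized_keys that flags keys not pinned to a single command, or still permitting the port tunneling raised in the quoted question. The `/srv/svn` path, user names and key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Prints "<line>: <problem>" for
# each authorized_keys entry that is not pinned to a forced command or that
# still allows port forwarding; returns non-zero if anything was reported.
audit_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        # Options, when present, precede the key type. Every public key
        # blob starts with "AAAA" in base64, which anchors the match.
        line = " " $0
        opts = ""
        if (match(line, /[ \t](ssh-|ecdsa-|sk-)[^ \t]*[ \t]+AAAA/))
            opts = substr(line, 2, RSTART - 2)
        gsub(/\\"/, "", opts)                # drop escaped quotes
        gsub(/"[^"]*"/, "\"\"", opts)        # blank out quoted values
        gsub(/[ \t]/, "", opts)
        opts = "," tolower(opts) ","         # option names are case-insensitive

        if (opts !~ /,command="",/) {
            print NR ": no forced command"; bad = 1
        }
        # "restrict" disables forwarding, but "port-forwarding" re-enables it.
        if (opts !~ /,(restrict|no-port-forwarding),/ ||
            opts ~ /,port-forwarding,/) {
            print NR ": port forwarding allowed"; bad = 1
        }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample: key blobs and user names are placeholders.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# authorized_keys for the dedicated "svn" account (constructed)
command="svnserve -t --tunnel-user=alice -r /srv/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedA alice
command="svnserve -t --tunnel-user=bob -r /srv/svn" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedB bob
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedC carol
restrict,port-forwarding,command="svnserve -t --tunnel-user=dave -r /srv/svn" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedD dave
EOF
audit_keys "$sample" || true
```

Only the first sample entry passes: it forces `svnserve -t` and disables forwarding, so that key cannot open a shell, a tunnel or the SOCKS proxy.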
