patch for restricting SSH tunnel access

From: Szabo Peter <szabo.peter_at_szszi.hu>
Date: 2006-06-26 16:04:56 CEST

Dear Subversion Developers,

I have prepared a patch to svnserve, which gives the repository administrator
control over users coming through the SSH tunnel (--tunnel-user), so he can
specify a list of allowed users; everybody else will be denied. (The unpatched
svnserve just grants access to everybody coming with --tunnel-user.) The
patch makes it possible to host several repositories with SSH public key
access on the same server, but restricting access to certain repositories.

The example conf/svnserve.conf configuration file:

  [general]
  use-tunnel-users = yes

  [tunnel-users]
  joe = yes
  jane = yes
  bill = no

Here is the patch:

--- serve.c.orig 2006-06-26 14:20:31.000000000 +0200
+++ serve.c.new 2006-06-26 15:52:31.000000000 +0200
@@ -144,20 +144,30 @@
 {
   *success = FALSE;
 
   if (get_access(b, AUTHENTICATED) >= required
       && b->tunnel_user && strcmp(mech, "EXTERNAL") == 0)
     {
       b->user = b->tunnel_user;
       if (*mecharg && strcmp(mecharg, b->user) != 0)
         return svn_ra_svn_write_tuple(conn, pool, "w(c)", "failure",
                                       "Requested username does not match");
+
+ { char const *value;
+ svn_config_get(b->cfg, &value, "general", "use-tunnel-users", "no");
+ if (0==strcasecmp("yes", value)) {
+ svn_config_get(b->cfg, &value, "tunnel-users", b->user, "");
+ if (value[0]=='\0' || 0==strncasecmp(value, "no", 2))
+ return svn_ra_svn_write_tuple(conn, pool, "w(c)", "failure",
"Tunne
                      l access denied");
+ }
+ }
+
       SVN_ERR(svn_ra_svn_write_tuple(conn, pool, "w()", "success"));
       *success = TRUE;
       return SVN_NO_ERROR;
     }
 
   if (get_access(b, UNAUTHENTICATED) >= required
       && strcmp(mech, "ANONYMOUS") == 0)
     {
       SVN_ERR(svn_ra_svn_write_tuple(conn, pool, "w()", "success"));
       *success = TRUE;
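
Review bot: The per-user check in the added block fails open: the test value[0]=='\0' || 0==strncasecmp(value, "no", 2) denies only a missing entry or a value that begins with "no", so an entry such as "bill = false" or "bill = off" still reaches the "success" reply. Invert the test so that access is granted only on an explicit affirmative value, for example by reading the option with svn_config_get_bool and denying on anything else, including a parse error. The same applies to the use-tunnel-users switch, which is compared only against "yes"; a setting of "true" or "on" silently leaves the restriction disabled. Separately, the "Tunnel access denied" string literal has been wrapped across two lines in the mail, so the patch will not apply as posted; resending it as an attachment, with the new lines indented to match the surrounding code, would fix that.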

Please tell me what to do to get the patch accepted -- or to restrict SSH
--tunnel-user s without a patch.

Best regards,

Péter Szabó
free software consultant
Free Software Institute, Hungary

Received on Tue Jun 27 14:31:31 2006

This is an archived mail posted to the Subversion Dev mailing list.