
Re: gssapi use for tortoisesvn

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: 1 Feb 2010 08:18:58 -0600

On 2010-02-01 08:20, Andy Levy wrote:
> On Mon, Feb 1, 2010 at 07:17, Nico Kadel-Garcia <nkadel_at_gmail.com> wrote:
> > Good morning:
> >
> > I've got a group that wants to use a Subversion repository in-house,
> > but doesn't want to deal with SSH keys. (And the storage of passwords
> > in cleartext blocks me from recommending https access, and I don't
> > want to deal with plain-text password management for svnserve.)
>
> What storage of passwords in cleartext blocks? For HTTP(S), you create
> the password with htdigest and it's stored encrypted on the server &
> Digest Authentication (not plain-text) is used. On the client, if
> you're using Windows, it's stored using the Windows Crypto API, on
> MacOS it's stored using Keychain, and on *NIX, you can configure it to
> use the secure password "wallets" provided by KDE and GNOME.
>
> For svnserve, yes, you need the password in plaintext on the server
> (it'll be encrypted on the client as above, but everything over the
> wire is unencrypted), but if HTTP(S) is still an option on the table,
> there are plenty of ways to keep things encrypted.

When using GSSAPI for svnserve the session is encrypted and you don't
need to store clear-text credentials anywhere, and you get an integrated
identity store (Active Directory or your KDC/LDAP server), and you don't
have to manage SSL certificates, and svnserve is substantially faster
than HTTPS. This makes svnserve+GSSAPI a really attractive solution for
people who have a Kerberos or Active Directory infrastructure in place.
Subversion supports this out of the box on Ubuntu, Gentoo, FreeBSD and
non-broken versions of OSX (as I recall the latest OSX has a broken
SASL), so it'd be nice if TortoiseSVN would support it too.

To get TortoiseSVN to do GSSAPI, you need to build a saslGSSAPI.dll
module for Cyrus SASL and copy that module into the directory that
contains the other SASL modules. For TortoiseSVN, this is usually the
%ProgramFiles%\TortoiseSVN\bin directory.

The hard part is building a saslGSSAPI.dll module. I've only done it
against MIT Kerberos for Windows. Download and install MIT KfW and be
sure to include the developer headers and libraries. Follow the Cyrus
SASL build documentation for Windows and tweak their Makefiles to use
the MIT KfW headers and libs. You should copy the resulting
saslGSSAPI.dll into the TortoiseSVN bin directory and you should be good
to go. This does mean all clients will need MIT KfW installed in
addition to the saslGSSAPI.dll.

Someone with a lot of Windows expertise may be able to figure out how to
get SASL to link against Microsoft's LSA to do GSSAPI, but I'm a Unix
guy.

-- 
Alec.Kloss_at_oracle.com            Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
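The deployment step described in the message above (build saslGSSAPI.dll against MIT KfW, then copy it into the TortoiseSVN bin directory next to the other SASL modules) is the point where a practitioner wants a check rather than a blind copy. The script below is an added example, not code from the post or from the TortoiseSVN or Cyrus SASL projects. It assumes the DLL has already been built, that its SHA-256 was recorded on the build machine and is passed in as -ExpectedSha256, and that MIT Kerberos for Windows can be detected by the presence of its kinit.exe on PATH (a heuristic, not an official check). The parameter names are this example's own.

```powershell
# Added example (not from the original post): install a self-built saslGSSAPI.dll
# into the TortoiseSVN SASL plugin directory and verify the result.
# Assumptions (labelled): -DllPath points at the DLL built as the post describes;
# -ExpectedSha256 is the hash recorded on the build host; MIT KfW is detected by
# looking for kinit.exe on PATH, which Windows itself does not ship.
# Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory)] [string] $DllPath,          # freshly built saslGSSAPI.dll
    [Parameter(Mandatory)] [string] $ExpectedSha256,   # hash recorded when it was built
    [string] $TsvnBin = (Join-Path $env:ProgramFiles 'TortoiseSVN\bin')
)

$ErrorActionPreference = 'Stop'

# 1. The module is useless without a Kerberos library: the post notes every client
#    needs MIT KfW. Finding kinit.exe on PATH is the (assumed) indicator used here.
if (-not (Get-Command kinit.exe -ErrorAction SilentlyContinue)) {
    throw 'MIT Kerberos for Windows not found (no kinit.exe on PATH); install it first.'
}

# 2. Confirm the target really is the SASL plugin directory by looking for the
#    other Cyrus SASL mechanism modules (sasl*.dll) that TortoiseSVN keeps there.
if (-not (Test-Path $TsvnBin)) { throw "TortoiseSVN bin directory not found: $TsvnBin" }
$otherModules = @(Get-ChildItem -Path $TsvnBin -Filter 'sasl*.dll')
if ($otherModules.Count -eq 0) {
    throw "$TsvnBin contains no SASL modules; check the TortoiseSVN installation."
}

# 3. Integrity check: a hand-built DLL dropped into a program directory should match
#    the hash recorded at build time, so a swapped or corrupted file is rejected.
$actual = (Get-FileHash -Path $DllPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "Hash mismatch for ${DllPath}: expected $ExpectedSha256, got $actual"
}

# 4. Install alongside the other modules and re-verify the copy.
$target = Join-Path $TsvnBin 'saslGSSAPI.dll'
Copy-Item -Path $DllPath -Destination $target -Force
$installed = (Get-FileHash -Path $target -Algorithm SHA256).Hash
if ($installed -ne $actual) { throw "Copy to $target did not verify." }

Write-Host "saslGSSAPI.dll installed in $TsvnBin (SHA-256 $installed)."
Write-Host 'Existing SASL modules:' ($otherModules.Name -join ', ')
```

Usage: `.\Install-SaslGssapi.ps1 -DllPath C:\build\saslGSSAPI.dll -ExpectedSha256 <hash from the build host>` (the script name is this example's own). Recording the hash on the build machine and checking it at install time is what turns "copy a DLL into %ProgramFiles%" into a verifiable step when the module is rolled out to many clients.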

Received on 2010-02-01 15:19:10 CET

This is an archived mail posted to the TortoiseSVN Users mailing list.
