Re: svnserve authentication without passwd file

From: Florian Pose <florian_at_keenkiwi.de>
Date: 2006-03-09 20:39:54 CET

Phillip Susi wrote:
> Subversion has no understanding of user logins of any particular OS. If
> you are using SSH then the user either has to supply a password or a
> private key. That private key may be obtained from ssh-agent if the
> user is using that and set up their environment to tell ssh to talk to
> ssh-agent, but subversion has no concept of login beyond the fact that
> ssh can connect to the server.

I noticed that Subversion treats SSH-tunneled connections as
"authenticated" and sets the user name in the logs correctly. If I
connect to the repository via local- or svnserve-access, the connection
is treated as "unauthenticated" by default.

I inferred that the tunneled access gets special treatment. I just
wondered how this is done and if it can be done similarly in non-SSH
connections.

> What makes you think that SSH adds too much overhead? It only adds a
> little cpu load to the client and server; you really shouldn't notice it.

When there is no need for the strong encryption SSH provides, why then
burden the server with the extra load?

> You can use https instead and authenticate with a client certificate,
> but AFAIK, there isn't anything like ssh-agent for SSL certificates, so
> either the user will have to enter their password each time to decrypt
> their certificate, or store the certificate on disk unencrypted, which
> isn't good for security since anyone who manages to read that file can
> impersonate the user.

Since the repository is used only in the intranet (or from outside
through VPN), the Apache solution is not really interesting for me.

Thanks,
Florian

Received on Thu Mar 9 20:41:52 2006

This is an archived mail posted to the Subversion Users mailing list.