
Re: svn automatically temporary accept for SSL key?

From: timotheus <timotheus_at_tstotts.net>
Date: 2007-07-17 22:01:14 CEST

"Jason Winnebeck" <jpwasp@rit.edu> writes:

> -----Original Message-----
> From: Konrad Rosenbaum [mailto:konrad@silmor.de]
>
> On Tuesday 17 July 2007, timotheus wrote:
>> How do I make the svn command automatically select temporary key
>> acceptance for https:// method. This appears necessary for cron jobs.
>
> Why temporary?
>
> Do it once manually and accept the SSL-key permanently, then the
> cron-job will not have any problems. There is no valid security reason
> to accept a key temporarily hundreds of times without even seeing it
> over just accepting it permanently.
>
>
> Konrad
>
> ------------
>
> Also, if you automatically accept any SSL key, you have eliminated
> entirely any security offered by SSL. Just FYI. At least with
> self-signed keys that are blindly accepted the first time you get the
> same level of security as you might from SSH: you know the server is the
> same server as the server from the first connect. With auto-accept, an
> attacker can inject any SSL key they desire and then the only thing you
> get is encryption to the attacker's machine.
>
> Jason

The purpose would be to access repository at:
    https://localhost/somerepo/
but the server is a self-signed SSL certificate, hence the prompt.
No, I would not recommend automatic for remote repository either.

And what about a cron job that runs as an unprivileged user without any
$HOME or shell? Also, even if the user does have a valid $HOME, I find
that `svn' does occasionally forget its cache for these cron job
unprivileged users with valid HOME...

-timotheus

Received on Tue Jul 17 22:01:16 2007
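
An added example, not part of the original mail and not the Subversion project's own code: one way to give a cron user without a usable $HOME a fixed trust configuration is a dedicated config directory passed with `--config-dir`, whose `servers` file lists the self-signed certificate under `ssl-authority-files`. The function name, the paths, and the assumption that the certificate's name matches `localhost` are illustrative.

```shell
#!/bin/sh
# Added example: build a dedicated Subversion config directory that pins
# one self-signed certificate for https://localhost/. Nothing is accepted
# blindly; a different certificate still fails the check.
# make_svn_cron_config and all paths are hypothetical names.

make_svn_cron_config() {
    conf_dir=$1   # e.g. /etc/svn-cron, readable by the cron user
    cert_pem=$2   # absolute path to a PEM copy of the server certificate

    [ -n "$conf_dir" ] && [ -r "$cert_pem" ] || return 1
    # Only absolute paths: cron jobs do not run from a predictable directory.
    case $cert_pem in /*) ;; *) return 1 ;; esac
    # Refuse files that are not PEM certificates.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert_pem" || return 1

    (
        umask 077                      # config readable by its owner only
        mkdir -p "$conf_dir" || exit 1
        cat > "$conf_dir/servers" <<EOF
[groups]
local = localhost

[local]
ssl-authority-files = $cert_pem
EOF
    )
}

# Run once as the cron user (or chown the directory to it afterwards):
#   make_svn_cron_config /etc/svn-cron /etc/svn-cron/localhost.pem
# Cron entry, with no $HOME and no prompt involved:
#   svn update --non-interactive --config-dir /etc/svn-cron /path/to/wc
```

Because the trust decision lives in a file the administrator wrote, it does not depend on svn's per-user certificate cache.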

This is an archived mail posted to the Subversion Users mailing list.
