On Fri, Jul 30, 2010 at 1:19 PM, Stefan Sperling <stsp_at_elego.de> wrote:
> On Fri, Jul 30, 2010 at 12:17:50PM -0400, Nico Kadel-Garcia wrote:
>> On Fri, Jul 30, 2010 at 8:49 AM, Stefan Sperling <stsp_at_elego.de> wrote:
>> > On Fri, Jul 30, 2010 at 07:56:50AM -0400, Nico Kadel-Garcia wrote:
>> >> Don't use LDAP. One problem is that it will allow multiple users
>> >> filesystem access to the Subversion repository, and *SOMEONE* is
>> >> likely to screw it up for everyone else by trying to manually edit
>> >> something in the repository in a large environment with multiple
>> >> developers.
>> >
>> > I don't see any way how using LDAP with Subversion would allow local
>> > filesystem access to users. Can you explain?
>>
>> It has to allow local filesystem access on the Subversion server
>> itself: the Subversion repository needs to be accessible to the LDAP
>> clients on that host.
>>
>> My use of the phrase "local filesystem access" was unclear in this matter.
>
> I still don't understand what kind of setup you are describing.
> Is this with SSH or svnserve + SASL?
I was describing LDAP authentication for ssh+svn. This can actually be
done with GSSAPI enabled SSH servers, such as with OpenSSH 5.x. The
difficulty with it is that, without quite a lot of extra work, it
relies on normal shell access to the SVN server to open the svnserve
session. The use of authorized_keys for SSH works well to restrict
this, but it's not LDAP authentication.
> $ svn checkout https://www.example.com/repository/trunk repository_trunk
> Authentication realm: <https://www.example.com> Example
> Password for 'user':
> -----------------------------------------------------------------------
> ATTENTION! Your password for authentication realm:
>
> <https://www.example.com> Example
>
> can only be stored to disk unencrypted! You are advised to configure
> your system so that Subversion can store passwords encrypted, if
> possible. See the documentation for details.
>
> You can avoid future appearances of this warning by setting the value
> of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
> '/home/user/.subversion/servers'.
> -----------------------------------------------------------------------
> Store password unencrypted (yes/no)?
>
> If you have suggestions for improving this warning, they are welcome.
> But I think it is pretty straightforward already?
It's straightforward: I was referring to its character as a warning,
which it certainly is.
> Sounds like you have not understood how to set up svn+ssh:// securely.
> If you set svn+ssh:// access up securely by restricting the command
> users can execute to the svnserve binary (as advised in the
> documentation), there is no such issue.
I understand it. (As a hint, I wrote the early SSH ports for ssh-1,
ssh-2, and OpenSSH to SunOS: I'm very familiar with SSH.)
I use authorized_keys, and have written previous guidelines and
suggestions how to do so in at least 4 corporate environments. For
LDAP based SSH access, well, you don't get authorized_keys based
command line restrictions, now do you?
> If you know of a way to change hook scripts by talking svn protocol
> to the svnserve binary, please let us know how you do it.
> Because, yes, that would be a security issue.
>
> Stefan
No, no. It's the integration of LDAP authentication that interferes
with restricting the ssh+svn access to strictly ssh+svn, and allows
access to the filesystem of the Subversion server via ssh, scp, and
possibly sftp.
Received on 2010-07-30 23:52:19 CEST
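The authorized_keys command restriction both participants refer to, as an added example that is not part of the thread: it generates an entry that pins a key to svnserve in tunnel mode with no shell, pty or forwarding, and audits an existing file for entries that lack that restriction. The repository root /srv/svn, the user names and the key strings are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Restrict an SSH key to svnserve
# so svn+ssh:// works but scp, sftp and interactive shells do not.

SVN_ROOT=/srv/svn   # assumed parent directory of the repositories

# restricted_entry USER PUBKEY -> prints one authorized_keys line that
# forces svnserve in tunnel mode (-t) as USER, rooted at SVN_ROOT, and
# disables the channel types a shell or file transfer would need.
restricted_entry() {
    user=$1; pubkey=$2
    printf 'command="svnserve -t --tunnel-user=%s -r %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$user" "$SVN_ROOT" "$pubkey"
}

# check_entry LINE -> 0 if the line forces svnserve and carries all four
# no-* options, 1 otherwise (an unrestricted key gives full shell access).
check_entry() {
    line=$1
    case $line in
        *'command="svnserve -t'*) ;;
        *) return 1 ;;
    esac
    for opt in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
        case $line in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_file FILE -> prints every unrestricted key line; returns 1 if any.
audit_file() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        check_entry "$line" || { printf 'unrestricted: %s\n' "$line"; rc=1; }
    done < "$1"
    return $rc
}
```

Run audit_file against each committer's ~/.ssh/authorized_keys on the repository host to find keys that still grant a shell.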