[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Authentication

From: Mark Welch <mark_at_collab.net>
Date: 2001-09-04 20:27:20 CEST

As for associating client-side certs with usernames, most of the time
the cert DNs don't match usernames, so there may need to be an
intermediate module of some kind to tie the two together.

The server side doesn't appear to be a big issue, as you point out. What
I wonder about, being somewhat new to this list, is what current
thinking is like on the client side. I interpreted Ben's comments about
handing off authentication tokens to refer to the client -- was I mistaken?

--mark

Sander Striker wrote:

>>On Tue, 4 Sep 2001, Sander Striker wrote, quoting Daniel Rall:
>>
>>>>Sometimes multiple layers of authentication are desired (i.e. both
>>>>user/password and certs).
>>>>
>>>AFAIK this is possible to do in apache (the example you provide).
>>>
>>>I don't see this as desired though. A cert should be enough,
>>>it identifies and authenticates the user. Can you give me an
>>>example of where it isn't (with subversion in mind)?
>>>
>>Two-factor auth: something you have (certs) and something you know
>>(password/phrase). It helps keep things secure in the face of lost
>>laptops, accidentally revealed passwords, and other edge cases.
>>
>> Brian
>>
>
>Yes, ofcourse. Doh! :)
>But, isn't this already possible with apache?
>
><Location /some/where>
> # something you have
> SSLRequireSSL
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> # something you know
> AuthType Digest
> AuthName "Restricted Directory"
> AuthUserFile /svn/users
> AuthGroupFile /svn/groups
> Require group svn
></Location>
>
>Ofcourse, this doesn't take into account that the username
>in the cert is equal to the username supplied. So, maybe an
>extra mod_auth_xxx is in order (or I am missing something).
>
>Sander
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: dev-help@subversion.tigris.org
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Oct 21 14:36:39 2006

This is an archived mail posted to the Subversion Dev mailing list.