[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Writing svn-agent (Was Re: [PATCH] default to --no-auth-cache)

From: Colin Watson <cjwatson_at_flatline.org.uk>
Date: 2003-01-16 17:22:15 CET

On Thu, Jan 16, 2003 at 08:18:55AM -0800, rbb@rkbloom.net wrote:
> On 16 Jan 2003 cmpilato@collab.net wrote:
> > IANA-SecurityGuy, but. Can't ra_svn be SSH-tunneled? If so, then it
> > would seem that that is a good mapping to CVS using :ext:SSH. And by
> > using mod_dav + SSL and disabling auth caching altogether, isn't that
> > an exact match of CVS's most secure model?
>
> Yes, ra_svn over SSH is exactly what CVS does. ra_dav + SSL without
> auth-caching is also perfectly secure. The only remaining problem (once
> passwords are moved out of the wc, is that the default is insecure, and
> the docs glance over the issue. The reason that svn-agent came up at all
> is because people want both security and auth-caching, which requires
> something like svn-agent.

If ra_svn is tunnelled over ssh, why can it not consider ssh to have
already performed authentication (if indeed it doesn't use this logic
already)? If so, ssh-agent is sufficient and indeed preferable; you'll
usually need it anyway to stop ssh prompting for authentication.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Jan 16 17:23:28 2003

This is an archived mail posted to the Subversion Dev mailing list.