
Re: Writing svn-agent (Was Re: [PATCH] default to --no-auth-cache)

From: <rbb_at_rkbloom.net>
Date: 2003-01-16 17:42:18 CET

On Thu, 16 Jan 2003, Colin Watson wrote:

> On Thu, Jan 16, 2003 at 08:18:55AM -0800, rbb@rkbloom.net wrote:
> > On 16 Jan 2003 cmpilato@collab.net wrote:
> > > IANA-SecurityGuy, but. Can't ra_svn be SSH-tunneled? If so, then it
> > > would seem that that is a good mapping to CVS using :ext:SSH. And by
> > > using mod_dav + SSL and disabling auth caching altogether, isn't that
> > > an exact match of CVS's most secure model?
> >
> > Yes, ra_svn over SSH is exactly what CVS does. ra_dav + SSL without
> > auth-caching is also perfectly secure. The only remaining problem (once
> > passwords are moved out of the wc) is that the default is insecure, and
> > the docs glance over the issue. The reason that svn-agent came up at all
> > is because people want both security and auth-caching, which requires
> > something like svn-agent.
>
> If ra_svn is tunnelled over ssh, why can it not consider ssh to have
> already performed authentication (if indeed it doesn't use this logic
> already)? If so, ssh-agent is sufficient and indeed preferable; you'll
> usually need it anyway to stop ssh prompting for authentication.

If you use ra_svn over ssh, ssh does do the authentication. And,
ssh-agent is required to get passphrase caching.

Ryan

Received on Thu Jan 16 17:29:31 2003

This is an archived mail posted to the Subversion Dev mailing list.