On Thu, 2004-06-03 at 23:20, Ng, Wey Han wrote:
> So the subversion server is a stand alone server
> and will not have the users account in the box. I do not feel the need to
> give shell access to all the developers using subversion.

Well, here are some svn+ssh options you might not have considered:

Option #1: Set up a system account for each user. Use the
authorized_keys "command" directive to force the command to svnserve
-t. Use a group to control access to the repository; make sure the
repository db directory is chmodded to g+s and use an svnserve wrapper
or equivalent to ensure that a correct umask is used. See
http://svnbook.red-bean.com/svnbook/ch06s05.html for details.

Option #2: Set up just one svn system account, but have a different key
for each user. Use the authorized_keys "command" directive to force the
command to "svnserve -t --tunnel-user=whatever" for each user. Caveat:
the "tunnel-user" option isn't available in 1.0, so you'd have to use
trunk svn or port the feature back. The same would be true of any
change to avoid storing passwords in cleartext, of course.

(You do have to use pubkey auth for either of these options; as far as I
know, password auth won't cut it. Just make sure the relevant system
accounts don't have a password set, i.e. put "*" in the password field.)

> User management need not be complicated. I have in fact written a cgi script
> for the user to change their password over the web and it is simple.

Uh, sure, but presumably that requires setting up a web server, which
sort of defeats the point of svnserve.
Received on Fri Jun 4 05:41:36 2004
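
The per-key entries that Option #2 describes, as an added example that is not part of the original message: POSIX shell functions that build one authorized_keys line per developer for the shared account and count entries that lack the forced command. The function names and the sample key are constructed for illustration, and the no-port-forwarding, no-agent-forwarding, no-X11-forwarding and no-pty restrictions are standard OpenSSH authorized_keys options that the message itself does not mention.

```shell
#!/bin/sh
# Added example (not from the original message): authorized_keys handling
# for Option #2, one shared "svn" account with one key per developer.

# Print one authorized_keys entry that pins a key to svnserve tunnel mode
# under a fixed --tunnel-user. Returns non-zero on unacceptable input.
svn_authkeys_line() {
    user=$1
    # The name lands inside a double-quoted command string, so accept only
    # a conservative character set: no quotes, spaces or leading dash.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) echo "bad user name" >&2; return 1 ;;
    esac
    # Only the first line is read; type and data are validated and the
    # submitted comment is dropped, so nothing unchecked reaches the output.
    read -r ktype kdata _rest <<EOF
$2
EOF
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "bad key type" >&2; return 1 ;;
    esac
    case $kdata in
        ''|*[!A-Za-z0-9+/=]*) echo "bad key data" >&2; return 1 ;;
    esac
    printf 'command="svnserve -t --tunnel-user=%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s %s\n' \
        "$user" "$ktype" "$kdata" "$user"
}

# Count entries in an authorized_keys file that lack the forced command.
# Any such key would get an ordinary shell on the shared account.
svn_authkeys_unforced() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
        grep -c -v -E '^command="svnserve -t --tunnel-user=[A-Za-z0-9._-]+",' || true
}

# Constructed sample key, not a real one.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal alice@laptop'
svn_authkeys_line alice "$SAMPLE_KEY"
```

A key submitted with its own leading options (for example its own command= prefix) fails the key-type check, so a developer cannot override the forced command through the key they hand in.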