Dear Subversion Developers,
I have prepared a patch to svnserve, which gives the repository administrator
control over users coming through the SSH tunnel (--tunnel-user), so he can
specify a list of allowed users; everybody else will be denied. (The unpatched
svnserve just grants access to everybody coming with --tunnel-user.) The
patch makes it possible to host several repositories with SSH public key
access on the same server, but restricting access to certain repositories.
The example conf/svnserve.conf configuration file:
[general]
use-tunnel-users = yes
[tunnel-users]
joe = yes
jane = yes
bill = no
Here is the patch:
--- serve.c.orig 2006-06-26 14:20:31.000000000 +0200
+++ serve.c.new 2006-06-26 15:52:31.000000000 +0200
@@ -144,20 +144,30 @@
{
*success = FALSE;
if (get_access(b, AUTHENTICATED) >= required
&& b->tunnel_user && strcmp(mech, "EXTERNAL") == 0)
{
b->user = b->tunnel_user;
if (*mecharg && strcmp(mecharg, b->user) != 0)
return svn_ra_svn_write_tuple(conn, pool, "w(c)", "failure",
"Requested username does not match");
+
+ { char const *value;
+ svn_config_get(b->cfg, &value, "general", "use-tunnel-users", "no");
+ if (0==strcasecmp("yes", value)) {
+ svn_config_get(b->cfg, &value, "tunnel-users", b->user, "");
+ if (value[0]=='\0' || 0==strncasecmp(value, "no", 2))
+ return svn_ra_svn_write_tuple(conn, pool, "w(c)", "failure",
"Tunne
l access denied");
+ }
+ }
+
SVN_ERR(svn_ra_svn_write_tuple(conn, pool, "w()", "success"));
*success = TRUE;
return SVN_NO_ERROR;
}
if (get_access(b, UNAUTHENTICATED) >= required
&& strcmp(mech, "ANONYMOUS") == 0)
{
SVN_ERR(svn_ra_svn_write_tuple(conn, pool, "w()", "success"));
*success = TRUE;
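Review bot: The deny test in the added block, value[0]=='\0' || 0==strncasecmp(value, "no", 2), fails open for every value it does not recognise: an entry such as bill = false, bill = off or bill = 0 is neither empty nor prefixed with "no", so that user is granted access, while any value that merely starts with "no" is denied. The same applies to the use-tunnel-users lookup, where anything other than exactly "yes" (for example "true" or "on") silently leaves the allow-list disabled and every tunnel user is accepted as before. Reading both options with svn_config_get_bool and a default of FALSE would accept the usual boolean spellings, reject malformed values with an error, and admit a user only on an explicit true value. Two smaller points: the bare { char const *value; block and the 0==... comparisons do not match the surrounding code style, so declare the variable at the top of the function; and the new [tunnel-users] section and use-tunnel-users option are not documented anywhere in this patch, which touches only serve.c.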
Please tell me what to do to get the patch accepted -- or to restrict SSH
--tunnel-user s without a patch.
Best regards,
Péter Szabó
free software consultant
Free Software Institute, Hungary
Received on Tue Jun 27 14:31:31 2006