Re: a few nits setting up svn...

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2004-02-13 03:07:59 CET

Perry E. Metzger wrote:

> Er, unfortunately, for good or ill, many people need to use
> ssh. Sometimes this is simple good security sense -- you want to avoid
> opening additional attack vectors for a machine.
>
> Given that, what might I be able to do to tighten down the on-machine
> security without adding another bunch of code to audit talking
> off-machine?

SSH isn't the only "safe" way to access a computer.

One solution is to use apache as your svn server, with SSL. Clients
access via https://. You can even use client certificates if you're
extra paranoid. Either way, traffic is encrypted. And the accounts
aren't Unix accounts: they're in an apache user db. Apache+SSL has a
pretty darn good track record for security.

Another solution is to stick with svn:// and 'svnserve -d', but bind the
svnserve daemon only to localhost. If your users already have SSH
access, have them open an SSH tunnel to the server, and tunnel your
svn:// session over that. You get all the security of SSH, and avoid
the permissions headache of svn+ssh://.

I'm just brainstorming here.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Feb 13 03:09:01 2004

This message: [ Message body ]
Next message: Alexander Johannesen: "A few questions"
Previous message: Simon Kitching: "Re: a few nits setting up svn..."
In reply to: Perry E. Metzger: "Re: a few nits setting up svn..."
Next in thread: Perry E. Metzger: "Re: a few nits setting up svn..."
Reply: Perry E. Metzger: "Re: a few nits setting up svn..."

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]