
Re: mod_authz_svn + ssl + certificates doesn't work?

From: Hunkel, Manfred <M.Hunkel_at_t-systems.com>
Date: 2004-03-30 14:11:41 CEST

ad (1): Correct. Using basic authentication, you must have a htpasswd-file.

ad (2): Anybody else reading this? Correct me if I'm mistaken here, but
the mechanism of authz_svn always requires a username (possibly a member of
a group as defined in its access file), no matter how this name is being obtained.
In other words: No username, no authorisation check via authz_svn. As far as I know,
it's impossible to correlate certificate credentials with repos paths in the
access control file.

So, yes, you're right. There's no enforced (or rather: definable!) correlation between
the certificate and the name basic auth yields.

What you're looking for is a piece of magic that, given a certificate, pulls an associated
username out of its hat in order to enable authorisation. Correct?

The module cannot refuse access because it didn't _receive_ a username. It cannot _derive_
one! When it doesn't receive one (as e.g. from basic auth), it sees no need to check authorisation.

-----Original Message-----
From: Hermann Voßeler [mailto:hermann.vosseler@baaderbank.de]
Sent: Tuesday, 30 March 2004 13:36
To: users@subversion.tigris.org
Subject: Re: mod_authz_svn + ssl + certificates doesn't work?

Hunkel, Manfred wrote:
> Exactly my point:
> authz_svn must be passed a user name, no matter how authentication is achieved.
> What's the content of your access file, then? There _are_ names in there, right?
Exactly. *When* I use an access file, then there are names and PWs in
there. And in this case, there is no enforced correlation to the CN or
DN of the Certificate. And access control is based /solely/ on the name
retrieved by basic auth via access file (is that right?)

But -- I pointed this out before -- we want to avoid using an access file.
We plan to integrate with a PKI. The users will have USB dongles with
their Certificates, that's all.

And this is the problem:
1) If I use "require valid user", then it seems I am forced to have
    an htpasswd file and additional names/PWs in it and access control
    is based on these names *solely*
2) If I remove "require valid user" and retain only
    "SSLVerifyClient require", then authz_svn doesn't impose any
    access restrictions. It seems simply to ignore everything and
    grant full RW access to everyone (who, of course, has a valid
    My impression is, that at least this module should *refuse*
    access for everyone because it can not derive any valid userid
    to base access on. Or am I wrong?


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Received on Tue Mar 30 14:15:30 2004
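An added example, not from this thread and not taken from the Subversion or Apache documentation, of the two configurations the discussion circles: the weak form, in which the client certificate is verified but no user name ever reaches mod_authz_svn, beside a corrected form that uses mod_ssl's FakeBasicAuth option to present the client certificate's subject DN as the Basic-auth user name, so that Require valid-user and the access file can be written against DNs instead of separately maintained passwords. The paths, repository layout, CA file, log format and the example DN are hypothetical.

```apache
# Added example (not from the thread). Paths, DNs and repository names are hypothetical.

# --- Weak: the certificate is verified, but no user name reaches mod_authz_svn ---
<Location /svn>
    DAV svn
    SVNParentPath /var/svn
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/ssl/ca/pki-ca.pem
    AuthzSVNAccessFile /etc/svn/authz
    # No AuthType / Require here: httpd never sets REMOTE_USER, so authz_svn has
    # nothing to match against the names in the access file.
</Location>

# --- Corrected: let mod_ssl turn the certificate subject DN into the user name ---
<Location /svn>
    DAV svn
    SVNParentPath /var/svn
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/ssl/ca/pki-ca.pem
    # FakeBasicAuth: mod_ssl presents the client certificate's subject DN as a
    # Basic-auth user name. The user is never asked for a password.
    # StrictRequire: deny whenever the SSL requirements fail, even under "Satisfy any".
    SSLOptions +FakeBasicAuth +StrictRequire
    AuthType Basic
    AuthName "Subversion (client certificate)"
    # The user file still has to exist, but it lists DNs only. Every entry must
    # carry the fixed DES hash of the word "password" that FakeBasicAuth supplies.
    AuthUserFile /etc/svn/dn-users
    Require valid-user
    AuthzSVNAccessFile /etc/svn/authz
</Location>

# Log the user name httpd actually derived, so the DN strings in the two files
# below can be checked against what the server sees (hypothetical format name).
LogFormat "%h %u %t \"%r\" %>s" svn-dn
CustomLog /var/log/apache2/svn-access.log svn-dn

# /etc/svn/dn-users (hypothetical): one line per certificate subject, all with
# the same hash. "xxj31ZMTZzkVA" is crypt("password") as required by FakeBasicAuth.
#   /C=DE/O=Example GmbH/CN=Alice Example:xxj31ZMTZzkVA
#   /C=DE/O=Example GmbH/CN=Bob Example:xxj31ZMTZzkVA

# /etc/svn/authz (hypothetical): the same DN strings are now the user names that
# mod_authz_svn matches. "* =" leaves everyone not listed without access.
#   [groups]
#   devs = /C=DE/O=Example GmbH/CN=Alice Example
#   [project:/]
#   * =
#   @devs = rw
#   /C=DE/O=Example GmbH/CN=Bob Example = r
```

The DN string to put in both files is the subject as mod_ssl renders it, not as the CA's tooling prints it: obtain it with `openssl x509 -noout -subject -in client.pem` and then compare with the `%u` field in the access log after a test checkout, because the rendering differs between httpd releases (2.0/2.2 use the slash-separated form shown above; 2.4 switched to an RFC 2253 style comma-separated form unless `SSLOptions +LegacyDNStringFormat` is set). Treat the dn-users file as an allow-list of certificates, keep it readable by httpd only, and never reuse it for ordinary password logins, since every entry shares one known password hash.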

This is an archived mail posted to the Subversion Users mailing list.