[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Error checking out large repository -- illegal padding

From: Ed MacDonald <edmacdonald_at_hotmail.com>
Date: 2004-07-30 02:07:33 CEST

If encryption is the only thing holding you back from using svnserve and the
svn:// protocol, and you are worried about security setting up a bunch of
system accounts, you could try this.

1. Create 1 system account. Lock it down so that it has can open an ssh
shell, but nothing else.
2. Give the account info to your users and have them set up an ssh tunnel
for the svnserv port:
   ssh -L 3690:host.example.com:3690
3. Set up svnserve users db as normal.
4. Pretend svnserve is local and proceed as normal:
   svn co svn://localhost/myrepo

SSH will encrypt the traffic to the server for you, and you'll be using
svnserve for auth/auth.

----- Original Message -----
From: "Andy Helten" <andy.helten@dot21rts.com>
To: "Ben Collins-Sussman" <sussman@collab.net>
Cc: <users@subversion.tigris.org>
Sent: Thursday, July 29, 2004 5:55 PM
Subject: Re: Error checking out large repository -- illegal padding

>
>
> Ben Collins-Sussman wrote:
>
> > Andy Helten wrote:
> >
> >>> Read chapter 6 closely... these are separate methods of using
svnserve.
> >>>
> >> I did read it, about 4 times. I guess my assumption was that the
> >> svn:// access method did not encrypt the repository _data_ (did not
> >> find this explicitly described in the book). Am I wrong here? I
> >> understand authentication is secured by CRAM-MD5, but that doesn't
> >> imply the subsequent repository transfer is secure. Is it? If not,
> >> these access methods are hardly equivalent in terms of security.
> >>
> >
> > You are correct. A client speaking svn:// to an svnserve daemon is
> > not speaking over an encrypted link. (The password never travels over
> > the network in any form... but the main repository data isn't
encrypted.)
> >
> > I never claimed the two methods were equivalent in terms of security.
> > :-) I was just pointing out that one method requires an ssh system
> > account, one does not. Encryption is a separate topic.
> >
>
> So what am I left with? Here is my situation:
> 1) An SVN/Apache/SSL bug is preventing me from checking out my
> repository using HTTPS.
> 2) I am not comfortable with the insecure transfer of the
> repository using svn://
> 3) I don't really want to create system accounts for the folks
> accessing this repository (i.e. no svn+ssh:// if it requires system
> accounts for repository users)
>
> HELP!!!!
>
> Andy
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Jul 30 02:09:09 2004

This is an archived mail posted to the Subversion Users mailing list.