[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: user authentication

From: Max Bowsher <maxb_at_ukf.net>
Date: 2004-11-15 18:26:37 CET

Ray Johnson wrote:
> Sure - I'd be happy to explain in more detail. We are currently using the
> NTAuth stuff in Apache so that users can use the same authentication they
> use
> to log into their computer. We have the following issues with the current
> implementation:
>
> 1) Since SVN 1.1.1 - the "svn log" command has become completely unusable
> for
> us. This is due to the "security fix" where each path in the history of a
> file is checked for security. Since we did a massive import of our
> repository it means the command apparently has to check the security for
> several thousand paths. This causes "svn log" to take longer than 5
> minutes
> for a file of minimal history. As I understand it this is more related to
> path authz - but is related to the whole Apache security package. (Not
> sure
> how much of the cost is authentication on all those paths or just the cost
> of
> looking at so many paths.)

You can trade security for speed if you want, with "SVNPathAuthz Off", IIUC

> 2) The NT Auth stuff requires a user name of "domain\username". Ideally,
> we
> would prefer folks to just put in "username" as the domain is the same for
> everyone. Aside from the "ease of use" issue, it is also a problem for us
> because it makes "svn ls --verbose" useless to us. One would use "svn ls
> --verbose" to see who modified a file in a directory - but svn will
> truncate
> the username to 8 characters - all we ever see is the domain name. If we
> could do our own auth and use username only we could work around "svn ls
> --verbose"'s design flaws.

Isn't there an apache module config directive for this too?
And patches welcome for fixing "svn ls -v".

> 2a) If I was implementing my own authentication I would also make the
> username case insensitive. It is very common for me to have to explain to
> new Subversion users that while everywhere else their username is case
> insensitive - in Subversion it is not.

Well, that depends on what forms you environment of "everywhere else".

Personally, I think case-sensitive is the right way to handle usernames -
but in any case, Subversion inherited case-sensitivity from
linux/apache/ssh.

> 3) The Apache NT Auth stuff does not support NT Groups. While you can set
> up
> your own "groups" in Apache - we would much rather use the Active
> Directory
> groups we are already maintaining to use for path authorization. The
> entire
> point of using the NT Auth stuff is to reduce maintenance points and the
> current implementation doesn't quite go far enough.

If the problem is with apache, possibly the apache lists would be a better
place to discuss?

> A properly designed "hook" for authorization could allow us to fix these
> issues. It would also allow us to use our security model when using the
> "svn:" protocol - which would be nice.

Flexible auth is one of the reasons svn was built on top of apache.
Sure, an auth hook is conceptually possible, but it would require someone
with the motivation to design and code it.

> P.S. - While on the topic of security - I'll also mention that caching the
> users password in clear text is a serious issue on a Windows machine.

How else would you store it?

The clear text is needed to authenticate over the network, so it needs to be
stored or typed each time.

SSH has an existing authentication agent implementation which provides a
middle ground between the two.

Max.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon Nov 15 18:27:35 2004

This is an archived mail posted to the Subversion Users mailing list.