If the bot thinks I am an external sender, then what URL do I send to so it doesn't think this? I have registered and gotten a confirmation "WELCOME to users@subversion.tigris.org" message. I am sending to users@subversion.tigris.org. Is this wrong?
Pete
-----Original Message-----
From: Van Echaute, Peter
Sent: Wednesday, December 22, 2004 1:43 PM
To: users@subversion.tigris.org
Subject: [Warning: External Sender. Domain Possibly Forged] svn + apache + ssl
Hello All,
I hope you're all having a good holiday season so far. I'm attempting to set up a SVN server. My machine is RHEL 3 using Apache 2.0.52, mod_ssl 2.0.52, OpenSSL 0.9.7a, DAV 2, and SVN 1.1.1. What I would like to accomplish is svn access through Apache and being authenticated using a single SSL x509 cert. I have a group of local accounts that are chroot jailed, so straight svn access isn't something I can do (ex: svn co svn://ip/svn/repo). So what I foresee is access through Apache which doesn't go through the local accounts (ex: svn co https://ip/svn/repo). I understand that during the checkout it stores user credentials. My problem is that I can 'co' just fine, but I can't edit and then commit. Here is the command I used to create the working copy...
svn co --username testaccount --password testaccount https://192.168.1.254/svn/design
I created an account called 'testaccount'. Here are the config portions that are relevant...
httpd.conf..
<Location /svn>
DAV svn
SVNParentPath /usr/local/subversion/repositories
# our access control policy
AuthzSVNAccessFile /usr/local/subversion/svn-auth-users-access
# try anonymous access first, resort to real
# authentication if necessary.
Require valid-user
SSLVerifyClient require
SSLVerifyDepth 2
# how to authenticate a user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /usr/local/subversion/httpd-svn-auth-users-pw
</Location>
NOTE: The AuthUserFile directive above and the password-db are two different files but httpdxxx is htpasswd encrypted and the svn-authxxx is plain text. Both containing the same info though.
svnserve.conf...
[general]
password-db = /usr/local/subversion/svn-auth-users-pw
realm = Design Engineering
# anonymous users aren't allowed
anon-access = none
# authenticated users can both read and write
auth-access = write
the svnserver is run as svn...
svn 32481 0.0 0.0 4936 940 ? S Dec21 0:00 /usr/local/bin/svnserve.orig -d -T -r /usr/local/subversion/repositories
I created the repo as such...
svnadmin create /usr/local/subversion/repositories/design
chown -R svn:svn *
chmod 775 design
chmod -R g=u design
/usr/local/bin/htpasswd -m /usr/local/subversion/httpd-svn-auth-users-pw testaccount
cat /usr/local/subversion/svn-auth-users-access
[groups]
everyone = testaccount
testaccount-host = 192.168.1.23
[design:/]
@everyone = rw
[testaccount-host]
ssl-client-cert-file = /usr/local/conf/ssl.users/sslusers.p12
ssl-client-cert-password = blah
I have created three sets of SSL certs (CA, Server, Client)...
ls /usr/local/conf/ssl.key
ca.csr ca.key server.csr server.key sslusers.csr sslusers.key
ls /usr/local/conf/ssl.crt
ca.crt server.crt sslusers.crt
ls /usr/local/conf/ssl.users
sslusers.p12
I'm not sure what else to add here, but here is my problem...
svn co --username testaccount --password testaccount https://192.168.1.254/svn/design
svn commit -m "testing." --username testaccount --password testaccount
Authentication realm: https:// 192.168.1.254:443
Client certificate filename: /home/testaccount/sslusers.p12
Passphrase for '/home/testaccount/sslusers.p12':
Sending nforce4/Config.lb
Transmitting file data .svn: Commit failed (details follow):
svn: PUT of '/svn/design/!svn/wrk/93cedd7b-d8eb-0310-b2c4-90868bc6e483/freebios2/targets/nvidia/nforce4/Config.lb': 403 Forbidden (https:// 192.168.1.254)
Any help is greatly appreciated. Happy Holidays.
Cheers,
Pete
Received on Wed Dec 22 22:32:26 2004
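The following is an added example, not part of the original message: a small check that separates mod_authz_svn access-file syntax from Subversion client `servers`-file settings, run over the access file exactly as posted above. In the access file, `[groups]` maps a group name to user names; in the client's runtime `servers` file, `[groups]` maps a group name to server host patterns, and `ssl-client-cert-file` / `ssl-client-cert-password` are options of that client file. The function name `lint_access_file` is hypothetical, and the check only classifies entries; it makes no claim about the cause of the 403.

```python
import configparser
import ipaddress

# Options read by the Subversion client from its runtime "servers" file,
# not by mod_authz_svn from the file named in AuthzSVNAccessFile.
CLIENT_SERVERS_OPTIONS = {"ssl-client-cert-file", "ssl-client-cert-password",
                          "ssl-authority-files", "ssl-trust-default-ca"}

# The access file as posted in the message above.
POSTED_ACCESS_FILE = """\
[groups]
everyone = testaccount
testaccount-host = 192.168.1.23
[design:/]
@everyone = rw
[testaccount-host]
ssl-client-cert-file = /usr/local/conf/ssl.users/sslusers.p12
ssl-client-cert-password = blah
"""

def _is_ip(text):
    """True if text is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text.strip())
        return True
    except ValueError:
        return False

def lint_access_file(text):
    """Return (section, key, finding) tuples for entries that are not authz syntax."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        is_path = section.startswith("/") or ":/" in section
        if section != "groups" and not is_path:
            findings.append((section, None, "not [groups] or a path section"))
        for key, value in cp.items(section):
            if key in CLIENT_SERVERS_OPTIONS:
                findings.append((section, key, "client 'servers' file option"))
            elif section == "groups" and any(_is_ip(m) for m in value.split(",")):
                findings.append((section, key, "group member is a host address, not a user"))
    return findings

if __name__ == "__main__":
    for finding in lint_access_file(POSTED_ACCESS_FILE):
        print(finding)
```

Any `ssl-client-cert-password` line the check reports is also a passphrase stored in plain text, so the permissions of whichever file holds it deserve the same attention as the `.p12` itself.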