Re: [Warning: External Sender. Domain Possibly Forged] svn + apache + ssl

From: Jeremy Pereira <jeremy.pereira_at_ntlworld.com>
Date: 2004-12-22 23:01:24 CET

On Dec 22, 2004, at 21:14, <Peter.VanEchaute@bench.com> wrote:

> If the bot thinks I am an external sender, then what URL do I send to
> so it doesn’t think this?  I have registered and gotten a confirmation
> “WELCOME to users@subversion.tigris.org” message.  I am sending to
> users@subversion.tigris.org.  Is this wrong?

I would guess that it's your mail gateway inserting that into the
subject. The warning wasn't in my copy of your original message.

The mailing list doesn't alter the from address (and possibly the
envelope sender?) so the message we all got appears to have come from
you even though it actually came from the Subversion mailing list
server. Your gateway has picked this up and realised that a message
apparently from you has come from outside of your network.

>
> Pete
>
> -----Original Message-----
> From: Van Echaute, Peter
> Sent: Wednesday, December 22, 2004 1:43 PM
> To: users@subversion.tigris.org
> Subject: [Warning: External Sender. Domain Possibly Forged] svn +
> apache + ssl
>
> Hello All,
>
> I hope you’re all having a good holiday season so far.  I’m attempting
> to set up a SVN server.  My machine is RHEL 3 using Apache 2.0.52,
> mod_ssl 2.0.52, OpenSSL 0.9.7a, DAV 2, and SVN 1.1.1.  What I would
> like to accomplish is svn access through Apache and being
> authenticated using a single SSL x509 cert.  I have a group of local
> accounts that are chroot jailed, so straight svn access isn’t
> something I can do (ex: svn co svn://ip/svn/repo).  So what I foresee
> is access through Apache which doesn’t go through the local accounts
> (ex: svn co https://ip/svn/repo).  I understand that during the
> checkout, that it stores user credentials.  My problem is that I can
> ‘co’ just fine, but I can’t edit and then commit.  Here is the command
> I used to create the working copy…
>
> svn co --username testaccount --password testaccount
> https://192.168.1.254/svn/design
>
> I created an account called ‘testaccount’.  Here are the config
> portions that are relevant…
>
> httpd.conf..
> <Location /svn>
> DAV svn
> SVNParentPath /usr/local/subversion/repositories
>
> # our access control policy
> AuthzSVNAccessFile /usr/local/subversion/svn-auth-users-access
>
> # try anonymous access first, resort to real
> # authentication if necessary.
> Require valid-user
>
> SSLVerifyClient require
> SSLVerifyDepth  2
>
> # how to authenticate a user
> AuthType Basic
> AuthName "Subversion repository"
> AuthUserFile /usr/local/subversion/httpd-svn-auth-users-pw
> </Location>
>
> NOTE: The AuthUserFile directive above and the password-db are two
> different files but httpdxxx is htpasswd encrypted and the svn-authxxx
> is plain text.  Both containing the same info though.
>
> svnserve.conf…
> [general]
> password-db = /usr/local/subversion/svn-auth-users-pw
> realm = Design Engineering
>
> # anonymous users aren't allowed
> anon-access = none
>
> # authenticated users can both read and write
> auth-access = write
>
> the svnserver is run as svn…
> svn      32481  0.0  0.0  4936  940 ?        S    Dec21   0:00
> /usr/local/bin/svnserve.orig -d -T -r
> /usr/local/subversion/repositories
>
> I created the repo as such…
> svnadmin create /usr/local/subversion/repositories/design
> chown -R svn:svn *
> chmod 775 design
> chmod -R g=u design
> /usr/local/bin/htpasswd -m
> /usr/local/subversion/httpd-svn-auth-users-pw testaccount
>
> cat /usr/local/subversion/svn-auth-users-access
> [groups]
> everyone = testaccount
> testaccount-host = 192.168.1.23
>
> [design:/]
> @everyone = rw
>
> [testaccount-host]
> ssl-client-cert-file = /usr/local/conf/ssl.users/sslusers.p12
> ssl-client-cert-password = blah
>
> I have created three sets of SSL certs (CA, Server, Client)…
> ls /usr/local/conf/ssl.key
> ca.csr  ca.key  server.csr  server.key  sslusers.csr  sslusers.key
>
> ls /usr/local/conf/ssl.crt
> ca.crt  server.crt  sslusers.crt
>
> ls /usr/local/conf/ssl.users
> sslusers.p12
>
> I’m not sure what else to add here, but here is my problem…
>
> svn co --username testaccount --password testaccount
> https://192.168.1.254/svn/design
> svn commit -m "testing." --username testaccount --password testaccount
> Authentication realm: https:// 192.168.1.254:443
> Client certificate filename: /home/testaccount/sslusers.p12
> Passphrase for '/home/testaccount/sslusers.p12':
> Sending        nforce4/Config.lb
> Transmitting file data .svn: Commit failed (details follow):
> svn: PUT of
> '/svn/design/!svn/wrk/93cedd7b-d8eb-0310-b2c4-90868bc6e483/freebios2/
> targets/nvidia/nforce4/Config.lb': 403 Forbidden (https://
> 192.168.1.254)
>
> Any help is greatly appreciated.  Happy Holidays.
>
> Cheers,
> Pete
>

--
Jeremy Pereira
http://www.jeremyp.net
Received on Wed Dec 22 23:03:55 2004
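
The gateway behaviour described in the reply above, as an added example that is not part of the original thread: a header `From` in the gateway's own domain arriving from an outside host gets the subject tag. The tag text is taken from the subject line; the domains, network range, `List-Id` hint and function names are assumptions made for the sketch.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}                    # assumed: the gateway's own domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed: hosts allowed to send as it
TAG = "[Warning: External Sender. Domain Possibly Forged]"

def domain_of(addr):
    """Lower-cased domain part of an address or of a full From header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def classify(raw_message, peer_ip, envelope_sender):
    """Return 'ok', 'list-copy' or 'possibly-forged' for one inbound message."""
    msg = message_from_string(raw_message)
    from_internal = domain_of(msg.get("From", "")) in INTERNAL_DOMAINS
    peer_internal = any(ipaddress.ip_address(peer_ip) in net for net in INTERNAL_NETS)
    if not from_internal or peer_internal:
        return "ok"
    # Internal From, external peer. A list that keeps the author's From but sends
    # with its own envelope sender looks like this. List-Id is set by the sender,
    # so it only labels the likely cause and must never suppress the warning.
    if msg.get("List-Id") and domain_of(envelope_sender) not in INTERNAL_DOMAINS:
        return "list-copy"
    return "possibly-forged"

def tag_subject(raw_message, peer_ip, envelope_sender):
    """Subject as the gateway would deliver it, tagged unless the verdict is 'ok'."""
    subject = message_from_string(raw_message).get("Subject", "")
    verdict = classify(raw_message, peer_ip, envelope_sender)
    if verdict != "ok" and TAG not in subject:
        subject = f"{TAG} {subject}"
    return subject

# Constructed sample: a list server's copy of a post written by an internal user.
LIST_COPY = (
    "From: Pete <pete@corp.example>\n"
    "To: users@lists.example\n"
    "List-Id: <users.lists.example>\n"
    "Subject: svn + apache + ssl\n"
    "\n"
    "Hello All,\n"
)

if __name__ == "__main__":
    print(tag_subject(LIST_COPY, "203.0.113.7", "users-return-1@lists.example"))
```

Only the poster's own gateway applies the tag, which matches the reply's observation that other subscribers received the original message without the warning.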

This is an archived mail posted to the Subversion Users mailing list.