[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: PAM authentication

From: Jon Bendtsen <jon.bendtsen_at_laerdal.dk>
Date: 2005-07-29 18:30:48 CEST

Den 29. jul 2005 kl. 18:12 skrev David Anderson:

> Jon Bendtsen wrote:
>
>> I've always wondered why SVNSERVE does not support PAM. CVS does, and
>> isnt subversion supposed to be an replacement for CVS?
>>
>
> CVS supports it? That's news to me. You mean some weird hack added on
> top of CVS supports it?

Well, my cvs pserver in debian supports pam.

> Looking throught the archives of the cvs list, there is an unofficial
> patch in the CVS issue tracker to hack PAM support into CVS. It
> doesn't
> seem to be in the mainline, even after 4 years or so of waiting in the
> issue tracker.

That may be true

>> My users complain that using svn+SSH takes twice the time than a user
>> added to the password file in the conf directory.
>>
>
> I am in total comprehension failure here. What does PAM have to do
> with
> the passdb in the repository configuration? Surely, adding PAM
> authentication support to svnserve would let you authenticate against
> system facilities, and would be at least as unwieldy to set up as a
> shell account for svn+ssh, if not more because of the PAM
> reconfiguration required.

I have an existing setup where every user has a ssh account. They can
even
ssh in using their windows username because of pam_winbind.

However, when using svn+ssh, checkout takes twice as long as if i
manualy
add them to the password database that SVNSERVE does support.
However, after getting http to use pam, then it takes about the same as
SVNSERVE. Measured by a stopwatch, noting scientific.
So, i guess that encryption/decryption is the bottleneck? Maybe, but the
server is a 3GHz P4, and so are the clients. So i didnt expect that much
of a drop in speed.

>> i guess i can use apache2, i just figured that it is strange that
>> SVNSERVE does not support PAM, which is pretty much the standard unix
>> auth.
>>
>
> It is the standard-ish linux auth, I'll grant you that. But standard
> Unix auth? That's perhaps going a little far. What about the BSDs?

I remember having read about solaris and pam, so i figured that everyone
could use them. I can not possible imagien that *BSD does not use pam.

> Anyhow, extended authentication support in svnserve is on the todo. It
> isn't done yet because there were more important things to do (the new
> repository backend, locking, performance enhancements) and that nobody
> picked up the task. If you put aside the few Svn devs who work on
> Subversion for a living, this is your standard open source project:
> if you require something that nobody else cares about in the
> immediate future, you either step in and do it, pay someone to step
> in and do it, or be patient until someone steps in and does it.

I know i know, and it is not that importent since we do have
mod_auth_pam for apache.
I just wondered, thats it.

> My current todo list is quite full at the moment with
> authentication and authorization enhancements to svnserve, notable
> SASL integration. If the SASL library we choose when I get there
> natively allows using PAM as an authentication backend, then you're
> in luck. Otherwise, we don't have much choice but wait until
> someone comes along and picks up this todo.
>
> The other option, as I said above, if you really really need PAM
> right now this instant, would be to pick up a contract with
> CollabNet (not sure they do feature-request contracts, but it can't
> hurt to ask) or a freelance developer knowledgeable with Subversion
> and have the feature implemented by paid employees.

I got it to work using apache2. But it did take some time. Maybe the
documentation could
directly mention that mod_auth_pam exists.

Sure there are still some things i'd like better, like being able to
use groups as well, but i can
get that semi working by using scripts to read the groups and stuff
the members into the
     AuthzSVNAccessFile
It's harder to stuff users and encrypted passwords into a file. But
groups are easy.

However, that SASL you talk about does sound interresting, i hope it
works out.

JonB

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Jul 29 18:34:09 2005

This is an archived mail posted to the Subversion Users mailing list.