
Re: SSH-like Solution with Apache

From: Phillip Susi <psusi_at_cfl.rr.com>
Date: 2006-01-19 17:28:52 CET

I also have a setup using client certificates for authentication. I
created a self-signed certificate on the server and used that to issue
and sign certificates for the client users. Under the /svn section in
the apache.conf I added this:

SSLRequireSSL
SSLVerifyClient require
SSLUserName SSL_CLIENT_S_DN_CN

The last part makes sure Apache, and thus Subversion, treats the
connection as logged in as the user name supplied in the CN field of the
client certificate.

With this setup, the client can connect using their certificate, and
optionally encrypt their private key using a password. They can change
the password on the certificate any time using openssl, and even set it
to no password, but that's not a good idea because if someone gets ahold
of that file, they can impersonate you. This may be acceptable on
Windows if you let Windows encrypt the file with EFS, so it will be
encrypted transparently based on your Windows login password.

Daniel Serodio wrote:
> Kevin P. Fleming wrote:
>> Paul Forgey wrote:
>>> Can you use client certificates? svn's configuration leads me to
>>> believe it can send a client certificate when connecting via https.
>>> I don't know if Apache will authenticate based on an SSL client
>>> certificate, but quite honestly I would be surprised if it couldn't
>>> or if somebody hasn't written a module to do it.
>> It already works; I had to make a small change to mod_ssl to get it to
>> work exactly the way that I wanted, but it certainly can be done.
> Do you care to explain this setup? I'm interested in authentication via
> client certificates too.
>
> Thanks,
> Daniel Serodio

Received on Thu Jan 19 22:13:16 2006

This is an archived mail posted to the Subversion Users mailing list.
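
The workflow described in the mail above (a self-signed CA, client certificates carrying the user name in the CN, and changing the key passphrase with openssl), as an added shell example that is not part of the original post. The CA name, file layout, user names and passphrases are assumptions made for illustration; only the openssl command-line tool is used.

```shell
#!/bin/sh
# Added example; CA name, file names and passphrases are constructed.
# Passphrases are passed as "pass:..." only so the script runs unattended;
# interactively, omit -passin/-passout and let openssl prompt instead.

# Self-signed CA whose certificate Apache trusts for client verification
# (mod_ssl reads it via SSLCACertificateFile).
make_ca() {  # $1 = directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example SVN CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Client key (encrypted with a passphrase) and certificate; CN = user name.
issue_client() {  # $1 = directory, $2 = user name, $3 = passphrase
    openssl req -newkey rsa:2048 -subj "/CN=$2" -passout "pass:$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/$2.crt" 2>/dev/null
}

# Re-encrypt the private key under a new passphrase; the certificate
# itself does not change, so nothing has to be reissued.
change_passphrase() {  # $1 = key file, $2 = old passphrase, $3 = new one
    openssl pkey -in "$1" -passin "pass:$2" -aes256 -passout "pass:$3" \
        -out "$1.new" 2>/dev/null && mv "$1.new" "$1"
}

# Chain check that SSLVerifyClient require relies on: was the client
# certificate signed by the CA the server trusts?
chains_to_ca() {  # $1 = CA certificate, $2 = client certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The value SSLUserName SSL_CLIENT_S_DN_CN hands to Subversion as the user.
cert_cn() {  # $1 = client certificate
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# True if the given passphrase decrypts the private key.
key_opens_with() {  # $1 = key file, $2 = passphrase
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}
```

Because the CN becomes the Subversion user name, whoever holds the CA key decides which identities exist, so ca.key deserves tighter protection than any single client key.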