
Re: svnserve authentication without passwd file

From: Florian Pose <florian_at_keenkiwi.de>
Date: 2006-03-09 21:49:37 CET


Phillip Susi wrote:
> That is because subversion doesn't even know you are connected remotely
> with the ssh tunnel. SSH logs in to the server, and invokes subversion
> just as if you were logged on locally at the server. The server doesn't
> handle any part of the login. When you run svnserve, it is listening
> for connections and it must authenticate the user.

I know this, since it is all in the book. Why are
svn+ssh connections treated as authenticated by default (see below)?

$ svnadmin create rep
$ emacs rep/conf/svnserve.conf (set anon-access to "none")
$ svn co svn://localhost/.../rep wc1
svn: No access allowed to this repository
$ svn co svn+ssh://localhost/.../svn-auth/rep wc1
Ausgecheckt, Revision 0.

If, as you say, svnserve doesn't care about how it is invoked, why this
behavior?

>> When there is no need for the strong encryption SSH provides, why then
>> burden the server with the extra load?
>
> I think this is another case of wrong optimization. Optimize the
> bottleneck first. Unless you have done some profiling and know that ssh
> is chewing up a lot of time, then you are barking up the wrong tree.
> I'll bet money that the extra cpu overhead that ssh adds is negligible,
> but the only way to know for sure is to profile it.

I, too, assume that ssh adds no significant load to the server, and
this isn't worth discussing, but why use an additional technology
that gives me no added value?

>> Since the repository is used only in the intranet (or from outside
>> through VPN), the Apache solution is not really interesting for me.
>
> Why not? It does what you need, so what's the fact that you're only
> using it on a local network got to do with it? Also it frees you from
> having to use the kludgey VPN junk to access the repository securely
> from anywhere in the world.

I don't want a security discussion, but setting up a public webserver
just to handle subversion access seems to be ripping up more possible
security holes than using it with the VPN that runs anyway. Moreover,
the VPN technology used (OpenVPN) uses SSL, too.

Best regards,
Florian

Received on Thu Mar 9 21:51:14 2006

This is an archived mail posted to the Subversion Users mailing list.
