
Re: using Subversion over the internet (with Windows?): Howto?

From: Thomas Harold <tgh_at_tgharold.com>
Date: 2006-12-01 06:33:28 CET

Pieter wrote:
> The fact is: I would like to install as little as possible, but need good
> security. Some more specific questions:
>
> - What are the exact possibilities for doing this? Only with Linux + Apache?
> Or are there others too? What's that svn + ssh stuff?

The advantage of svn+ssh is that:

- You can choose to use public key files to authenticate with the
server. Which means the only place that the passphrase (for the private
key) is needed is on the client. The server only sees the public key
(added to the user's authorized_keys folder). Using key pairs for SSH
access to servers prevents you from being vulnerable to dictionary
attacks on your SSH port (kind of difficult to brute force a 1024 or
2048 bit key).

- You can limit what a particular key pair can do by prefixing the line
in authorized_keys with: command="svnserve -t" -- So even if someone
swipes the private key along with the passphrase used to protect the
private key file, they can still only perform SVN operations on your
repository. That key pair doesn't grant them command-line access on
your repository server.

- SSH is easily tunneled over NAT/firewalls. It's strong encryption and
well regarded.

Apache and HTTPS are also a good solution, but not something that I've
configured yet. Apache is very flexible (you could tie into other
authentication schemes like AD or LDAP).

> - I would prefer to have everything on a Windows 2003 server. Is this
> possible?

Maybe... you'll either be using Apache+HTTPS or copSSH (which I haven't
used). We preferred to run SVN on top of Linux where we could take
advantage of Linux stability, OpenSSH's strengths, and running the SVN
server inside a Xen DomU (virtualization).

> - I would like to have a tight security:
> * I need to be able to define which user can commit to which project.
> * Some projects should be absolutely hidden: the existence of it should
> be unknown to some programmers.

I suspect you'll only get this feature if you have separate repositories
for those projects.

Received on Fri Dec 1 06:34:36 2006

This is an archived mail posted to the Subversion Users mailing list.
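
Added example (not part of the archived mail): a small audit of an OpenSSH authorized_keys file that checks each key is pinned to `command="svnserve -t"` as the reply describes. It goes one step further and also reports keys that leave forwarding or a pty enabled; the `no-*` and `restrict` options and svnserve's `--tunnel-user` flag are standard OpenSSH/Subversion options not mentioned in the mail, and the user names and key material are constructed placeholders.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of public key type names
# sshd key options that switch off features an SVN-only key never needs
LOCKDOWN = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
# Options field: everything up to the first whitespace outside double quotes
FIELD = re.compile(r'((?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+(.*)')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

def split_options(line):
    """Split one authorized_keys entry into (options dict, remainder)."""
    m = None if line.startswith(KEY_TYPES) else FIELD.match(line)
    if not m:
        return {}, line  # entry has no options field
    opts = {o.group(1).lower(): o.group(2) for o in OPTION.finditer(m.group(1))}
    return opts, m.group(2)

def audit(text):
    """Return [(key comment, [findings])] for each key in the file text."""
    results = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        parts = rest.split(None, 2)
        label = parts[2] if len(parts) > 2 else "(no comment)"
        findings, cmd = [], opts.get("command")
        if cmd is None:
            findings.append("no forced command: key grants a shell")
        elif cmd.split()[:2] != ["svnserve", "-t"]:
            findings.append("forced command is not svnserve -t")
        missing = sorted(LOCKDOWN - set(opts))
        if missing and "restrict" not in opts:
            findings.append("not disabled: " + ",".join(missing))
        results.append((label, findings))
    return results

# Constructed sample entries; the key material is a placeholder, not a real key.
SAMPLE = """\
command="svnserve -t --tunnel-user=pieter",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER pieter@laptop
command="svnserve -t" ssh-rsa AAAAPLACEHOLDER build@ci
ssh-rsa AAAAPLACEHOLDER admin@desk
"""

if __name__ == "__main__":
    for label, findings in audit(SAMPLE):
        print(label, "OK" if not findings else findings)
```

Only the first sample entry passes: the second pins the command but still permits port forwarding through the server, and the third is an unrestricted login key.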