
Re: using Subversion over the internet (with Windows?): Howto?

From: Duncan Murdoch <murdoch_at_stats.uwo.ca>
Date: 2006-12-01 12:12:30 CET

On 12/1/2006 12:33 AM, Thomas Harold wrote:
> Pieter wrote:
>> The fact is: I would like to install as little as possible, but need good
>> security. Some more specific questions:
>>
>> - What are the exact possibilities for doing this? Only with Linux + Apache?
>> Or are there others too? What's that svn + ssh stuff?
>
> The advantage of svn+ssh is that:
>
> - You can choose to use public key files to authenticate with the
> server. Which means the only place that the passphrase (for the private
> key) is needed is on the client. The server only sees the public key
> (added to the user's authorized_keys folder). Using key pairs for SSH
> access to servers prevents you from being vulnerable to dictionary
> attacks on your SSH port (kind of difficult to brute force a 1024 or
> 2048 bit key).
>
> - You can limit what a particular key pair can do by prefixing the line
> in authorized_keys with: command="svnserve -t" -- So even if someone
> swipes the private key along with the passphrase used to protect the
> private key file, they can still only perform SVN operations on your
> repository. That key pair doesn't grant them command-line access on
> your repository server.
>
> - SSH is easily tunneled over NAT/firewalls. It's strong encryption and
> well regarded.
>
> Apache and HTTPS are also a good solution, but not something that I've
> configured yet. Apache is very flexible (you could tie into other
> authentication schemes like AD or LDAP).
>
>> - I would prefer to have everything on a Windows 2003 server. Is this
>> possible?
>
> Maybe... you'll either be using Apache+HTTPS or copSSH (which I haven't
> used). We preferred to run SVN on top of Linux where we could take
> advantage of Linux stability, OpenSSH's strengths, and running the SVN
> server inside a Xen DomU (virtualization).

Cygwin does include OpenSSH, so that might be another possibility. (I
use it regularly for my svn client, but I don't run a server on Linux.
However, I did just run a quick test, and it worked.)

Duncan Murdoch
>
>> - I would like to have a tight security:
>> * I need to be able to define which user can commit to which project.
>> * Some projects should be absolutely hidden: the existence of it should
>> be unknown for some programmers.
>
> I suspect you'll only get this feature if you have separate repositories
> for those projects.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org

Received on Fri Dec 1 12:13:16 2006

This is an archived mail posted to the Subversion Users mailing list.
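
Added example, not part of the original mail and not Subversion project code: a small Python audit of an authorized_keys file that flags keys lacking the forced command="svnserve -t" described in the quoted reply. It goes slightly beyond the mail by also checking sshd's forwarding and pty restrictions (restrict, no-port-forwarding, no-agent-forwarding, no-X11-forwarding, no-pty), because a forced command on its own does not disable them; the function names and sample entries are constructed for illustration.

```python
import shlex
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # how sshd key-type names begin
LOCKDOWN = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

def split_outside_quotes(text, seps):
    """Split on any character in seps, except inside double-quoted values."""
    parts, buf, quoted = [], "", False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            quoted = not quoted
        if ch in seps and not quoted:
            if buf:
                parts.append(buf)
            buf = ""
        else:
            buf += ch
    return parts + ([buf] if buf else [])

def audit_line(line):
    """Return findings for one authorized_keys entry; [] means fully restricted."""
    fields = split_outside_quotes(line.strip(), " \t")
    if not fields or fields[0].startswith("#"):
        return []
    opts = {}
    if not fields[0].startswith(KEY_TYPES):  # first field is the options list
        for opt in split_outside_quotes(fields[0], ","):
            name, _, value = opt.partition("=")
            opts[name.lower()] = value.strip('"')  # option names are case-insensitive
    findings = []
    cmd = shlex.split(opts.get("command", ""))
    if not cmd or cmd[0].rsplit("/", 1)[-1] != "svnserve" or not {"-t", "--tunnel"} & set(cmd):
        findings.append("no forced 'svnserve -t' command: key is not limited to SVN")
    missing = sorted(LOCKDOWN - set(opts))
    if "restrict" not in opts and missing:
        findings.append("forwarding/pty not disabled: " + ", ".join(missing))
    return findings

def audit(text):
    """Map 1-based line number -> findings, for entries that have any."""
    report = {n: audit_line(l) for n, l in enumerate(text.splitlines(), 1)}
    return {n: f for n, f in report.items() if f}

SAMPLE = """\
# constructed sample entries; the key material is a placeholder, not a real key
ssh-rsa AAAAPLACEHOLDER alice@laptop
command="svnserve -t" ssh-rsa AAAAPLACEHOLDER bob@laptop
command="svnserve -t --tunnel-user=carol",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER carol@laptop
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, the unrestricted key (line 2) gets both findings, the command-only key (line 3) gets the forwarding/pty finding, and the fully restricted key (line 4) gets none.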