
RE: svn and scripted auth

From: Harvey, Edward <Edward.Harvey_at_patni.com>
Date: 2007-11-14 17:34:17 CET

I think you're discussing this in the right place.

If you're new to this, let me make this really simple...
There are basically four ways to access a repository:
        file://
        svn+ssh://
        svn://
        http:// (or https)

The most powerful is Apache (http or https), because it has the ability to control permissions on a per-user / per-file / per-directory basis, and it has the ability to support secure encrypted traffic, passwords, and authentication against LDAP for centralized password management. However, Apache is also the most difficult to set up, because there are *so many* choices available to you.

Svnserve (svn://) is very easy to set up, and very fast for a local area network. It does not provide per-file permissions, and does not (as far as I know) have any way to authenticate passwords against LDAP or anything like that. The passwd file is a plaintext file that can only be edited by root (or whoever root gives permission to). And although the password is never sent plain-text across the network, it uses weak encryption. But svnserve is a very good protocol despite these shortcomings. It does a very good job of keeping the repository free from corruption, and it's very fast, and easy to set up. ;-)

Svn+ssh, although it's supposed to be good, somehow frequently gave me corruption problems so I don't recommend it. But perhaps there was just a misconfiguration in my environment that should have been fixed. I fixed it by locking down the repo, blocking all users from reaching it, and forcing everyone to use svn:// instead.

File:// should not be used in most situations. It invites corruption if concurrent users are reading/writing things at the same time. I only recommend this if you need a personal repo, or a temporary sandbox to work with.

Hope this helps.

> -----Original Message-----
> From: Florian Ebeling [mailto:florian.ebeling@gmail.com]
> Sent: Tuesday, November 13, 2007 6:13 PM
> To: users@subversion.tigris.org
> Subject: svn and scripted auth
>
> Hi,
>
> I'm thinking about scripting the subversion client, and specifically
> driving an update from a superuser context.
>
> What is not easy to properly understand is how authentication happens
> for different svn server types. For a file:/// server, a simple
> setegid/seteuid is enough. For the http:// and https:// scenarios, I
> can use the --username/--password options. How do I go about this in
> the svn+ssh:// case? Many people use a pubkey or ssh-agent setup here.
> Is there a way to control this properly? In which cases does svn try
> to do auth at all (http/https?), and in which does it entirely rely on
> the underlying layers (ssh+file?). And is it feasible in all cases to
> control this from a sudo context?
>
> Maybe this is really covered somewhere in the documentation, but I
> can't find it in the SVN Book. Is there authoritative discussion about
> this publicly available?
>
> Flo
>
>
> --
> Florian Ebeling
> florian.ebeling@gmail.com
>
Received on Wed Nov 14 17:34:47 2007
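
As an added example (not part of the original thread, and not Subversion's own code): a Python helper that plans a prompt-free `svn update` for each of the four access methods discussed above and records which layer performs the authentication. The name `plan_update`, the sample URLs and the key path are assumptions; `--password-from-stdin` needs Subversion 1.10 or later, and `SVN_SSH` is the environment variable svn reads for the ssh tunnel command.

```python
import shlex
from urllib.parse import urlsplit


def plan_update(repo_url, workdir, username=None, ssh_key=None):
    """Plan an unattended `svn update` of a working copy checked out from repo_url.

    Returns a dict with: argv, env (extra environment variables),
    needs_stdin_password, and auth_layer (who actually authenticates).
    """
    scheme = urlsplit(repo_url).scheme.lower()
    plan = {"argv": ["svn", "update", "--non-interactive", workdir],
            "env": {}, "needs_stdin_password": False}
    if scheme == "file":
        # No svn-level authentication: access is decided by the effective
        # uid/gid of the process, so a root script should drop privileges first.
        plan["auth_layer"] = "filesystem"
    elif scheme == "svn+ssh":
        # svn only spawns the tunnel; ssh authenticates. An explicit key avoids
        # depending on an ssh-agent that a sudo/cron context does not have.
        if not ssh_key:
            raise ValueError("svn+ssh needs a key file for unattended use")
        # BatchMode=yes makes ssh fail instead of prompting.
        plan["env"]["SVN_SSH"] = ("ssh -q -o BatchMode=yes -i "
                                  + shlex.quote(ssh_key))
        plan["auth_layer"] = "ssh"
    elif scheme in ("svn", "http", "https"):
        if not username:
            raise ValueError(scheme + ":// needs a username")
        # Password goes on stdin rather than --password on argv, where it
        # would be visible to other local users in the process list.
        plan["argv"][3:3] = ["--username", username,
                             "--password-from-stdin", "--no-auth-cache"]
        plan["needs_stdin_password"] = True
        plan["auth_layer"] = "svnserve" if scheme == "svn" else "apache"
    else:
        raise ValueError("unsupported scheme: %r" % scheme)
    return plan


if __name__ == "__main__":
    # Constructed sample URLs, one per access method.
    for url, kw in [("file:///srv/repo", {}),
                    ("svn+ssh://svn.example.org/repo", {"ssh_key": "/root/.ssh/deploy_key"}),
                    ("svn://svn.example.org/repo", {"username": "deploy"}),
                    ("https://svn.example.org/repo", {"username": "deploy"})]:
        print(url, "->", plan_update(url, "/srv/wc", **kw))
```

A caller would pass `plan["argv"]` and the merged environment to `subprocess.run`, feeding the password through `input=` when `needs_stdin_password` is true.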

This is an archived mail posted to the Subversion Users mailing list.
