[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Security features, path based authorization in subversion

From: David Weintraub <qazwart_at_gmail.com>
Date: Tue, 26 Aug 2008 11:54:07 -0400

On Mon, Aug 25, 2008 at 2:16 PM, John Peacock
<john.peacock_at_havurah-software.org> wrote:
>
> I'm sorry but you are mistaken. It is definitely possible to set up
> svn+ssh:// to use a single account to access the repository, and yet have
> each users public key perform both authentication and authorization. This
> has no impact on whether the users also need shell access, nor does it in
> any way allow the users to access the repo via file:// if they do have a
> shell account.
>
> See Trick #4 for details:
>
> http://svn.collab.net/repos/svn/trunk/notes/ssh-tricks

I'm a bit confused by the directions: Earlier in the Subversion book
it states that using the "-t" option:

A third way to invoke svnserve is in "tunnel mode", with the -t
option. This mode assumes that a remote-service program such as RSH or
SSH has successfully authenticated a user and is now invoking a
private svnserve process as that user.

So, using ssh+svn:// (without the configuration tricks) invoke the
svnserve command as that user. And, the -t command runs svnserve as
that user.

But later on, it states:

command="svnserve -t --tunnel-user=sally" TYPE2 KEY2 sally_at_example.com

This example allows both Harry and Sally to connect to the same
account via public-key authentication. Each of them has a custom
command that will be executed; the --tunnel-user option tells svnserve
-t to assume that the named argument is the authenticated user.
Without --tunnel-user, it would appear as though all commits were
coming from the one shared system account.

So, what specifies the user who executes the svnserve command?

If you're using this method, I take it you're no longer using the
operating system's method of user authentication. Instead, you need to
gather the public ssh key for each user. Is that correct? 

--
David Weintraub
qazwart_at_gmail.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-08-26 17:54:33 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.