
Re: Security features, path based authorization in subversion

From: David Weintraub <qazwart_at_gmail.com>
Date: Tue, 26 Aug 2008 11:54:07 -0400

On Mon, Aug 25, 2008 at 2:16 PM, John Peacock
<john.peacock_at_havurah-software.org> wrote:
> I'm sorry but you are mistaken. It is definitely possible to set up
> svn+ssh:// to use a single account to access the repository, and yet have
> each user's public key perform both authentication and authorization. This
> has no impact on whether the users also need shell access, nor does it in
> any way allow the users to access the repo via file:// if they do have a
> shell account.
> See Trick #4 for details:
> http://svn.collab.net/repos/svn/trunk/notes/ssh-tricks

I'm a bit confused by the directions: Earlier in the Subversion book
it states that using the "-t" option:

A third way to invoke svnserve is in "tunnel mode", with the -t
option. This mode assumes that a remote-service program such as RSH or
SSH has successfully authenticated a user and is now invoking a
private svnserve process as that user.

So, using ssh+svn:// (without the configuration tricks) invokes the
svnserve command as that user. And, the -t command runs svnserve as
that user.

But later on, it states:

command="svnserve -t --tunnel-user=sally" TYPE2 KEY2 sally_at_example.com

This example allows both Harry and Sally to connect to the same
account via public-key authentication. Each of them has a custom
command that will be executed; the --tunnel-user option tells svnserve
-t to assume that the named argument is the authenticated user.
Without --tunnel-user, it would appear as though all commits were
coming from the one shared system account.

So, what specifies the user who executes the svnserve command?

If you're using this method, I take it you're no longer using the
operating system's method of user authentication. Instead, you need to
gather the public ssh key for each user. Is that correct?

David Weintraub
Received on 2008-08-26 17:54:33 CEST
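
A check for the shared-account setup discussed in this message, as an added example (not part of the original post or of the Subversion project): it audits an authorized_keys file and flags keys that lack a forced "svnserve -t" command, a --tunnel-user argument, or the OpenSSH options that disable forwarding and pty allocation. The sample file, its key material and the users bob and carol are constructed.

```python
import re
import shlex

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key types
HARDENING = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')
# Constructed sample file for the shared account; keys and users are made up.
SAMPLE = """\
command="svnserve -t --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3harry harry@example.com
command="svnserve -t --tunnel-user=sally" ssh-rsa AAAAB3sally sally@example.com
command="svnserve -t",restrict ssh-ed25519 AAAAC3bob bob@example.com
ssh-rsa AAAAB3carol carol@example.com
"""

def split_options(line):
    """Return (options, rest); options end at the first unquoted blank."""
    if line.startswith(KEY_TYPES):
        return "", line  # line begins with the key type: no options field
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].strip()
    return line, ""

def audit(text):
    """Return [(line_number, problem)] for an authorized_keys file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, _ = split_options(line)
        opts = {m.group(1).lower(): m.group(2) for m in OPTION_RE.finditer(options)}
        if opts.get("command") is None:
            findings.append((n, "no forced command: key is not limited to svnserve"))
            continue
        argv = shlex.split(opts["command"])
        if not argv or not argv[0].endswith("svnserve") or "-t" not in argv:
            findings.append((n, "forced command is not 'svnserve -t'"))
        elif not any(a.startswith("--tunnel-user=") for a in argv):
            findings.append((n, "no --tunnel-user: commits appear as the shared account"))
        if "restrict" not in opts and not HARDENING.issubset(opts):
            findings.append((n, "forwarding and pty not disabled for this key"))
    return findings

if __name__ == "__main__":
    for n, problem in audit(SAMPLE):
        print(f"line {n}: {problem}")
```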

This is an archived mail posted to the Subversion Users mailing list.
