Re: access svn securely from the internet via sasl or ssh

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: Fri, 19 Dec 2008 16:42:04 -0600

On 2008-12-19 13:08, Paul Koning wrote:
> >>>>> "Bob" == Bob Archer <Bob.Archer_at_amsi.com> writes:
>
> Bob> Understood... but I am going by what the OP email said. And I
> Bob> may misunderstand what he means. But... from what I gather...
>
> Bob> He wants the user to have rw access to the repository via the
> Bob> svn client but does NOT want him to have rw file system access
> Bob> to the repository folder.
>
> Oops, I missed that.
>
> That requires setting up the server end so svnserve can run through an
> SSH tunnel, but regular interactive access is denied. That's easy.
> Assign the users to a "shell" which is a script that refuses to let in
> anything other than svnserve. Something like this:
>
> # cat /usr/local/bin/svnonly.sh
> #!/bin/bash
> if [ "$*" = "-c svnserve -t" ]; then
>     svnserve -t
>     exit $?
> fi
> while true; do
>     date; sleep 600;
> done;
>

Alternately, you can use sudo prior to running svnserve on the server
with SVN+SSH. You allow people to run the real svnserve binary using
a script like this:

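#!/bin/sh
#
# Runs the real binary, svnserve.bin, from this script's own directory.

SVNSERVE="$(dirname "$(realpath "$0")")/svnserve.bin"

# First pass: re-run this script under sudo.
if [ -z "$SUDO_USER" ] ; then
        exec sudo "$0" "$@"
fi
# Second pass (under sudo): SUDO_USER holds the invoking user's name.
exec "$SVNSERVE" "--tunnel-user=$SUDO_USER" "--root=/repos" "$@"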

Also, plain svn protocol is as secure as https if you're using a
SASL mechanism that uses AES-256 encryption.

-- 
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
Received on 2008-12-19 23:43:10 CET
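
The login-shell restriction discussed in this thread, as an added example that is not part of the original messages: it checks the exact argument vector sshd hands to a login shell and then starts svnserve with a fixed command line. The `/repos` root is taken from the message above; `SVNSERVE_BIN`, `SVN_ROOT` and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: login-shell gate for svn+ssh accounts (not code from the thread).
# Assumptions: repositories live under /repos (path from the message above);
# SVNSERVE_BIN, SVN_ROOT and the function names are hypothetical.

SVNSERVE_BIN=${SVNSERVE_BIN:-svnserve}
SVN_ROOT=${SVN_ROOT:-/repos}

# sshd starts a user's login shell as: <shell> -c "<client command>".
# Accept exactly that shape and exactly the command the svn client sends.
# Checking $# as well as the text keeps the match tied to that two-argument form.
svnonly_allowed() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "svnserve -t" ]
}

svnonly_main() {
    if svnonly_allowed "$@"; then
        # Fixed argument list: nothing sent by the client reaches the command line.
        exec "$SVNSERVE_BIN" -t -r "$SVN_ROOT"
    fi
    # Interactive logins (no arguments) and every other command are refused
    # immediately, so a denied session does not stay open.
    echo "svnonly: only 'svnserve -t' is permitted on this account" >&2
    return 1
}

# Run only when installed as the login shell, not when sourced for testing.
case "${0##*/}" in
    svnonly.sh) svnonly_main "$@"; exit $? ;;
esac
```

Installed as `/usr/local/bin/svnonly.sh` and set as the account's shell, the script either becomes svnserve in tunnel mode or exits with status 1.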

This is an archived mail posted to the Subversion Users mailing list.
