
Re: access svn securely from the internet via sasl or ssh

From: Boris Möller <bobdole1_at_web.de>
Date: Sat, 20 Dec 2008 19:01:08 +0100

On Friday 19 December 2008 23:42:04, Alec Kloss wrote:
> On 2008-12-19 13:08, Paul Koning wrote:
> > >>>>> "Bob" == Bob Archer <Bob.Archer_at_amsi.com> writes:
> >
> > Bob> Understood... but I am going by what the OP email said. And I
> > Bob> may misunderstand what he means. But... from what I gather...
Yeah, exactly.
> >
> > That requires setting up the server end so svnserve can run through an
> > SSH tunnel, but regular interactive access is denied. That's easy.
> > Assign the users to a "shell" which is a script that refuses to let in
> > anything other than svnserve. Something like this:
Well, actually I would like to have the option to use /bin/bash via ssh. (Actually the users use it for scp only currently.)

> >
> > # cat /usr/local/bin/svnonly.sh
> > #!/bin/bash
> > if [ "$*" = "-c svnserve -t" ]; then
> >     svnserve -t
> >     exit $?
> > fi
> > while true; do
> >     date; sleep 600;
> > done;
>
> Alternately, you can use sudo prior to running svnserve on the server
> with SVN+SSH. You allow people to run the real svnserve binary using
> a script like this:

Actually the server has only one user (meant as replacement for root) who is allowed to do sudo. But maybe I could just make a user "svn" with svnserve having setuid to "svn".
>
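> #!/bin/sh
> #
>
> # Real svnserve binary, kept next to this wrapper script.
> SVNSERVE="$(dirname "$(realpath "$0")")/svnserve.bin"
>
> # Not yet running under sudo: re-execute this wrapper through sudo.
> if [ -z "$SUDO_USER" ] ; then
>     exec sudo "$0" "$@"
> fi
> # Hand the invoking user's name to svnserve as the tunnel user.
> exec "$SVNSERVE" "--tunnel-user=$SUDO_USER" "--root=/repos" "$@"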

>
> Also, plain svn protocol is at as secure as https if you're using a
> SASL mechanism that uses AES-256 encryption.
Ok, so would it be sufficient to _only_ add
[sasl]
use-sasl = true
min-encryption = 256
max-encryption = 256
to the svnserve.conf? Or would I have to do all this extra stuff with say
 pwcheck_method: auxprop
 auxprop_plugin: sasldb
 sasldb_path: /etc/my_sasldb
 mech_list: DIGEST-MD5
etc.

My current picture is that adding only these first three lines just encrypts the traffic. But it doesn't encrypt the password. (Although it seems that the password is already encrypted using a simple algorithm even if everything is turned off. It's not transferred as plain text.)

By the way, maybe I am just too paranoid. IIRC Git and Bazaar also allow direct access to the filesystem... ;-)

    Philip

Received on 2009-01-30 17:38:11 CET
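
The two files the message asks about can be checked mechanically. The script below is an added example, not part of the original mail or of Subversion: it reads the `[sasl]` section of an svnserve.conf and the `mech_list` line of the Cyrus SASL config. The function names and pass/fail thresholds are assumptions of this example; the value meanings (0 = no encryption, 1 = integrity checking only, larger = key length) and the defaults 0 and 256 are those documented in svnserve.conf.

```shell
#!/bin/sh
# Added example: audit the SASL settings named in the message above.

# sasl_value FILE KEY: print the value of KEY from the [sasl] section of svnserve.conf.
sasl_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/  { next }                                    # comment line
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[sasl\]/); next }  # section header
        insec {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# audit_svnserve_conf FILE: return 0 only if SASL is on and encryption is required.
audit_svnserve_conf() {
    rc=0
    use=$(sasl_value "$1" use-sasl)
    min=$(sasl_value "$1" min-encryption); min=${min:-0}     # documented default: 0
    max=$(sasl_value "$1" max-encryption); max=${max:-256}   # documented default: 256
    [ "$use" = "true" ] || { echo "FAIL: use-sasl is not true"; rc=1; }
    case "$min$max" in
        *[!0-9]*) echo "FAIL: non-numeric encryption value"; return 1 ;;
    esac
    if [ "$min" -le 1 ]; then
        echo "FAIL: min-encryption=$min (0 = none, 1 = integrity only)"; rc=1
    fi
    if [ "$max" -lt "$min" ]; then
        echo "FAIL: max-encryption=$max is below min-encryption=$min"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: encryption required, $min-$max bits"
    return "$rc"
}

# audit_mech_list FILE: check the mech_list line of the Cyrus SASL config.
# Assumption of this example: PLAIN, LOGIN and ANONYMOUS are treated as failures.
audit_mech_list() {
    mechs=$(awk -F: '$1 ~ /^[ \t]*mech_list[ \t]*$/ { print toupper($2); exit }' "$1")
    [ -n "$mechs" ] || { echo "FAIL: mech_list is not set"; return 1; }
    for m in $mechs; do
        case "$m" in
            PLAIN|LOGIN|ANONYMOUS) echo "FAIL: mech_list offers $m"; return 1 ;;
        esac
    done
    echo "OK: mech_list =$mechs"
}
```

Source the file and call `audit_svnserve_conf` on the repository's svnserve.conf and `audit_mech_list` on the SASL config; each prints its findings and returns non-zero on any failure.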

This is an archived mail posted to the Subversion Users mailing list.
