
Re: How to configure Apache2+SVN+PAM

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Sat, 29 Aug 2009 10:44:01 -0400

On Fri, Aug 28, 2009 at 1:58 PM, Alexandre Moraes<alexmoraes_at_gmail.com> wrote:
> Hi,
> I'm looking through the web but it's hard to find how to configure
> PAM+Apache2+Svn.

[ Yes, I rant about this. Yes, I am a broken record, but it needs
repeating for new users. ]

*DON'T*. Seriously. Unless you can assure that your clients are not
going to use the default subversion clients, which store passwords in
cleartext by default, any such service is a serious security pitfall.
Subversion 1.6.x improved the situation somewhat with the change to
ask the client before storing the passwords that way, but that should
have *NEVER* been the default behavior of the client: it's led to a
host of truly awful security practices, especially in environments
(such as you are describing) where the user's normal login password
would be used for subversion HTTPS access.

There are clients that do not do this, and that implement considerably
more secure wallets, but unless you actually delete the binary or
deliberately edit svn source code to disable password handling (which
I've done in the past!), you can't prevent arbitrary clients from
discarding any pretense of site security.

Use HTTP access only for anonymous, unauthorized site-wide access. Use
HTTPS only for SSL key access, not password access; especially, do not
use it for passwords based on your normal login passwords. And use
svn+ssh with public key management to provide protected access, unless
you want those passwords published in the readable
$HOME/.subversion/auth/ directory of every UNIX or Linux client.

Now, with all that ranting over:

If you have your heart set on this, it works well in RHEL 5 and recent
Fedora versions with the built-in httpd, mod_dav_svn, and some merging
from the Kerberos configuration utilities in /etc/httpd/conf.d/ into
the subversion.conf file there. What OS are you working with, which
Subversion and which 'Apache2'?
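The cleartext cache the reply warns about lives in files under ~/.subversion/auth/svn.simple/, each an APR hash dump ("K <len>", key, "V <len>", value, ..., "END"). As an added example, not part of this thread, here is a Python audit that parses that format and reports entries whose passtype is "simple" (password stored as-is); the cache file names, realms and user names are constructed.

```python
# Audit a Subversion client's ~/.subversion/auth/svn.simple/ cache for
# passwords cached in cleartext (passtype "simple"). Each cache file is an
# APR hash dump: repeated "K <len>\n<key>\nV <len>\n<value>\n", then "END".
import tempfile
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse Subversion's K/V hash serialization into a dict of str."""
    fields, pos = {}, 0
    while True:
        nl = data.index(b"\n", pos)
        header = data[pos:nl]
        if header == b"END":
            return fields
        klen = int(header.split()[1])                 # "K <len>"
        key = data[nl + 1:nl + 1 + klen]
        pos = nl + 1 + klen + 1                        # past key and "\n"
        nl = data.index(b"\n", pos)
        vlen = int(data[pos:nl].split()[1])           # "V <len>"
        fields[key.decode()] = data[nl + 1:nl + 1 + vlen].decode()
        pos = nl + 1 + vlen + 1

def dump_svn_hash(fields: dict) -> bytes:
    """Serialize a dict the same way (used here only to build samples)."""
    body = b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k.encode()), k.encode(),
                    len(v.encode()), v.encode()) for k, v in fields.items())
    return body + b"END\n"

def audit_auth_dir(auth_dir: Path) -> list:
    """Return (file, realm, username) for every cleartext-cached password."""
    findings = []
    simple_dir = auth_dir / "svn.simple"
    if simple_dir.is_dir():
        for entry in sorted(simple_dir.iterdir()):
            f = parse_svn_hash(entry.read_bytes())
            if f.get("passtype") == "simple" and "password" in f:
                findings.append((entry.name, f.get("svn:realmstring", ""),
                                 f.get("username", "")))
    return findings

def demo() -> list:
    """Constructed auth dir: one cleartext entry, one keyring-backed entry."""
    tmp = Path(tempfile.mkdtemp())
    simple = tmp / "svn.simple"
    simple.mkdir()
    (simple / "aaaa").write_bytes(dump_svn_hash({
        "svn:realmstring": "<https://svn.example.org:443> Example realm",
        "username": "alice", "password": "hunter2", "passtype": "simple"}))
    (simple / "bbbb").write_bytes(dump_svn_hash({
        "svn:realmstring": "<https://svn.example.net:443> Other realm",
        "username": "bob", "passtype": "gnome-keyring"}))
    return audit_auth_dir(tmp)

if __name__ == "__main__":
    for name, realm, user in demo():
        print(f"{name}: cleartext password for {user!r} at {realm}")
```

Run it against a real client with `audit_auth_dir(Path.home() / ".subversion" / "auth")`; any hit is a credential worth rotating and a client worth switching to a keyring passtype or to svn+ssh.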


Received on 2009-08-29 16:44:57 CEST

This is an archived mail posted to the Subversion Users mailing list.
