On Mon, Sep 7, 2009 at 12:02 PM, Les Mikesell <lesmikesell_at_gmail.com> wrote:
> Nico Kadel-Garcia wrote:
>>
>> On Sun, Sep 6, 2009 at 12:19 PM, Les Mikesell <lesmikesell_at_gmail.com>
>> wrote:
>>>
>>> Nico Kadel-Garcia wrote:
>>>>
>>>> * Have you ever tried to teach a newbie (possibly quite talented, but
>>>> nevertheless a newbie) to configure customized Kerberos setups? I
>>>> have. It wasn't pretty.
>>>
>>> Are there similar issues using https and a client certificate
>>> requirement?
>>
>> The last time I tried that sort of thing, there was effort, but it
>> wasn't as bad. Organizing the server side to manage the certificates
>> and synchronize access for each client to the same repository but with
>> a different key was... fascinating. I basically wrote a little
>> script to survey the key list and generate alias configurations for
>> each user with a different URL to the same material. Workable, but it
>> wouldn't necessarily scale well.
>
> Can't you configure apache to trust a certificate authority, not individual
> certificates, and then use something like tinyca to generate (and revoke if
> necessary) the certificates? You still need passwords, but they are
> ssl-encrypted on the wire and you can't get in without both the password and
> certificate.

*Interesting*. I like it! How do you store the unlocked key this way
for your active TortoiseSVN or command line svn clients, to avoid
having to repeatedly type it in? You still have to do something about
giving different users slightly different access to the same material
in order to set the 'user' for logging, and I don't see how to do it
with this approach unless you repeat my approach and set slightly
different repository paths for different SSL keys.
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2392349
Received on 2009-09-08 14:21:18 CEST
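
The CA-trust setup Les suggests, sketched as an Apache mod_ssl / mod_dav_svn fragment. This is an added example, not configuration posted by anyone in the thread. The host name, all file paths and the choice of the certificate CN as the user name are assumptions, and the password layer Les also mentions is left out.

```apache
# Added example: trust one CA for client certificates instead of listing
# individual certificates, and take the logged user name from the certificate.
# Host name and every path below are placeholders (assumptions).
<VirtualHost *:443>
    ServerName svn.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/svn/server.crt
    SSLCertificateKeyFile /etc/ssl/svn/server.key

    # Any client certificate signed by this CA is accepted; no per-user
    # server configuration is needed when a new certificate is issued.
    SSLCACertificateFile  /etc/ssl/svn/ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Revocation: publish the CA's CRL here and reload Apache after each update.
    # On Apache 2.4 also set "SSLCARevocationCheck chain" or the CRL is ignored.
    SSLCARevocationFile   /etc/ssl/svn/ca.crl

    # Use the certificate subject's CN as the request's user name, so one
    # repository URL serves every user and each request carries its own user.
    SSLUserName SSL_CLIENT_S_DN_CN

    <Location /repos>
        DAV svn
        SVNPath /srv/svn/repos
        SSLRequireSSL
    </Location>

    # %u is the user set by SSLUserName; the full subject DN is logged
    # beside it so a reused CN is visible in the access log.
    CustomLog logs/svn_access.log "%h %u %t \"%r\" %>s \"%{SSL_CLIENT_S_DN}x\""
</VirtualHost>
```

Because the user name comes from the CN, the CA must issue each CN to exactly one person, and a revoked certificate is only rejected once the updated CRL has been loaded.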