Nico Kadel-Garcia wrote:
>>>> Nico Kadel-Garcia wrote:
>>>>>> * Have you ever tried to teach a newbie (possibly quite talented, but
>>>>> nevertheless a newbie) to configure customized Kerberos setups? I
>>>>> have. It wasn't pretty.
>>>> Are there similar issues using https and a client certificate?
>>> The last time I tried that sort of thing, there was effort, but it
>>> wasn't as bad. Organizing the server side to manage the certificates
>>> and synchronize access for each client to the same repository but with
>>> a different key was... fascinating. I basically wrote a little
>>> script to survey the key list and generate alias configurations for
>>> each user with a different URL to the same material. Workable, but it
>>> wouldn't necessarily scale well.
>> Can't you configure apache to trust a certificate authority, not individual
>> certificates, and then use something like tinyca to generate (and revoke if
>> necessary) the certificates? You still need passwords, but they are
>> ssl-encrypted on the wire and you can't get in without both the password and
> *Interesting*. I like it! How do you store the unlocked key this way
> for your active TortoiseSVN or command line svn clients, to avoid
> having to repeatedly type it in? You still have to do something about
> giving different users slightly different access to the same material
> in order to set the 'user' for logging, and I don't see how to do it
> with this approach unless you repeat my approach and set slightly
> different repository paths for different SSL keys.
They just use their own login/password to establish who they are so either
apache or svn path based access control should work and logging works as you
would expect. They just can't get in at all unless they have a certificate from
the trusted authority that hasn't been revoked. I haven't used this scheme
myself but I believe another part of my company does - probably using Novell's
certificate management to mesh with their Notes ids. I assume that anything
capable of doing https these days can handle client certificates - including
whatever libraries the svn clients use.
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-09-08 15:05:41 CEST
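The scheme described in this reply (Apache trusts one CA, every client must present an unrevoked certificate from it, and identity for authz and logging still comes from the HTTP login) translates into a fairly short mod_ssl + mod_dav_svn configuration. The following is an added illustration written for this thread, not configuration from any poster or from the Subversion project; the hostname, file paths, and the `/svn` location are placeholders and must be replaced with your own.

```apache
# Added example: Subversion over HTTPS with mandatory client certificates.
# Placeholders: svn.example.internal, /etc/ssl/svn/*, /srv/svn, /etc/svn/*.
<VirtualHost *:443>
    ServerName svn.example.internal

    SSLEngine on
    SSLCertificateFile    /etc/ssl/svn/server.crt
    SSLCertificateKeyFile /etc/ssl/svn/server.key

    # Trust the company CA (e.g. one run with tinyca), not individual
    # client certificates. Any cert chaining to this CA is accepted...
    SSLCACertificateFile  /etc/ssl/svn/company-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # ...unless it appears on the CA's revocation list. On httpd 2.4 the
    # CRL is only consulted when SSLCARevocationCheck is set; without it
    # a revoked certificate would still be accepted.
    SSLCARevocationFile   /etc/ssl/svn/company-ca.crl
    SSLCARevocationCheck  chain

    # Expose the client cert fields as variables so they can be logged
    # next to the HTTP user; this is what lets an auditor tie a commit
    # back to both the password owner and the certificate holder.
    SSLOptions +StdEnvVars
    LogFormat "%h %{SSL_CLIENT_S_DN_CN}x %u %t \"%r\" %>s %b" svnlog
    CustomLog /var/log/apache2/svn-access.log svnlog

    <Location /svn>
        DAV svn
        SVNParentPath /srv/svn

        # Identity still comes from the login/password, so the usual
        # path-based access control and svn:author attribution just work.
        AuthType Basic
        AuthName "Subversion repositories"
        AuthUserFile /etc/svn/htpasswd
        Require valid-user

        # Per-path read/write rules keyed by that same username.
        AuthzSVNAccessFile /etc/svn/authz
    </Location>
</VirtualHost>
```

On the client side, the question about not retyping the key is answered by the svn `servers` file (`~/.subversion/servers` on Unix, `%APPDATA%\Subversion\servers` on Windows, which TortoiseSVN also reads): the `ssl-client-cert-file` and `ssl-client-cert-password` options under `[global]` or a host group point at the PKCS#12 bundle and its passphrase, so the certificate is presented automatically. Storing the passphrase there is a trade-off: it removes the prompt but means anyone who can read the file can use the certificate, so the file should be readable only by that user.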