
Re: How to choose between svn & http?

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: 8 Jul 2010 21:31:27 -0500

On 2010-07-08 17:04, David Brodbeck wrote:
>
> On Jul 8, 2010, at 4:49 PM, Nico Kadel-Garcia wrote:
> > A local comparison is often best, especially when operating over HTTPS
> > or svn+ssh for security reasons: Because of the continuing storage of
> > HTTP/HTTPS/svn/SSH passwords in clear-text by the UNIX or Linux
> > versions of Subversion, I don't trust anything but the svn+ssh public
> > key based access for public use. Unfortunately, this does cause a
> > noticeable performance hit.
>
> It's worth pointing out that the private key has to have a passphrase, for this to be a security improvement. Otherwise all you've accomplished is to leave the password-equivalent in ~/.ssh instead of in ~/.svn. ;) I mention this only because a lot of the applications for SSH public keys involve passwordless login.
>
[chop]

I feel a little like a broken record, but...

using GSSAPI (or Negotiate for HTTPS) substantially reduces the security
issues by integrating authentication into the rest of a managed
single-sign-on system. GSSAPI/Negotiate also has the feature of working
in all four remote access protocols for Subversion. The downside is
difficulty in configuration and poor support in some (or many or perhaps
all) binary distributions of Subversion. I have to admit, I don't think
very highly of ssh public-key authentication; I have a hard time
believing very many users or administrators carefully protect, rotate,
and revoke RSA keys in a timely manner, which seems to me to
substantially reduce the security of ssh public-key "infrastructure".

--
Alec.Kloss_at_oracle.com			Oracle Middleware
The views expressed are my own and do not necessarily 
reflect the views of Oracle
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14
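The two local storage points named in the quoted exchange (SSH private keys under ~/.ssh and Subversion's clear-text password cache) can be audited on a workstation. This is an added example, not code from this thread or from Subversion; it assumes OpenSSH's native key layout (the "openssh-key-v1" magic followed by a length-prefixed cipher name, "none" meaning no passphrase) and Subversion's K/V auth-cache file format under ~/.subversion/auth/svn.simple, and every sample input is constructed.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def ssh_key_is_encrypted(key_text: str) -> bool:
    """True if the private key needs a passphrase before it can be used."""
    if "Proc-Type: 4,ENCRYPTED" in key_text or "BEGIN ENCRYPTED PRIVATE KEY" in key_text:
        return True                                  # legacy PEM or PKCS#8, encrypted
    if "BEGIN OPENSSH PRIVATE KEY" in key_text:     # OpenSSH native format
        body = "".join(ln for ln in key_text.splitlines() if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        # The magic is followed by a length-prefixed ciphername; "none" = no passphrase.
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"
    return False                                     # bare PEM: no passphrase

def parse_svn_hash(data: bytes) -> dict:
    """Parse Subversion's 'K <len>' / 'V <len>' / 'END' auth-cache file format."""
    out, pos = {}, 0
    while True:
        nl = data.index(b"\n", pos)
        head, pos = data[pos:nl], nl + 1
        if head == b"END":
            return out
        klen = int(head[2:])                          # "K <n>" then key bytes + "\n"
        key, pos = data[pos:pos + klen], pos + klen + 1
        nl = data.index(b"\n", pos)
        vlen, pos = int(data[pos + 2:nl]), nl + 1     # "V <n>" then value bytes + "\n"
        val, pos = data[pos:pos + vlen], pos + vlen + 1
        out[key.decode()] = val.decode(errors="replace")

def svn_cache_has_cleartext_password(data: bytes) -> bool:
    """svn.simple entries are clear text when passtype is 'simple' (or absent, pre-1.6)."""
    d = parse_svn_hash(data)
    return "password" in d and d.get("passtype", "simple") == "simple"

def audit(home: Path) -> list:
    """List passphrase-less SSH keys and clear-text svn passwords under `home`."""
    findings = []
    for p in (home / ".ssh").glob("id_*"):
        if p.suffix != ".pub" and not ssh_key_is_encrypted(p.read_text()):
            findings.append(f"{p}: SSH private key without passphrase")
    for p in (home / ".subversion" / "auth" / "svn.simple").glob("*"):
        if p.is_file() and svn_cache_has_cleartext_password(p.read_bytes()):
            findings.append(f"{p}: Subversion password cached in clear text")
    return findings
```

Run `audit(Path.home())` to list both kinds of finding; a gnome-keyring, kwallet or gpg-agent passtype entry is not reported because the password is not in the file.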

Received on 2010-07-09 04:32:30 CEST

This is an archived mail posted to the Subversion Users mailing list.
