[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: dav-svn in multihost environments, but safe

From: Ulf Seltmann <seltmann_at_digitalzone.de>
Date: Mon, 26 Jul 2010 16:46:32 +0200

Am 26.07.2010 13:27, schrieb Nico Kadel-Garcia:
> The svnuser has its password locked and unusable, and it's shell set
> to /sbin/nologin. The SSH clients have their public SSH keys set,
> ideally public keys used for this alone though that's hard to enforce,
> and the keys are used for the svnuser's "authorized_keys" file to run
> the svnserve command with the "--user" option. This is the typical
> syntax, from the Subversion book, with "TYPE1 KEY1" being copied from
> the SSH key for "harry".
> command="svnserve -t
> --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
> TYPE1 KEY1 harry_at_example.com
Ok. thanks for pointing me to the manual. so let me summarize:

1. One ssh-account is needed.
2. via public keys i can identify different users. one keypair is needed
for each user and the public key has to be in the authorized_key file of
the ssh-account
3. i can disable all different task models via authorized_key file but
let the ssh user as it is (for svn unrelated jobs)
4. fine-granulared access-restriction is possible via authz-db

So, this is still a bunch of work, but seems doable

thanks so far

Received on 2010-07-26 16:47:11 CEST

This is an archived mail posted to the Subversion Users mailing list.