Re: svnserv + ssh + ldap

From: Stefan Sperling <stsp_at_elego.de>
Date: Fri, 30 Jul 2010 02:17:45 +0200

On Fri, Jul 30, 2010 at 01:57:53AM +0200, Nils Wilhelm wrote:
> Hi there,
>
> this is in addition to my last post:
>
> If I use
> - svn:// protocol everything will be sent in plain text so this will
> have security issues -> not usable for me
> - svn+ssh:// protocol I need an account on the server for every
> person for two reasons: The authentication using ssh and to manage
> the file permissions of the repository. This could be avoided using
> certificates as I read in a howto. But this wouldn't integrate LDAP
> - https: protocol using an apache webserver I enable everybody to
> browse the repository using a webbrowser. Is that correct? Could
> this be avoided?
>
> Does anybody see any alternatives to the three mentioned? Or a way
> to avoid the mentioned cons?

See http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks
for instructions on how to prevent giving shell access to users
using svn via ssh.
You can also use a single 'svn' user for all svn-related ssh connections.
Again, see the above link for details.
In any case, make sure to use an svnserve wrapper that sets the proper umask:
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.multimethod.html

As for ldap with ssh, I'm not sure. It should be possible to do this
by making ssh delegate authentication to pam, and to ldap from there.
But don't ask me for details, I've never really understood pam.

Stefan
Received on 2010-07-30 02:18:39 CEST
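
The single shared 'svn' account without shell access mentioned in the reply above, sketched as an added example (not part of the original mail and not the Subversion book's own code). It builds OpenSSH `authorized_keys` entries that force `svnserve -t --tunnel-user=NAME` and audits a file for entries that allow more than that; the function names, the user `harry` and the key material are constructed for illustration.

```shell
#!/bin/sh
# Added example: entries for ~svn/.ssh/authorized_keys on a shared 'svn' account.
PREFIX='command="svnserve -t --tunnel-user='
RESTRICT='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'

# Print one entry binding a public key to a Subversion username.
# $1 = svn username, $2 = public key line ("type base64 [comment]")
svn_key_line() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) echo "bad username" >&2; return 1 ;;
    esac
    case "$2" in
        *'
'*) echo "key must be a single line" >&2; return 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "unrecognised key type" >&2; return 1 ;;
    esac
    printf '%s%s",%s %s\n' "$PREFIX" "$1" "$RESTRICT" "$2"
}

# Audit a file: report entries not locked to svnserve with all restrictions.
# Returns 0 when every entry is locked down, 1 otherwise.
audit_svn_keys() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        rest=${line#"$PREFIX"}      # strip the forced-command prefix
        user=${rest%%\"*}           # username runs up to the closing quote
        tail=${rest#"$user"}
        case "$user" in ''|*[!A-Za-z0-9._-]*) tail='' ;; esac
        case "$tail" in
            '",'"$RESTRICT"' '*) [ "$rest" != "$line" ] && continue ;;
        esac
        echo "line $n: not restricted to svnserve"
        bad=1
    done < "$1"
    return "$bad"
}

# Constructed sample key, not a real one.
svn_key_line harry 'ssh-ed25519 AAAAC3constructed harry@example'
```

The username check matters because the name is written inside the quoted `command="..."` option: a name containing a quote or comma could otherwise close the option early and drop the restrictions that follow it.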

This is an archived mail posted to the Subversion Users mailing list.