
Re: svnserv + ssh + ldap

From: Andy Levy <andy.levy_at_gmail.com>
Date: Fri, 30 Jul 2010 08:45:53 -0400

On Fri, Jul 30, 2010 at 07:56, Nico Kadel-Garcia <nkadel_at_gmail.com> wrote:
> On Thu, Jul 29, 2010 at 8:51 AM, Nils Wilhelm <murphy_at_planet-of-art.de> wrote:
>> Hi there,
>>
>> I need your help getting an overview and configuring a Subversion server.
>> What I have to do is set up a Subversion server using LDAP and SSH.
>> After reading some theory about it I'm totally confused :-) So I hope you
>> can help me with that.
>>
>> What I have: A SUSE server with a working SSH connection, nothing else, i.e.
>> all other ports are closed.
>>
>> What my boss wants: The server should be accessed using SSH because of
>> security issues and the authentication (for Subversion) should be managed by
>> LDAP (other apps will use LDAP as well). Svnserve should be used instead of an
>> Apache webserver extension. Round about 20 persons should have access to
>> Subversion but should not be able to open an SSH shell connection to the
>> server. Is that possible? I hope anybody can give me an overview.
>>
>> Best regards
>>
>> Nils
>
> Don't use LDAP. One problem is that it will allow multiple users
> filesystem access to the Subversion repository, and *SOMEONE* is
> likely to screw it up for everyone else by trying to manually edit
> something in the repository in a large environment with multiple
> developers. Also, remember that the UNIX and Linux clients will save
> passwords in clear text by default in the user's home directory. That
> makes your LDAP passwords vulnerable to anyone who can access home
> directories or backup tapes. This is a longstanding vulnerability, and
> there is no fix. (Subversion 1.6 does warn you before saving them,
> which is polite, but will still save them, which is bad.)

This is not entirely accurate. As of Subversion 1.6, *NIX clients can
use GNOME Keyring or KDE Wallet to safely store passwords.
http://blogs.open.collab.net/svn/2009/07/subversion-16-security-improvements.html
Received on 2010-07-30 14:46:51 CEST

This is an archived mail posted to the Subversion Users mailing list.
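
Whether a given client is in the plaintext situation Nico describes or the keyring situation Andy describes can be checked from how each cached credential was stored. The script below is an added example, not part of the original thread or of Subversion itself; it assumes the client's cache layout (`~/.subversion/auth/svn.simple/`, entries in the `K`/`V` serialized-hash format with a `passtype` field, where `simple` means plaintext), and the sample entries and the `serialize` helper are constructed for illustration.

```python
import io
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse Subversion's serialized hash: 'K <len>', key, 'V <len>', value, ..., 'END'."""
    stream, fields = io.BytesIO(data), {}
    while True:
        header = stream.readline().strip()
        if header in (b"END", b""):
            return fields
        pair = []
        for tag in (b"K", b"V"):
            got, _, length = header.partition(b" ")
            if got != tag or not length.isdigit():
                raise ValueError(f"malformed header {header!r}")
            pair.append(stream.read(int(length)).decode(errors="replace"))
            stream.readline()  # consume the newline that ends the item
            if tag == b"K":
                header = stream.readline().strip()
        fields[pair[0]] = pair[1]

def audit_entry(data: bytes) -> dict:
    """Report how one credential is stored; passtype 'simple' means unencrypted on disk."""
    entry = parse_svn_hash(data)
    return {"realm": entry.get("svn:realmstring", "?"),
            "username": entry.get("username", "?"),
            "passtype": entry.get("passtype", "?"),
            "plaintext": entry.get("passtype") == "simple" and "password" in entry}

def audit_cache(auth_dir=Path.home() / ".subversion" / "auth" / "svn.simple"):
    results = []
    for path in sorted(auth_dir.iterdir()) if auth_dir.is_dir() else []:
        try:
            results.append((path.name, audit_entry(path.read_bytes())))
        except (OSError, ValueError):
            continue  # unreadable file or not a cache entry
    return results

def serialize(fields: dict) -> bytes:  # hypothetical helper: builds constructed samples
    items = (f"K {len(k.encode())}\n{k}\nV {len(v.encode())}\n{v}\n" for k, v in fields.items())
    return ("".join(items) + "END\n").encode()
# Constructed sample entries (not real credentials).
REALM = "<svn://svn.example.test:3690> demo"
SAMPLE_PLAINTEXT = serialize({"passtype": "simple", "password": "not-a-real-secret",
                              "svn:realmstring": REALM, "username": "alice"})
SAMPLE_KEYRING = serialize({"passtype": "gnome-keyring", "svn:realmstring": REALM, "username": "alice"})
if __name__ == "__main__":
    for name, report in audit_cache():
        print("PLAINTEXT" if report["plaintext"] else "ok", name, report["realm"], report["passtype"])
```

The report never echoes the password itself. Setting `store-plaintext-passwords = no` in `~/.subversion/servers` stops a 1.6 client from writing new `simple` entries; existing ones stay until removed.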
