
Re: svnserv + ssh + ldap

From: Stefan Sperling <stsp_at_elego.de>
Date: Sat, 31 Jul 2010 00:50:21 +0200

On Fri, Jul 30, 2010 at 05:51:42PM -0400, Nico Kadel-Garcia wrote:
> It's the integration of LDAP authentication that interferes
> with restricting the ssh+svn access to strictly ssh+svn, and allows
> access to the filesystem of the Subversion server via ssh, scp, and
> possibly sftp.

I see. Well, if you cannot use key-login with that, then you can't restrict
users by using the 'command' directive in authorized keys files.
Maybe one could use a custom login shell that only allows execution of
certain commands, such as svnserve? A bit ugly, but this approach is used
with e.g. anoncvs on OpenBSD systems: www.openbsd.org/anoncvs.shar

I still object to your claim that this was Subversion's fault
because "Security infrastructure is not Subversion's strong point."
That's just FUD.
If OpenSSH supported key-based login based on public key credentials
stored in LDAP, this would not be an issue.

Stefan
Received on 2010-07-31 00:51:13 CEST
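
The custom login shell idea from the message above, sketched as an added example that is not part of the original post and is not the OpenBSD anoncvs code. The paths /srv/svn and /usr/bin/svnserve and the function names are assumptions; it relies on sshd starting the account's login shell as `<shell> -c "<command>"` and on svn+ssh clients requesting `svnserve -t`.

```shell
#!/bin/sh
# Restricted login shell sketch: sshd starts a user's login shell as
#   <shell> -c "<command the client asked for>"
# and an svn+ssh:// client asks for exactly "svnserve -t".
# SVN_ROOT and SVNSERVE are assumed paths; adjust to the local install.
SVN_ROOT=${SVN_ROOT:-/srv/svn}
SVNSERVE=${SVNSERVE:-/usr/bin/svnserve}

# classify_request ARGS...  -> prints "allow" or "deny:<reason>"
# Pure decision function, kept separate from exec so it can be tested.
classify_request() {
    [ "$#" -eq 2 ] || { echo "deny:interactive-or-malformed"; return 1; }
    [ "$1" = "-c" ] || { echo "deny:unexpected-flag"; return 1; }
    # Exact string match only: no prefix matching, no word splitting, no eval,
    # so "svnserve -t; sh" or "svnserve -t -r /" never reach a shell parser.
    case "$2" in
        "svnserve -t") echo "allow"; return 0 ;;
        *) echo "deny:command-not-permitted"; return 1 ;;
    esac
}

restricted_main() {
    if verdict=$(classify_request "$@"); then
        # Client-supplied text is discarded; a fixed argv is executed.
        # -r confines repository paths to SVN_ROOT.
        exec "$SVNSERVE" -t -r "$SVN_ROOT"
    fi
    logger -t svn-shell -p auth.notice \
        "refused request from ${USER:-unknown}: $verdict" 2>/dev/null || true
    echo "This account is restricted to svn+ssh access." >&2
    exit 1
}

# Entry point when sshd passes a command. An interactive login has no
# arguments, so nothing runs and the session ends.
[ "$#" -eq 0 ] || restricted_main "$@"
```

A login shell only constrains what sshd runs through the shell. Port forwarding and an in-process `internal-sftp` subsystem do not pass through it and have to be disabled in sshd_config.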

This is an archived mail posted to the Subversion Users mailing list.
