Re: svnserv + ssh + ldap

From: Stefan Sperling <stsp_at_elego.de>
Date: Sat, 31 Jul 2010 00:50:21 +0200

On Fri, Jul 30, 2010 at 05:51:42PM -0400, Nico Kadel-Garcia wrote:
> It's the integration of LDAP authentication the interferes
> with restricting the ssh+svn access to strictly ssh+svn, and allows
> access to the filesystem of the Subversion server via ssh, scp, and
> possibly sftp.

I see. Well, if you cannot use key-login with that, then you can't restrict
users by using the 'command' directive in authorized keys files.
Maybe one could use a custom login shell that only allow execution of
certain commands, such as svnserve? A bit ugly, but this approach is used
with e.g. anoncvs on OpenBSD systems: www.openbsd.org/anoncvs.shar

I still object to your claim that this was Subversion's fault
because "Security infrastructure is not Subversion's strong point."
That's just FUD.
If OpenSSH supported key-based login based on public key credentials
stored in LDAP, this would not be an issue.

Stefan
Received on 2010-07-31 00:51:13 CEST

This message: [ Message body ]
Next message: Daniel Shahaf: "Re: Recovering repository with multiple missing rev/ files"
Previous message: Stefan Sperling: "Re: Recovering repository with multiple missing rev/ files"
In reply to: Nico Kadel-Garcia: "Re: svnserv + ssh + ldap"
Next in thread: Nico Kadel-Garcia: "Re: svnserv + ssh + ldap"
Reply: Nico Kadel-Garcia: "Re: svnserv + ssh + ldap"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]