On 08/10/2010 14:54, Andy Levy wrote:
> On Fri, Oct 8, 2010 at 08:09, Nico Kadel-Garcia<nkadel_at_gmail.com> wrote:
>> Also note: both the 'svn' and 'http' access send the passwords over
>> the network in clear text. There are ways around this (such as SSH or
>> SSL tunneling), but they're pesky to set up. Fortunately, "https"
>> already has that built in.
> HTTP Digest Authentication does not send the password in cleartext, it
> sends an MD5 hash. Yes, the hash is sent in cleartext, but that is not
> exactly the same as sending the *password* in cleartext.
>
> If you configure your svnserve to use SASL, it can use several methods
> of encryption for authentication.
> http://svnbook.red-bean.com/en/1.5/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl
>
> I understand that you're very concerned with security shortcomings,
> but you're leaving out important details that may make the system
> appear less secure than it really can be with proper configuration.
After all, I think I might consider svn+ssh for large-scale svn unix
command line access.
Here's the scenario:
1) I set up and manage all repositories with a unique local unix account
(for example, username svn!); that account issues all "svn create" commands and
owns the repos filesystem directories.
2) Enable the server to resolve LDAP users (pam & nss ldap), so that the
--tunnel-user=ldapusername option (see 3 below) works.
3) Then add the LDAP users' public ssh keys to the authorized_keys of that
unique svn manager account, as in:
command="svnserve -t --tunnel-user=ldapusername" ssh-rsa KEYXXXXX COMMENT
4) Write a script / web GUI that enables users to push their key into
~svn/.ssh/authorized_keys.
5) Copy a centrally managed authz file into every repos/conf/authz file;
if I understand svnserve correctly, there's no central authz directive like
AuthzSVNAccessFile as in Apache DAV svn!?
Does this scenario make sense?
I agree step 4 will take some time...
Thanks for your remarks.
Received on 2010-10-08 15:53:18 CEST
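The following is an added example, not code from the thread above, showing how the key-upload script of step 4 could build and append the forced-command `authorized_keys` line from step 3 for the shared svn account. It validates the LDAP username before embedding it in the `command=` string (otherwise a crafted username could alter the forced command or the ssh options), accepts only well-formed public keys, and adds the restrictive ssh options that the forced command should carry. The repository root `/srv/svn`, the function names and the sample key are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): build and append one
# authorized_keys line for the shared "svn" account used by svn+ssh.
# Assumed: repositories live under /srv/svn; the file path is passed explicitly
# so the functions can be exercised against a scratch file instead of
# ~svn/.ssh/authorized_keys.

# Only allow usernames that cannot break out of the quoted command= string
# or smuggle extra ssh options: letters, digits, dot, underscore, hyphen.
valid_tunnel_user() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$'
}

# Accept one key of the form "<type> <base64> [comment]" with a known key type;
# a double quote anywhere would corrupt the authorized_keys line, so reject it.
valid_pubkey() {
    printf '%s' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) [A-Za-z0-9+/]+=*( [^"]*)?$'
}

# Print the authorized_keys line: force svnserve in tunnel mode for this LDAP
# user, pin the repository root, and switch off port/agent/X11 forwarding and
# pty allocation so the key cannot be used for an interactive shell.
authorized_keys_line() {
    user=$1
    pubkey=$2
    valid_tunnel_user "$user" || return 1
    valid_pubkey "$pubkey" || return 1
    printf 'command="svnserve -t --tunnel-user=%s -r /srv/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$user" "$pubkey"
}

# Append the line to the given authorized_keys file, skipping keys already
# present so a repeated upload does not create duplicate entries.
add_key() {
    user=$1
    pubkey=$2
    file=$3
    line=$(authorized_keys_line "$user" "$pubkey") || return 1
    grep -qF -- "$pubkey" "$file" 2>/dev/null && return 0
    printf '%s\n' "$line" >> "$file"
}

# Usage (constructed sample key, not a real one):
# add_key alice "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample alice@example.org" ~svn/.ssh/authorized_keys
```

In production the script runs as the svn account (or writes through a setuid helper) with a restrictive umask, since `~svn/.ssh/authorized_keys` must not be group- or world-writable for sshd to honour it.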