
Re: Subversion 1.6 on Ubuntu Server 11.x

From: Geoff Hoffman <ghoffman_at_cardinalpath.com>
Date: Sat, 11 Jun 2011 09:57:33 -0700

On Sat, Jun 11, 2011 at 8:27 AM, Nico Kadel-Garcia <nkadel_at_gmail.com> wrote:

> On Fri, Jun 10, 2011 at 6:26 PM, Geoff Hoffman
> <ghoffman_at_cardinalpath.com> wrote:
> > I posted about this on the Ubuntu forums but thus far nobody has replied.
> > When SSH'd into the box and using svn operations, I'm getting the dastardly
> > warning about my password is going to get stored to disk unencrypted.
> > I read about Subversion 1.6 security changes.
> > I read about Subversion 1.6 on Ubuntu Server over at superuser.com.
> > I read about gnome-keyring over at stackoverflow.
> > I've been doing a lot of reading on it.
> > I have done the following:
> > * installed gnome-keyring
> > * edited my ~/.subversion/config to turn
> >   password-stores = gnome-keyring
> > * edited my ~/.subversion/servers to
> >   store-passwords = yes
> >   store-plaintext-passwords = no
> > Thing is, I'm not using any GUI so it's still not working. Should I try
> > encfs ?
> > I read another post about a tool from CollabNet called keyring_tool but I
> > don't have it on this system. Where do I get that? I've never run into these
> > issues before (new distro, new svn version).
> > Any additional insight would be very much appreciated.
>
> I have *never* gotten the gnome keyrings working well with Subversion.
> I'm afraid there are a lot of subtly distinct implementations of the
> necessary toolchain out there, and the lot of them tend to be pretty
> fragile.
>
>
Hmm.

> Frankly, I find it more effective, and safer, to use SSH keys and a
> key agent as necessary, with a key specifically dedicated to the SVN
> access. This can be mandated with "SVN_SSH='ssh -l username -i
> keyname'" to avoid using other keys.
>

I don't mind doing this, but is this something that goes in .bash_profile?

And would I then use svn+ssh://localhost/svn/repo/etc
instead of http://localhost/svn/repo/etc?

> The stored SSH public keys on the remote server can even be set to
> restrict access to only svnserve tunneling, even to read-only access.
> Coupled with the kind of single svn user account setup described in
> passing in the "Red Book", it's a better security model than giving
> all SVN clients shell access to the server.
>
Received on 2011-06-11 18:58:13 CEST
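
The restriction described in the quoted reply (stored public keys limited to svnserve tunneling, optionally read-only, on a single svn account), as an added shell example that is not part of the original mail or of Subversion itself: `svn_key_line` builds an authorized_keys entry and `audit_svn_keys` flags keys that would still allow a shell. The account name `svn`, the repository root `/srv/svn`, the key file name and the key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example; account name, repository root and key strings are constructed.

# Print an authorized_keys line that pins one key to svnserve tunnel mode.
# $1 = author name for commits, $2 = repository root, $3 = rw|ro, $4 = public key
svn_key_line() {
    opts="-t --tunnel-user=$1 -r $2"
    if [ "$3" = "ro" ]; then
        opts="$opts --read-only"   # svnserve refuses all writes for this key
    fi
    printf 'command="svnserve %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$opts" "$4"
}

# Print every key in file $1 that is not pinned to "svnserve -t" with no-pty.
# Returns 0 only when all keys are restricted. The check is strict: it expects
# the forced command as the first option, the way svn_key_line writes it.
audit_svn_keys() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                       # blank line or comment
            'command="svnserve -t '*'"'*no-pty*) ;;    # tunnel only, no terminal
            *) printf 'UNRESTRICTED: %s\n' "$line"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Client side, as in the mail: use only the dedicated key for svn+ssh:// URLs.
# IdentitiesOnly keeps ssh from offering other keys held by the agent.
# The key file name id_svn_only is hypothetical.
# export SVN_SSH="ssh -l svn -i $HOME/.ssh/id_svn_only -o IdentitiesOnly=yes"

# Demo on constructed keys: one read-only entry, one left unrestricted.
demo() {
    f=$(mktemp)
    svn_key_line alice /srv/svn ro 'ssh-ed25519 AAAAconstructed1 alice@laptop' > "$f"
    echo 'ssh-ed25519 AAAAconstructed2 bob@laptop' >> "$f"
    status=0
    audit_svn_keys "$f" || status=$?
    rm -f "$f"
    return "$status"
}

demo || echo "audit failed: at least one key is not restricted to svnserve"
```

Run the audit against the shared account's `~/.ssh/authorized_keys` on the server; any `UNRESTRICTED` line is a key that can still open an interactive session.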

This is an archived mail posted to the Subversion Users mailing list.