[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: disable security hole in svn+ssh?

From: Matthew Beals <mjbeals_at_mtu.edu>
Date: Thu, 28 Jul 2011 10:44:47 -0400 (EDT)

> That "svn" user can be set to have no valid shell, with its shell set
> to something like "/sbin/nologin". This is actually quite common for
> system services to have no valid shell. This is how the "apache" or
> "www-data" user is usually set up.
But that would prevent login using ssh, which I don't want. I can tell
the sysadmin "we need an SSH login for Charlie so he can use
Subversion", but I cannot say "You have to cut the SSH login for Marilyn
so she can't use Subversion".

*Truncated for clarity*
One option would be to generate a different (password enabled... of course) key for each unique user (all logging in with the same SVN user name). Then revoking SVN access is as simple as removing that user's key from the authorized_keys list.

----------------------------------------
Matthew Beals
Michigan Technological University
Department of Atmospheric Sciences
1400 Townsend Drive
B019a Fisher Hall
Houghton, MI 49931
mjbeals_at_mtu.edu
Received on 2011-07-28 16:45:20 CEST

This is an archived mail posted to the Subversion Users mailing list.