
Re: disable security hole in svn+ssh?

From: Geoff Hoffman <ghoffman_at_cardinalpath.com>
Date: Thu, 28 Jul 2011 07:48:34 -0700

On Thu, Jul 28, 2011 at 7:29 AM, Andy Canfield <andy.canfield_at_pimco.mobi> wrote:
<snip>

>> Hold it right there. You're providing password based repository access
>> via HTTP, not HTTPS? Please rethink this unless you *want* the
>> passwords for this repository to be quite insecure and sniffable,
>> especially if you're using normal user login passwords.
>>
> If HTTP sends passwords in as plain text then yes, HTTPS is better. But I
> can't get HTTPS to work at all. I get the impression from googling that
> HTTPS requires a certificate, and I don't have a certificate. If I could
> generate my own certificate, we could tell our developers "Accept this
> certificate the first time you see it, and after that it will work every
> time."
>
</snip>
<snip>

> So there are actually four protocols that a workstation can use to access a
> Subversion repository: http, https, svn:, and svn+ssh. Assuming that I pick
> one, how do I turn the others off? If James Bond can access via https, how
> can we prevent him from using http and blowing the security? If James Bond
> has an ssh login account on the server, but should not be using Subversion
> at all, how do we prevent him from using svn+ssh:? How do we prevent him
> from logging in and using file:? How do we prevent him from logging in and
> running svnadmin?
>
</snip>

Wow Andy, you have really put SVN security through the wringer and brought up
some really good points. We're hosting svn behind our firewall on http and
so our users have to have a VPN to connect. This of course requires a
certain type of security appliance (several hundred bucks at a minimum.)

Some of our users have ssh login on the same box running svn but I never
thought to secure svnadmin or prevent svn+ssh so I never really thought
about it at the level you are doing. You can chroot users [2] into their
home dir if you go with svn+ssh... Matt's suggestion to generate ssh keys
for everyone is a good idea also (as well as making it simpler to connect in
a development workflow).

I would think https would be your best bet; you can make a self signed
certificate[1] but even an actual SSL isn't that hard to install and only
$20/yr from GoDaddy, for example. You can then detect http protocol with a
rewrite rule and redirect to https using mod_rewrite in either the vhost
container or .htaccess file.

Have you thought of getting some paid help from, e.g., CollabNet [3]? Maybe
well worth it in your case. (Case STUDY more like it!)

[1] https://help.ubuntu.com/8.04/serverguide/C/certificates-and-security.html
[2] https://help.ubuntu.com/community/BasicChroot
[3] http://www.open.collab.net/consulting/
Received on 2011-07-28 16:49:09 CEST
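
The http-to-https redirect suggested in the message above, sketched as an Apache vhost pair. This is an added example, not configuration from the thread: the hostname, file paths and realm name are placeholders, and it assumes mod_rewrite, mod_ssl and mod_dav_svn are loaded.

```apache
# Added example. svn.example.com, /var/svn and the certificate and
# password file paths are placeholders, not values from the thread.

# Port 80 carries no repository and no auth configuration at all:
# it only redirects, so it never serves the repository or asks for a password.
<VirtualHost *:80>
    ServerName svn.example.com

    RewriteEngine On
    # Always true in this vhost; kept so the same two lines also work
    # in a .htaccess file that is shared by http and https.
    RewriteCond %{HTTPS} off
    # Redirect to the fixed ServerName rather than echoing the Host header.
    RewriteRule ^ https://svn.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName svn.example.com

    SSLEngine on
    # A self-signed certificate works here; clients are prompted to
    # accept it on first connection.
    SSLCertificateFile    /etc/ssl/certs/svn.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/svn.example.com.key

    <Location /svn>
        DAV svn
        SVNParentPath /var/svn

        # Refuse the request outright if it somehow arrives without TLS.
        SSLRequireSSL

        AuthType Basic
        AuthName "Subversion"
        AuthUserFile /etc/apache2/dav_svn.passwd
        Require valid-user
    </Location>
</VirtualHost>
```

This covers only the http and https paths; access over svn+ssh, file: and svnadmin by users with shell logins is governed by ssh configuration and filesystem permissions on the repository, not by Apache.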

This is an archived mail posted to the Subversion Users mailing list.