
(no subject)

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Thu, 9 Feb 2012 02:09:27 -0500

On Thu, Feb 9, 2012 at 1:59 AM, <d.guthmann_at_gmx.net> wrote:
> Hello,
>
> we run a subversion-server with apache and access it through https. Now we want to grant also external developers access to our repositories.
> As subversion-client we use subclipse via JavaHL under Windows. The https-Port on the server is not reachable from any external network.
>
> I've now found the subversion-feature "svn+ssh" and I would like to use it as a tunnel from those external developers computer.
>
> So the URL would be "svn+ssh://user@hostname:220/srv/svn/project/" - normally we use the URL "https://hostname/repos/projekt/"
>
> Would it work properly (e.g. executing hooks) or is it a problem to access one repository in two different ways? The URL "svn+ssh://user@hostname:220/srv/svn/projekt/" suggests that we are bypassing the svn-Module...

As someone who strongly encourages the use of svn+ssh for security
reasons, I can tell you there are security model differences. The
ownership of the repository for Apache access is usually "apache". The
ownership for svn+ssh, or svn, is usually a designated user such as
"svn", so you have to make sure the repository is accessible to
read/write for both users, *or* switch entirely to svn+ssh for write
access, or do something complicated. There are complicated ways to do
this, but I don't recommend them.

You'll also need to rethink your password handling or key access
model. Since the svn+ssh access works best with SSH keys designed to
force the "svnserve" command with a hardcoded user name, you'll need
a method to handle the SSH keys, both to add them and to expire them
as needed.

The Subversion "red book" is actually quite good about explaining
this: it doesn't go into as much detail about supporting multiple
access methods as you might like.

> We also use some access-control features like "AuthzSVNAccessFile" in the Apache-configuration - am I right assuming that those access-control doesn't take effect when accessing over svn+ssh://?

I'm afraid not. You'll need to use some of the more Subversion
internal systems, such as pre-commit.

> Thanks in Advance.
>
> Rgds.
> Dieter
Received on 2012-02-09 08:10:27 CET

This is an archived mail posted to the Subversion Users mailing list.
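
The reply above describes SSH keys that force the "svnserve" command with a hardcoded user name, and the need to add and expire those keys. As an added example (not part of the original mail, and not the Subversion project's code), this script audits an authorized_keys file for that setup; the function names, user names, repository root and key placeholders are assumptions, and the sample file is constructed.

```python
import re

# SSH features an svn-only key never needs; OpenSSH's "restrict" option implies them all.
LOCKDOWN = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# One option: name, optional ="quoted value", then "," (more follow) or whitespace (end).
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s+)')

def parse_options(line):
    """Return the options that precede the key type on one authorized_keys line."""
    opts, pos, more = {}, 0, not line.startswith(KEY_TYPES)
    while more and (m := OPTION.match(line, pos)):
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        pos, more = m.end(), m.group(3) == ","
    return opts

def audit_entry(line, today):
    """Return findings for one entry ([] = svn-only key); today is 'YYYYMMDD'."""
    opts = parse_options(line.strip())
    argv = opts["command"].split() if isinstance(opts.get("command"), str) else []
    if not argv:
        return ["no forced command: key gives a normal shell"]
    findings = []
    if argv[0].rsplit("/", 1)[-1] != "svnserve" or "-t" not in argv:
        findings.append("forced command is not 'svnserve -t'")
    if not any(re.fullmatch(r"--tunnel-user=\S+", a) for a in argv):
        findings.append("no --tunnel-user: commits carry the shared account name")
    missing = set() if "restrict" in opts else LOCKDOWN - set(opts)
    if missing:
        findings.append("missing " + ",".join(sorted(missing)))
    expiry = opts.get("expiry-time")  # OpenSSH option, value YYYYMMDD[HHMM[SS]]
    if isinstance(expiry, str) and expiry[:8] <= today:
        findings.append("key expired on " + expiry[:8])
    return findings

def audit_file(text, today):
    """Map 1-based line number to findings for every non-comment entry."""
    return {n: audit_entry(l, today) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")}

# Constructed sample; key material is a placeholder, user names are hypothetical.
SAMPLE = '''\
command="/usr/bin/svnserve -t --tunnel-user=alice -r /srv/svn",restrict ssh-ed25519 AAAA_PLACEHOLDER alice
command="svnserve -t",no-pty ssh-ed25519 AAAA_PLACEHOLDER bob
ssh-rsa AAAA_PLACEHOLDER carol
command="svnserve -t --tunnel-user=dave",restrict,expiry-time="20120301" ssh-ed25519 AAAA_PLACEHOLDER dave
'''
for n, f in audit_file(SAMPLE, "20120401").items():
    print(n, "; ".join(f) or "OK")
```

Run against the shared account's real authorized_keys by passing the file's text to `audit_file`; any entry with findings can reach more than svnserve or has outlived its expiry date.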