
Re: Troubleshooting Gnome keyring

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Thu, 20 Dec 2012 07:46:02 -0500

On Wed, Dec 19, 2012 at 12:25 PM, Mark Phippard <markphip_at_gmail.com> wrote:
> On Tue, Dec 18, 2012 at 10:42 PM, Nico Kadel-Garcia <nkadel_at_gmail.com> wrote:
>> On Tue, Dec 18, 2012 at 11:09 AM, Mark Phippard <markphip_at_gmail.com> wrote:
>>> On Mon, Dec 17, 2012 at 8:17 PM, Aubrey Barnard <barnard_at_cs.wisc.edu> wrote:
>>>
>>>> I am having trouble getting Subversion to work with the Gnome keyring and
>>>> would like some advice on how to troubleshoot the situation. At this point I
>>>> have tried everything I can find (Google, these archives), so I need to find
>>>> how/where things are failing.
>>>>
>>>> I am using the svn+ssh protocol to access a server within my organization.
>>>> Even with what I understand is the proper configuration, I am still prompted
>>>> for my SSH password and Subversion never mentions a keyring or asks for a
>>>> keyring password. The environment is RHEL 6, so I expected this to work
>>>> out-of-the-box with the default svn. More information is below.
>>>
>>> Subversion does not really do any authentication when you use SSH, so
>>> there are no credentials for it to cache and none of those settings
>>> come into play.
>>>
>>> When you use SSH, the authentication process is managed by your SSH
>>> client. I think most Unix users use something like ssh-agent to
>>> manage their keys and I believe there are flavors of that which
>>> interact with a GUI such as GNOME.
>>
>> But the "gnome-keyring" is supposed to manage this for you with Gnome
>> up and running. Aubrey, which Subversion are you using? I've published
>> SRPM tools at https://github.com/nkadel/subversion-1.6.18-srpm which
>> you may find useful to build a fully equipped Subversion 1.6.18,
>> compatible with Red Hat's, but with all the latest features such as
>> gnome-keyring support as much as can be activated with RHEL 5.
>>
>> Alternatively, jump to RHEL 6 or Scientific Linux 6, both of which have
>> better support for such modern tools.
>
> There are integrations between OpenSSH and ssh-agent and GNOME
> keyring, however this has nothing to do with Subversion or the SVN
> binaries you are using. It has to do with your SSH client.
> Subversion just spawns the SSH client and the rest is determined by
> that client.
>
> Subversion's GNOME keyring support applies to Subversion's password
> caching which does not apply when SSH is being used.

You've a point about the distinction, but I thought it was working
well with SSH passphrase requests when I used it last. I don't have a
local Subversion repo to play with. Aubrey, can you activate an SSH key
for this and test using the SSH key?

It's not clear which svn+ssh setup our faithful narrator is using. The
security of direct user login with SSH passwords and local SSH
accounts on the Subversion server is... well, it's a long-standing
management problem. The Subversion "Red Book", sadly, only mentions
the correct solution of a designated "svn" user with SSH keys using
the "force-command" option as a kind of afterthought, and the results
are confusing. Because it's mentioned as a complex afterthought,
rather than as the recommended default, life gets confusing.

I am *not* going to get into the reasons why SSH authentication is
preferable to HTTPS here unless asked. I've been very vocal about it
for years, in the Subversion mailing lists.
Received on 2012-12-20 13:46:43 CET
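
The designated "svn" user setup mentioned in the message above can be checked mechanically. This is an added example, not part of the original mail or of Subversion; it assumes the "force-command" option means the command="..." option in the svn account's authorized_keys file, as in the Subversion book's svnserve-over-SSH section. The function names and sample entries are constructed for illustration.

```python
import shlex
# Restrictions the Subversion book's example lists beside the forced command.
RESTRICTIONS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
SAMPLE = [  # constructed entries; the key material is a placeholder
    'restrict,command="svnserve -t --tunnel-user=alice" ssh-ed25519 AAAA...placeholder alice',
    'command="svnserve -t",no-pty ssh-ed25519 AAAA...placeholder bob',
    'ssh-ed25519 AAAA...placeholder carol',
]

def parse_line(line):
    """Split one authorized_keys line into (options, remainder with the key)."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):   # entry has no options field
        return [], line
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and i + 1 < len(line):
            cur, i = cur + line[i:i + 2], i + 2   # keep an escaped char such as \"
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in ", \t":     # next option, or end of the field
            opts.append(cur)
            if ch != ",":
                return opts, line[i:].strip()
            cur, i = "", i + 1
            continue
        cur, i = cur + ch, i + 1
    return opts + [cur], ""

def audit(line):
    """Return the problems in one key entry of the shared svn account."""
    opts, _ = parse_line(line.strip())
    low = [o.lower() for o in opts]
    cmd = next((o[9:-1] for o in opts if o.lower().startswith('command="')), None)
    if cmd is None:
        return ["no forced command: key is not limited to svnserve"]
    argv, problems = shlex.split(cmd), []
    if not argv or argv[0].rsplit("/", 1)[-1] != "svnserve":
        problems.append("forced command is not svnserve")
    elif "-t" not in argv and "--tunnel" not in argv:
        problems.append("svnserve is not in tunnel mode (-t)")
    if not any(a.startswith("--tunnel-user") for a in argv):
        problems.append("no --tunnel-user: commits all appear as the shared account")
    if "restrict" not in low:   # 'restrict' disables these; later re-enables are not checked
        problems += [f"missing {r}" for r in sorted(RESTRICTIONS - set(low))]
    return problems

if __name__ == "__main__": print([audit(e) or "ok" for e in SAMPLE])
```

An empty list from audit() means the entry pins the key to svnserve in tunnel mode with a per-key user name and no forwarding or pty.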

This is an archived mail posted to the Subversion Users mailing list.
