
Re: Push ?

From: Dan White <d_e_white_at_icloud.com>
Date: Mon, 16 Sep 2013 19:53:43 +0000 (GMT)

The described solution is one we already use within our network space, but Security will not allow a connection from DMZ to the internal SVN server. It violates the whole purpose of having a DMZ in the first place.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” (Bill Watterson: Calvin & Hobbes)

On Sep 16, 2013, at 12:19 PM, Thomas Harold <thomas-lists_at_nybeta.com> wrote:

> On 9/15/2013 11:32 AM, Dan White wrote:
>> The issue is that the client end of the transaction is in a DMZ.
>> A connection from a DMZ to one’s internal network is a very high
>> security risk. What I was hoping for was a way to define a very
>> specific connection from the Subversion server to the DMZ client
>> (push). This is considered to be a much lower security risk.
>
> One way to handle this is to use SSH to access the specific SVN repository.
>
> 1. Use a no-password SSH public-key pair that the DMZ host can punch
> through to the SSH port on the internal SVN server. (Naturally, SSH
> should be set to disallow root login, and only allow public-key
> authentication.)
>
> - If you can't change everyone over to using public keys and disabling
> password-based authentication for SSH, then you should run a 2nd SSHD
> process on a different port and have that only allow specific accounts
> to login and require public-key authentication. Then you can set up your
> DMZ -> SVN server firewall to only allow access to the SVN SSH alternate
> port from the DMZ.
>
> 2. Give the SSH account read-only access to the SVN repo that it needs.
>
> 3. Lock down what the SSH account can do to just:
>
> command="/usr/bin/svnserve -t -r /var/svn",no-agent-forwarding,no-pty,no-port-forwarding,no-X11-forwarding ssh-rsa ...
>
> Since the account will have very limited permissions on the SVN machine
> (read-only access), there's not a whole lot that someone could do with
> the account. Plus the use of the command= line means they'd have to
> figure out a way to escape the svnserve program in order to get a
> command-line on the SVN machine.
Received on 2013-09-16 21:54:27 CEST
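Added example, not part of this archived thread: a POSIX shell audit that checks an authorized_keys file for the forced-command pattern Thomas describes (command="/usr/bin/svnserve -t ..." plus the four no-* options) and rejects any entry that would hand the DMZ host more than svnserve. The key lines, comments and the /var/svn root are constructed placeholders; accepting OpenSSH's "restrict" keyword as equivalent to the four no-* options is an assumption beyond the mail.

```shell
#!/bin/sh
# Audit an OpenSSH authorized_keys file for the locked-down svnserve entry from
# the mail: forced command="/usr/bin/svnserve -t ..." plus no-agent-forwarding,
# no-pty, no-port-forwarding, no-X11-forwarding ("restrict" accepted as covering
# the four). Read-only access itself comes from svnserve/authz, not this line.

# Print the options field of one authorized_keys line (empty if it has none).
ak_options() {
    printf '%s\n' "$1" | sed -E \
        's#[[:space:]]*(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp[0-9]+)[[:space:]]+[A-Za-z0-9+/=]+.*$##'
}

# Print "OK" or "REJECT: <missing items>"; exit status 0 only when OK.
check_ak_line() {
    opts=$(ak_options "$1")
    missing=""
    case $opts in
        *'command="/usr/bin/svnserve -t '*) ;;
        *) missing="$missing forced-svnserve-command" ;;
    esac
    case ",$opts," in *",restrict,"*) restricted=1 ;; *) restricted=0 ;; esac
    for o in no-agent-forwarding no-pty no-port-forwarding no-X11-forwarding; do
        case ",$opts," in
            *",$o,"*) ;;
            *) [ "$restricted" = 1 ] || missing="$missing $o" ;;
        esac
    done
    [ -z "$missing" ] && { printf 'OK\n'; return 0; }
    printf 'REJECT:%s\n' "$missing"
    return 1
}

# Check every non-comment line of a file; exit status 1 if any line is rejected.
audit_authorized_keys() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        verdict=$(check_ak_line "$line") || rc=1
        printf '%s\t%s\n' "$verdict" "${line%% *}"   # verdict + first token of entry
    done < "$1"
    return $rc
}

# Constructed sample entries (placeholder key material, not real keys).
SVN_KEY_LINE='command="/usr/bin/svnserve -t -r /var/svn",no-agent-forwarding,no-pty,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLE dmz-svn-reader'
PARTIAL_KEY_LINE='command="/usr/bin/svnserve -t -r /var/svn",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE dmz-svn-reader'
OPEN_KEY_LINE='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLE dmz-host'

tmp=$(mktemp)
printf '%s\n# old entry\n%s\n%s\n' "$SVN_KEY_LINE" "$PARTIAL_KEY_LINE" "$OPEN_KEY_LINE" > "$tmp"
audit_authorized_keys "$tmp" || echo "fix the rejected entries before allowing DMZ access"
rm -f "$tmp"
```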

This is an archived mail posted to the Subversion Users mailing list.
