Re: MOD_DAV_SVN + SVNSERVE_WRAPPER + file system rights

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Sat, 23 Nov 2013 09:24:08 -0500

svn+ssh relies on SSH being directly available, by default port 22.
SSH, by default, allows direct user logins with shell access, by
password or by SSH key. That raises serious security concerns. The
safest way to run svn+ssh is usually with a separate SSH daemon, on
another port, configured to only allow SSH key based access as the
designated SSH repository owner, and with the "ForceCommand" option
used for SSH keys to enforce access to the designated Subversion
repositories. The result is that a lot of casually configured svn+ssh
sites have opened themselves wide to remote shell access, and in many
groups, allowing that needs some kind of sign-off from the security
group, which they're unlikely to give if they can say "why not just use
web access???"

Doing all that takes work: there is still no good GUI or automatic key
setup tool for any of those steps. And as someone who prefers to use
svn+ssh for security reasons, I admit that it's a pain in the keister
to set up correctly the first time. I still prefer svn+ssh because the
Linux and UNIX clients don't save passwords in clear text, and the
integration of SSH key passphrase management with the Gnome and KDE
wallet applications has gotten pretty good.

On Fri, Nov 22, 2013 at 6:07 PM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
> sbremal_at_hotmail.com wrote on Thu, Nov 21, 2013 at 18:37:21 +0000:
>> I am very happy with the SSH + 'svnserve' access to my repositories,
>> however due to firewall issues I need access through HTTP as well.
>> What I do not want is to set up a 2nd authentication / authorization
>> database.
>
> What are the "firewall issues", exactly? Why can't you use svn+ssh?
> Can you run sshd on port 80 (which would allow you to use svn+ssh
> without httpd at all)?
>
> Daniel
Received on 2013-11-23 15:24:51 CET
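
The setup described in the message above (a separate sshd on its own port, key-only, one repository account, a forced svnserve command), as an added example that is not part of the original mail: a shell sketch that writes such an sshd_config and checks a file against it. Port 2222, the account name "svn" and the root /srv/svn are assumptions; KbdInteractiveAuthentication is the current OpenSSH keyword, spelled ChallengeResponseAuthentication in older releases.

```bash
# Added example, not from the mail. Assumed values: port 2222, account "svn",
# repository root /srv/svn.

# Write the dedicated, svn-only daemon's sshd_config to the path in $1.
write_svn_sshd_config() {
  cat > "$1" <<'EOF'
Port 2222
AllowUsers svn
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowTcpForwarding no
PermitTTY no
ForceCommand svnserve -t -r /srv/svn
EOF
}

# Print the global value of keyword $2 in file $1. sshd keywords are
# case-insensitive and the first occurrence wins; stop at the first Match block.
sshd_value() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# Return 0 only if the file in $1 sets every restriction explicitly.
audit_svn_sshd_config() {
  local cfg=$1 fail=0 kw want got port
  while read -r kw want; do
    got=$(sshd_value "$cfg" "$kw" | tr 'A-Z' 'a-z')
    [ "$got" = "$want" ] || { echo "FAIL $kw: want $want, got ${got:-unset}"; fail=1; }
  done <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowTcpForwarding no
PermitTTY no
EOF
  port=$(sshd_value "$cfg" Port)
  [ -n "$port" ] && [ "$port" != 22 ] || { echo "FAIL Port: shared with login sshd"; fail=1; }
  [ -n "$(sshd_value "$cfg" AllowUsers)" ] || { echo "FAIL AllowUsers: unset"; fail=1; }
  case "$(sshd_value "$cfg" ForceCommand)" in
    "svnserve -t"*) ;; *) echo "FAIL ForceCommand: not svnserve -t"; fail=1 ;; esac
  return "$fail"
}
```

Run the generated file through `sshd -t -f <file>` before starting the second daemon, so that keywords unknown to the installed OpenSSH version are reported.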