
Re: Secure svnserve?

From: Stefan Sperling <stsp_at_elego.de>
Date: Fri, 25 Nov 2016 11:33:00 +0100

On Fri, Nov 25, 2016 at 11:11:15AM +0100, Olaf van der Spek wrote:
> Hi,
>
> Currently I'm running svnserve on a Debian VM on my PC. I'd like to
> move it to a server on the internet but I don't get how to do this
> securely.
> Svnserve doesn't support encryption, right, so I can't expose it on a
> public port directly.
> I'm aware of Subversion via Apache but I don't run Apache and I don't
> want to give the entire web server access to repos anyway.

I would recommend svn+ssh:// with SSH keys.

> I also don't want to give each SVN user a shell account..

Multiple users can share a single account with svn+ssh:// without
shell access, provided SSH keys are used for authentication.

> What's the proper way to do this?

See here:
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks

> Wouldn't it be good if svnserve supported encryption directly?

svnserve does support encryption directly, but not with TLS.
Instead, it uses SASL for this purpose. See here:
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl

There is an open issue in our bug database about adding TLS support to
svnserve. But nobody has worked on it in years. So perhaps there isn't a
real demand after all, because the existing solutions are good enough?

The reality is that until someone steps up and does the serious work
involved in making TLS happen for svnserve, there won't be any TLS
support for svnserve. If you need TLS today, just use Apache HTTPD.

I hope one of the above tradeoffs will suit you and that you will
get your server running with an acceptable and secure setup.
Received on 2016-11-25 11:33:07 CET
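
The shared-account svn+ssh:// setup recommended in the mail above, as an added example that is not part of the original message or of the Subversion project's code. The function names, the repository root `/srv/svn`, the user names and the keys are constructed assumptions; `svnserve -t`, `--tunnel-user` and `-r` are existing svnserve options, and the `command=`/`no-*` entries are existing OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example: build and audit authorized_keys entries for one shared
# svn+ssh account. User names, repository root and keys are constructed.

# Key options that leave nothing available except the forced command.
SVN_KEY_OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
NL='
'

# svn_authkey_line USER REPO_ROOT PUBKEY  (hypothetical helper)
# Prints one authorized_keys line that pins PUBKEY to svnserve in tunnel
# mode, records USER as the commit author and confines access to REPO_ROOT.
svn_authkey_line() {
    user=$1 root=$2 key=$3
    # Refuse anything that could break out of the quoted command="..." string.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    case $root in
        /*) ;;
        *) echo "repository root must be absolute: $root" >&2; return 1 ;;
    esac
    case $root in
        *[!A-Za-z0-9._/-]*) echo "unsafe character in root: $root" >&2; return 1 ;;
    esac
    case $key in
        *"$NL"*) echo "public key must be a single line" >&2; return 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac
    printf 'command="svnserve -t --tunnel-user=%s -r %s",%s %s\n' \
        "$user" "$root" "$SVN_KEY_OPTS" "$key"
}

# svn_authkeys_audit FILE  (hypothetical helper)
# Prints the line number of every key entry that is not in the exact form
# produced above (for example a bare key, which would grant a shell).
# Returns 1 if any such entry exists, 0 otherwise.
svn_authkeys_audit() {
    awk -v opts="$SVN_KEY_OPTS" '
        /^[ \t]*(#|$)/ { next }
        index($0, "command=\"svnserve -t --tunnel-user=") != 1 ||
        index($0, "\"," opts " ") == 0 { print NR; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}
```

The generated lines belong in the shared account's `~/.ssh/authorized_keys`, one per user key; the audit is deliberately strict and flags any entry whose options differ from the generated form.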

This is an archived mail posted to the Subversion Users mailing list.