subversion-users mailing list archives

From Stefan Sperling <s...@elego.de>
Subject Re: svnserv + ssh + ldap
Date Fri, 30 Jul 2010 22:50:21 GMT
On Fri, Jul 30, 2010 at 05:51:42PM -0400, Nico Kadel-Garcia wrote:
> It's the integration of LDAP authentication that interferes
> with restricting the ssh+svn access to strictly ssh+svn, and allows
> access to the filesystem of the Subversion server via ssh, scp, and
> possibly sftp.

I see. Well, if you cannot use key-login with that, then you can't restrict
users by using the 'command' directive in authorized keys files.
Maybe one could use a custom login shell that only allows execution of
certain commands, such as svnserve? A bit ugly, but this approach is used
with e.g. anoncvs on OpenBSD systems: www.openbsd.org/anoncvs.shar

I still object to your claim that this was Subversion's fault
because "Security infrastructure is not Subversion's strong point."
That's just FUD.
If OpenSSH supported key-based login based on public key credentials
stored in LDAP, this would not be an issue.

Stefan
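
The custom login shell suggested in the message above, sketched as an added example; it is not part of the original post and is not the OpenBSD anoncvs script. The script name `svn-only-shell` and the paths `/srv/svn` and `/usr/bin/svnserve` are hypothetical, and the account's login shell is assumed to be set to this script.

```shell
#!/bin/sh
# Added example: restricted login shell for accounts that may only use svn+ssh.
# Hypothetical names: installed as /usr/local/bin/svn-only-shell,
# repositories under /srv/svn, svnserve at /usr/bin/svnserve.
SVN_ROOT=/srv/svn
SVNSERVE=/usr/bin/svnserve

# sshd runs the login shell as `<shell> -c '<command>'` for remote commands
# (svn+ssh, scp, an external sftp-server) and with no arguments for an
# interactive login. Succeed only for the exact string the svn client sends.
svn_only_check() {
    [ "$#" -eq 2 ] || return 1      # interactive login or unexpected argv
    [ "$1" = "-c" ] || return 1
    case "$2" in
        "svnserve -t") return 0 ;;  # exact match: no extra options, no ';'
        *) return 1 ;;
    esac
}

svn_only_main() {
    if svn_only_check "$@"; then
        # Fixed argv: nothing supplied by the client reaches the command line.
        exec "$SVNSERVE" -t -r "$SVN_ROOT"
    fi
    # Log the refused request with non-printable bytes replaced.
    req=$(printf '%s' "$*" | tr -c '[:print:]' '?')
    logger -t svn-only-shell "denied user=$(id -un) request=$req" 2>/dev/null
    echo "This account is restricted to svn+ssh access." >&2
    exit 1
}

# Dispatch only under the installed name, so sourcing the file for testing
# defines the functions without running anything.
case "${0##*/}" in
    svn-only-shell|-svn-only-shell) svn_only_main "$@" ;;
esac
```

Port forwarding and an in-process `internal-sftp` subsystem do not go through the login shell, so they have to be disabled in sshd_config separately.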
