subversion-users mailing list archives

From Andy Levy <andy.l...@gmail.com>
Subject Re: svnserv + ssh + ldap
Date Fri, 30 Jul 2010 12:45:53 GMT
On Fri, Jul 30, 2010 at 07:56, Nico Kadel-Garcia <nkadel@gmail.com> wrote:
> On Thu, Jul 29, 2010 at 8:51 AM, Nils Wilhelm <murphy@planet-of-art.de> wrote:
>> Hi there,
>>
>> I need your help getting an overview and configuring a Subversion server.
>> What I have to do is set up a Subversion server using LDAP and SSH.
>> After reading some theory about it I'm totally confused :-) So I hope you
>> can help me with that.
>>
>> What I have: A SUSE server with a working SSH connection, nothing else, i.e.
>> all other ports are closed.
>>
>> What my boss wants: The server should be accessed using SSH because of
>> security issues and the authentication (for Subversion) should be managed by
>> LDAP (other apps will use LDAP too). Svnserv should be used instead of an
>> Apache webserver extension. About 20 people should have access to
>> Subversion but should not be able to open an SSH shell connection to the
>> server. Is that possible? I hope anybody can give me an overview.
>>
>> Best regards
>>
>> Nils
>
> Don't use LDAP. One problem is that it will allow multiple users
> filesystem access to the Subversion repository, and *SOMEONE* is
> likely to screw it up for everyone else by trying to manually edit
> something in the repository in a large environment with multiple
> developers. Also, remember that the UNIX and Linux clients will save
> passwords in clear text by default in the user's home directory. That
> makes your LDAP passwords vulnerable to anyone who can access home
> directories or backup tapes. This is a longstanding vulnerability, and
> there is no fix. (Subversion 1.6 does warn you before saving them,
> which is polite, but will still save them, which is bad.)

This is not entirely accurate. As of Subversion 1.6, *NIX clients can
use GNOME Keyring or KDE Wallet to safely store passwords.
http://blogs.open.collab.net/svn/2009/07/subversion-16-security-improvements.html
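
For checking which cached credentials on a client are still stored in clear text rather than in GNOME Keyring or KDE Wallet, here is an added example that is not part of the original thread. It assumes the client's auth cache lives in `~/.subversion/auth/svn.simple` as `K <len>` / `V <len>` key-value files ending in `END`, with a `passtype` of `simple` marking a plaintext password; the sample entries are constructed.

```python
import io, pathlib

PLAINTEXT = "simple"  # passtype recorded when the password itself sits in the file

def _read_sized(buf, n):
    chunk = buf.read(n)
    if len(chunk) != n or buf.read(1) != b"\n":
        raise ValueError("truncated or malformed entry")
    return chunk

def parse_svn_hash(data):
    """Parse 'K <len>\\n<key>\\nV <len>\\n<value>\\n ... END' into a dict."""
    buf, out = io.BytesIO(data), {}
    while True:
        header = buf.readline().rstrip(b"\n")
        if header == b"END":
            return out
        if not header.startswith(b"K "):
            raise ValueError(f"expected key header, got {header!r}")
        key = _read_sized(buf, int(header[2:]))
        vheader = buf.readline().rstrip(b"\n")
        if not vheader.startswith(b"V "):
            raise ValueError(f"expected value header, got {vheader!r}")
        out[key.decode()] = _read_sized(buf, int(vheader[2:])).decode("utf-8", "replace")

def audit(entries):
    """Return (file, realm, username) per plaintext entry; never the password."""
    findings = []
    for name, raw in sorted(entries.items()):
        rec = parse_svn_hash(raw)
        if rec.get("passtype") == PLAINTEXT and "password" in rec:
            findings.append((name, rec.get("svn:realmstring", "?"), rec.get("username", "?")))
    return findings

def make_entry(fields):
    """Serialize a constructed sample entry (lengths are byte counts)."""
    parts = [b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
             for k, v in ((k.encode(), v.encode()) for k, v in fields.items())]
    return b"".join(parts) + b"END\n"

REALM = "<https://svn.example.test:443> Example"  # constructed realm string
SAMPLES = {  # constructed cache entries, not taken from any real system
    "constructed-entry-1": make_entry({"passtype": "simple", "password": "not-a-real-password",
                                       "svn:realmstring": REALM, "username": "alice"}),
    "constructed-entry-2": make_entry({"passtype": "gnome-keyring",
                                       "svn:realmstring": REALM, "username": "bob"}),
}

if __name__ == "__main__":
    d = pathlib.Path.home() / ".subversion/auth/svn.simple"
    cache = {p.name: p.read_bytes() for p in d.iterdir()} if d.is_dir() else SAMPLES
    for name, realm, user in audit(cache):
        print(f"plaintext password cached: {name} realm={realm} user={user}")
```

Run on a client machine it reads the local cache if present and falls back to the constructed samples otherwise.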
