RE: [Eric] Envisioning next Eric (5) Report

2012-07-28 Thread Pietro Moras


Well, dear Rui,

Frankly I intended this call the other way round. I mean: it's me that I'd like to be included in your “care-list”, so to receive your suggestions, comments, remarks and criticisms about the Tech. Reports I'll produce. Preferably here, in public, rather than privately, so to possibly solicit valid contributions from other sources too.

Take, for instance, the current “E5-TR Specimen”, at URL:
https://www.box.com/shared/k64yenrpey#/s/k64yenrpey/1/339019384

Your thoughts? Thanks. - P.M.

From: rui.narc...@airbus.com
To: studio...@hotmail.com
Date: Fri, 27 Jul 2012 19:59:04 +0200
Subject: RE: [Eric] Envisioning next Eric (5) Report

Hi
Please include me in any distribution list you create on this subject;
Cheers
Rui

Re: svnserve authentication using sasl + pam + winbind

2012-07-28 Thread Nico Kadel-Garcia
On Fri, Jul 27, 2012 at 8:23 AM, Matthias Weißer wrote:
> Hi
>
> is it possible to authenticate users from a Windows active directory to a
> svnserve daemon? From what I have seen when googling around was that most
> of the time the apache module is used when more complex authentication is
> needed. I would like to avoid the need for an apache on our internal server.

Does your server support SSH? Then you can use svn+ssh, which has some
big security advantages over HTTPS/WebDAV. One big advantage is that
it helps prevent the following combination for HTTPS access.

* HTTPS server uses normal user authentication, especially local
accounts or Kerberos authentication (which works well with Active
Directory, I must admit).
* Linux or UNIX client does not use kwallet or gnome-wallet (optional,
and only supported with recent Subversion versions) to manage their
authentication keys.
* Linux or UNIX client winds up storing passwords in
$HOME/.subversion/ in plain text. Heck, for RHEL 4, which is still in
industrial use, it has Subversion 1.1.4 which doesn't even *ask*
before it stores the password in plain text.
* Local network weasels read your plain text account and password for
*every system you authenticate to with Subversion*. In an environment
with NFS and an attitude of "we trust the people we work with" and
"we have a firewall to keep people out", it only takes one rootkitted
laptop to own your local network.

The svn+ssh approach works very well as a technology: what it's
missing is a published graceful toolkit to manage the SSH keys.

> Current situation:
> Ubuntu 12.04 LTS
> Winbind for domain user authentication on the Linux box
> svnserve using simple authentication via authz/passwd files

Can you use SSH key based access? I've actually asked several
integration companies in the last year if they could integrate
Subversion with Kerberos ticket based authentication, and they've not
taken up the project. (Dang!)

> Goal:
> Having only the authz file left with the permissions of the single users to
> the repos. The authentication should be done using the user database from
> the windows domain controller.
>
> I think SASL + PAM + WINBIND is the way to go. Before I get lost in a lot of
> documentation on the internet:
>
> Has someone done something like this before? Any hints?
>
> Thanks
> Matthias

It sounds reasonable. I'll be very curious about your results.
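The plaintext-credential exposure Nico describes above (passwords cached under $HOME/.subversion/ by the "simple" provider) is something an administrator can check for on each client. The following is an added example, not code from the thread or from the Subversion project: it parses the length-prefixed K/V hash format that Subversion uses for its auth cache files (auth/svn.simple/*), flags entries whose passtype is "simple" and that carry a password field, and checks whether the servers file sets store-plaintext-passwords = no in its [global] section (the setting that stops newer clients from writing such entries). The cache file names, realm strings, the "hunter2" password and the sample servers file are constructed for the demo; the key names (passtype, password, svn:realmstring, username) and the setting name are Subversion's own.

```python
import configparser
import tempfile
from pathlib import Path

# Subversion's auth cache (~/.subversion/auth/svn.simple/<hash>) uses a
# length-prefixed hash format: "K <len>\n<key>\nV <len>\n<value>\n" ... "END\n".
# Lengths are in bytes. Entries with passtype == "simple" keep the password in
# plain text, which is the exposure discussed in the thread.


def encode_svn_hash(entries):
    """Serialise a dict in the K/V hash format (used here only to build samples)."""
    out = []
    for key, value in entries.items():
        out.append(f"K {len(key.encode())}\n{key}\nV {len(value.encode())}\n{value}\n")
    out.append("END\n")
    return "".join(out)


def parse_svn_hash(text):
    """Parse the K/V hash format into a dict; raise ValueError if it is malformed."""
    data = text.encode()
    pos = 0
    result = {}
    while True:
        nl = data.index(b"\n", pos)
        header = data[pos:nl]
        pos = nl + 1
        if header == b"END":
            return result
        if not header.startswith(b"K "):
            raise ValueError(f"expected 'K <len>' at byte {pos}")
        klen = int(header[2:])
        key = data[pos:pos + klen].decode()
        if data[pos + klen:pos + klen + 1] != b"\n":
            raise ValueError(f"bad key length for {key!r}")
        pos += klen + 1
        nl = data.index(b"\n", pos)
        vheader = data[pos:nl]
        pos = nl + 1
        if not vheader.startswith(b"V "):
            raise ValueError(f"expected 'V <len>' for key {key!r}")
        vlen = int(vheader[2:])
        value = data[pos:pos + vlen].decode()
        if data[pos + vlen:pos + vlen + 1] != b"\n":
            raise ValueError(f"bad value length for {key!r}")
        pos += vlen + 1
        result[key] = value


def find_plaintext_credentials(auth_dir):
    """List (cache file, realm, username) for every credential stored by the
    plaintext 'simple' provider. The password values are deliberately not returned."""
    findings = []
    simple_dir = Path(auth_dir) / "svn.simple"
    if not simple_dir.is_dir():
        return findings
    for path in sorted(simple_dir.iterdir()):
        entries = parse_svn_hash(path.read_text())
        if entries.get("passtype") == "simple" and "password" in entries:
            findings.append((path.name, entries.get("svn:realmstring", "?"),
                             entries.get("username", "?")))
    return findings


def plaintext_storage_disabled(servers_file):
    """True when [global] in the servers file sets store-plaintext-passwords = no."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(servers_file)  # a missing file simply yields the default ("yes")
    value = cp.get("global", "store-plaintext-passwords", fallback="yes")
    return value.strip().lower() == "no"


def audit(subversion_dir):
    """Run both checks over a ~/.subversion-style directory."""
    base = Path(subversion_dir)
    return {
        "plaintext_entries": find_plaintext_credentials(base / "auth"),
        "plaintext_storage_disabled": plaintext_storage_disabled(base / "servers"),
    }


def build_sample_tree(root):
    """Construct a sample tree: one plaintext entry, one keyring-backed entry."""
    simple = Path(root) / "auth" / "svn.simple"
    simple.mkdir(parents=True)
    (simple / "a1b2c3").write_text(encode_svn_hash({  # constructed cache file name
        "passtype": "simple",
        "password": "hunter2",  # constructed sample secret
        "svn:realmstring": "<https://svn.example.com:443> Example Repo",
        "username": "alice",
    }))
    (simple / "d4e5f6").write_text(encode_svn_hash({
        "passtype": "gnome-keyring",  # secret lives in the keyring, not in this file
        "svn:realmstring": "<https://svn.example.com:443> Other Repo",
        "username": "alice",
    }))
    (Path(root) / "servers").write_text("[global]\nstore-plaintext-passwords = no\n")


def run_demo():
    """Build the sample tree in a temporary directory and return the audit result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit(tmp)


if __name__ == "__main__":
    report = run_demo()
    for name, realm, user in report["plaintext_entries"]:
        print(f"PLAINTEXT password cached in {name}: user {user} for {realm}")
    print("store-plaintext-passwords = no:", report["plaintext_storage_disabled"])
```

On a real client, call `audit(Path.home() / ".subversion")`; a non-empty `plaintext_entries` list means cached passwords sit on disk (and on any NFS-exported home directory) readable by anyone with the user's file access, which is the scenario the reply warns about. The parser checks the byte lengths strictly rather than splitting on newlines, because values such as realm strings can legitimately contain arbitrary text.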