SVN MFA
Hello Subversion Users Support, Our team is using SVN as a version control tool for source code. We are looking into implementing MFA. Does SVN have built-in MFA capabilities? If so, can you please point me to the documentation? I appreciate any help you can provide. Thanks, Prasanna
Re: SVN MFA
Supporting this from a CLI is next to impossible. I would look at how it is done with Git and see if it is possible to make the SVN CLI directly use the Git Credential Manager: https://github.com/git-ecosystem/git-credential-manager You would then need to work backwards from there to an Apache solution that goes with this. I think this mainly needs setting the WWW-Authenticate header and then accepting a token back for authentication. The Credential Manager will handle the process of authenticating via MFA and getting back the token. On Tue, Apr 22, 2025 at 11:49 AM Peter Balogh wrote: > > Hi, > > Andreas can you please share more about this? > I've been looking for a solution for this for a while, but I only found > hacks like when entering your password, also add your OTP at the end > every time you do an svn operation > Is a modern OTP or Oauth authentication possible with httpd and the svn > clients, that's not inconvenient or weird? > > Best regards, > Peter > > On 2025. 04. 22. 17:29, Andreas Stieger wrote: > > Hello, > > > > On 2025-04-22 16:37, Prasu S wrote: > >> Our team is using SVN as a version control tool for source code. We > >> are looking into implementing MFA. Does SVN have built-in MFA > >> capabilities? If so, can you please point me to the documentation? I > >> appreciate any help you can provide. > > > > > > Apache Subversion (mod_dav_svn) supports all authentication options > > supported by or built for Apache httpd. That includes multi-factor, > > various mobile app authenticators, enterprise SSO and SSL client > > certfs. Start reading there. The point is that it is not built into > > svn but httpd. > > > > Andreas > > > >
Re: SVN MFA
Thanks Andreas for your quick response. Does Apache Subversion support organisation MFA or external MFA? We are using Tortoise SVN to access the repositories. Is it possible to set up MFA through Tortoise SVN? Thanks On Tue, Apr 22, 2025 at 11:29 AM Andreas Stieger wrote: > Hello, > > On 2025-04-22 16:37, Prasu S wrote: > > Our team is using SVN as a version control tool for source code. We > > are looking into implementing MFA. Does SVN have built-in MFA > > capabilities? If so, can you please point me to the documentation? I > > appreciate any help you can provide. > > > Apache Subversion (mod_dav_svn) supports all authentication options > supported by or built for Apache httpd. That includes multi-factor, > various mobile app authenticators, enterprise SSO and SSL client certfs. > Start reading there. The point is that it is not built into svn but httpd. > > Andreas > > >
Re: SVN MFA
Hello, On 2025-04-22 16:37, Prasu S wrote: Our team is using SVN as a version control tool for source code. We are looking into implementing MFA. Does SVN have built-in MFA capabilities? If so, can you please point me to the documentation? I appreciate any help you can provide. Apache Subversion (mod_dav_svn) supports all authentication options supported by or built for Apache httpd. That includes multi-factor, various mobile app authenticators, enterprise SSO and SSL client certfs. Start reading there. The point is that it is not built into svn but httpd. Andreas
Re: SVN MFA
Hi, We're working on contributing a 2FA solution to subversion, if you can share your requirements, we'll try to support it in the future What server are you planning to use? apache or svnserve? What MFA solution would satisfy your requirements? One time passwords, external 2nd factor like Duo or full oauth2 remote authorization? Feel free to share more about your needs here, reach out in private, or let's setup a call I'm happy to sign NDA if we have to, to better understand your needs Best regards, Peter On 2025. 04. 22. 16:37, Prasu S wrote: Hello Subversion Users Support, Our team is using SVN as a version control tool for source code. We are looking into implementing MFA. Does SVN have built-in MFA capabilities? If so, can you please point me to the documentation? I appreciate any help you can provide. Thanks, Prasanna
Re: SVN MFA
Hi, Andreas can you please share more about this? I've been looking for a solution for this for a while, but I only found hacks like when entering your password, also add your OTP at the end every time you do an svn operation Is a modern OTP or Oauth authentication possible with httpd and the svn clients, that's not inconvenient or weird? Best regards, Peter On 2025. 04. 22. 17:29, Andreas Stieger wrote: Hello, On 2025-04-22 16:37, Prasu S wrote: Our team is using SVN as a version control tool for source code. We are looking into implementing MFA. Does SVN have built-in MFA capabilities? If so, can you please point me to the documentation? I appreciate any help you can provide. Apache Subversion (mod_dav_svn) supports all authentication options supported by or built for Apache httpd. That includes multi-factor, various mobile app authenticators, enterprise SSO and SSL client certfs. Start reading there. The point is that it is not built into svn but httpd. Andreas
Re: SVN MFA
Hi, I have rather simple implementation plan, to handle a special response with a 2fa challenge in cli, or by opening a browser window for auth, than storing the session cookie next to usual svn credentials I wrote up my plans in the dev mailing list, I'm happy to further discuss it, before I submit my first implementation For the server side, I'm working out of this doc: https://github.com/itemir/apache_2fa Sharing a secret is a little fishy, but the basic idea is written up correctly Do you think this won't work? I'd love to hear about 2FA systems svn users would like to use, because that might steer my solution to a slightly different direction Best regards, Peter On 2025. 04. 22. 17:56, Mark Phippard wrote: Supporting this from a CLI is next to impossible. I would look at how it is done with Git and see if it is possible to make the SVN CLI directly use the Git Credential Manager: https://github.com/git-ecosystem/git-credential-manager You would then need to work backwards from there to an Apache solution that goes with this. I think this mainly needs setting the WWW-Authenticate header and then accepting a token back for authentication. The Credential Manager will handle the process of authenticating via MFA and getting back the token. On Tue, Apr 22, 2025 at 11:49 AM Peter Balogh wrote: Hi, Andreas can you please share more about this? I've been looking for a solution for this for a while, but I only found hacks like when entering your password, also add your OTP at the end every time you do an svn operation Is a modern OTP or Oauth authentication possible with httpd and the svn clients, that's not inconvenient or weird? Best regards, Peter On 2025. 04. 22. 17:29, Andreas Stieger wrote: Hello, On 2025-04-22 16:37, Prasu S wrote: Our team is using SVN as a version control tool for source code. We are looking into implementing MFA. Does SVN have built-in MFA capabilities? If so, can you please point me to the documentation? I appreciate any help you can provide. Apache Subversion (mod_dav_svn) supports all authentication options supported by or built for Apache httpd. That includes multi-factor, various mobile app authenticators, enterprise SSO and SSL client certfs. Start reading there. The point is that it is not built into svn but httpd. Andreas
