Re: svnserv + ssh + ldap

2010-08-03 Thread Paul Ebermann
Nico Kadel-Garcia wrote: >> $ export `gnome-keyring-daemon` > > Good, but ouch. Let's try adding a bit of rigor, shall we? First, > before running such a daemon, always check that it actually exists, > where you expect it to exist. Running random commands that will handle > passwords which may ha

Re: svnserv + ssh + ldap

2010-08-02 Thread Mark Phippard
On Mon, Aug 2, 2010 at 8:22 AM, Nico Kadel-Garcia wrote: > Good, but ouch. Let's try adding a bit of rigor, shall we? First, > before running such a daemon, always check that it actually exists, > where you expect it to exist. Running random commands that will handle > passwords which may have bee

Re: svnserv + ssh + ldap

2010-08-02 Thread Nico Kadel-Garcia
On Sun, Aug 1, 2010 at 1:37 PM, Mark Phippard wrote: > On Sun, Aug 1, 2010 at 12:59 PM, Nico Kadel-Garcia wrote: >>> AFAIK it's possible to run gnome-keyring without X. >> >> It's painful. Take a glance at >> http://superuser.com/questions/141036/use-of-gnome-keyring-daemon-without-x, >> which do

Re: svnserv + ssh + ldap

2010-08-01 Thread Stefan Sperling
On Sun, Aug 01, 2010 at 12:59:08PM -0400, Nico Kadel-Garcia wrote: > >> I've given a few specific examples. While it's gotten better and > >> you've addressed some of my concerns, my overall concerns still stand. > >> Cleartext password storage is a big problem, frequently ignored by > >> deployers

Re: svnserv + ssh + ldap

2010-08-01 Thread Stefan Sperling
On Sun, Aug 01, 2010 at 12:59:08PM -0400, Nico Kadel-Garcia wrote: > Or as a 3rdparty add-on. anoncvs doesn't cut it: using a shell script > as a restricted shell is begging for people to break out of the shell > and gain command line access. Shell script? You didn't even bother looking at the fil

Re: svnserv + ssh + ldap

2010-08-01 Thread Mark Phippard
On Sun, Aug 1, 2010 at 12:59 PM, Nico Kadel-Garcia wrote: >> AFAIK it's possible to run gnome-keyring without X. > > It's painful. Take a glance at > http://superuser.com/questions/141036/use-of-gnome-keyring-daemon-without-x, > which documents manually editing /etc/pam.d/ login settings. It's als

Re: svnserv + ssh + ldap

2010-08-01 Thread Nico Kadel-Garcia
On Sun, Aug 1, 2010 at 5:23 AM, Stefan Sperling wrote: > On Sat, Jul 31, 2010 at 10:22:42PM -0400, Nico Kadel-Garcia wrote: >> On Sat, Jul 31, 2010 at 9:12 AM, Stefan Sperling wrote: >> > Fortunately, today, we have support for KDE Wallet and Gnome Keyring. >> > So you can set up a secure passwor

Re: svnserv + ssh + ldap

2010-08-01 Thread Stefan Sperling
On Sat, Jul 31, 2010 at 10:22:42PM -0400, Nico Kadel-Garcia wrote: > On Sat, Jul 31, 2010 at 9:12 AM, Stefan Sperling wrote: > > Fortunately, today, we have support for KDE Wallet and Gnome Keyring. > > So you can set up a secure password cache on *nix, if you have KDE > > or Gnome, at least. > >

Re: svnserv + ssh + ldap

2010-07-31 Thread Nico Kadel-Garcia
On Sat, Jul 31, 2010 at 9:12 AM, Stefan Sperling wrote: > On Fri, Jul 30, 2010 at 11:55:20PM -0400, Nico Kadel-Garcia wrote: >> No, it's harsh experience since version 1.2 (when I started helping >> rebuild it and rebundle it for Dag's RPM repository, now RPMforge). The >> UNIX/Linux clients should

Re: svnserv + ssh + ldap

2010-07-31 Thread Stefan Sperling
On Sat, Jul 31, 2010 at 08:18:37AM -0400, Nico Kadel-Garcia wrote: > And by the way: my spelling is not usually as bad as this note was. My > RSI is flaring up, probably my own fault. I feel your pain, I get that, too. Cycling regularly and the gym helps an awful lot. You need to get your blood fl

Re: svnserv + ssh + ldap

2010-07-31 Thread Stefan Sperling
On Fri, Jul 30, 2010 at 11:55:20PM -0400, Nico Kadel-Garcia wrote: > No, it's harsh experience since version 1.2 (when I started helping > rebuild it and rebundle it for Dag's RPM repository, now RPMforge). The > UNIX/Linux clients should *never* have been permitted to store > passwords. You forgot

Re: svnserv + ssh + ldap

2010-07-31 Thread Nico Kadel-Garcia
On Fri, Jul 30, 2010 at 11:55 PM, Nico Kadel-Garcia wrote: > No, it's harsh experience since version 1.2 (when I started helping > rebuild it and rebundle it for Dag's RPM repository, now RPMforge). The > UNIX/Linux clients should *never* have been permitted to store > passwords. That's a genuinel

Re: svnserv + ssh + ldap

2010-07-30 Thread Nico Kadel-Garcia
On Fri, Jul 30, 2010 at 6:50 PM, Stefan Sperling wrote: > On Fri, Jul 30, 2010 at 05:51:42PM -0400, Nico Kadel-Garcia wrote: >> It's the integration of LDAP authentication that interferes >> with restricting the ssh+svn access to strictly ssh+svn, and allows >> access to the filesystem of the Subve

Re: svnserv + ssh + ldap

2010-07-30 Thread Stefan Sperling
On Fri, Jul 30, 2010 at 05:51:42PM -0400, Nico Kadel-Garcia wrote: > It's the integration of LDAP authentication that interferes > with restricting the ssh+svn access to strictly ssh+svn, and allows > access to the filesystem of the Subversion server via ssh, scp, and > possibly sftp. I see. Well,

Re: svnserv + ssh + ldap

2010-07-30 Thread Nico Kadel-Garcia
On Fri, Jul 30, 2010 at 1:19 PM, Stefan Sperling wrote: > On Fri, Jul 30, 2010 at 12:17:50PM -0400, Nico Kadel-Garcia wrote: >> On Fri, Jul 30, 2010 at 8:49 AM, Stefan Sperling wrote: >> > On Fri, Jul 30, 2010 at 07:56:50AM -0400, Nico Kadel-Garcia wrote: >> >> Don't use LDAP. One problem is that

Re: svnserv + ssh + ldap

2010-07-30 Thread Stefan Sperling
On Fri, Jul 30, 2010 at 12:17:50PM -0400, Nico Kadel-Garcia wrote: > On Fri, Jul 30, 2010 at 8:49 AM, Stefan Sperling wrote: > > On Fri, Jul 30, 2010 at 07:56:50AM -0400, Nico Kadel-Garcia wrote: > >> Don't use LDAP. One problem is that it will allow multiple users > >> filesystem access to the Su

Re: svnserv + ssh + ldap

2010-07-30 Thread Nico Kadel-Garcia
On Fri, Jul 30, 2010 at 8:49 AM, Stefan Sperling wrote: > On Fri, Jul 30, 2010 at 07:56:50AM -0400, Nico Kadel-Garcia wrote: >> Don't use LDAP. One problem is that it will allow multiple users >> filesystem access to the Subversion repository, and *SOMEONE* is >> likely to screw it up for everyone

Re: svnserv + ssh + ldap

2010-07-30 Thread Stefan Sperling
On Fri, Jul 30, 2010 at 04:20:14PM +0200, Nils Wilhelm wrote: > Hi there, > > Stefan Sperling wrote: > >If I understood correctly, the question was about using Subversion > >with SSH and LDAP. > You're right. > > i have installed the server by using this tutorial > http://jimmyg.org/blog/2007/sub

Re: svnserv + ssh + ldap

2010-07-30 Thread Nils Wilhelm
Hi there, Stefan Sperling wrote: If I understood correctly, the question was about using Subversion with SSH and LDAP. You're right. i have installed the server by using this tutorial http://jimmyg.org/blog/2007/subversion-over-svnssh-on-debian.html So what i have now is a subversion serv

Re: svnserv + ssh + ldap

2010-07-30 Thread Stefan Sperling
On Fri, Jul 30, 2010 at 07:56:50AM -0400, Nico Kadel-Garcia wrote: > Don't use LDAP. One problem is that it will allow multiple users > filesystem access to the Subversion repository, and *SOMEONE* is > likely to screw it up for everyone else by trying to manually edit > something in the repository

Re: svnserv + ssh + ldap

2010-07-30 Thread Andy Levy
On Fri, Jul 30, 2010 at 07:56, Nico Kadel-Garcia wrote: > On Thu, Jul 29, 2010 at 8:51 AM, Nils Wilhelm wrote: >> Hi there, >> >> i need your help getting an overview and configuring a subversion server. >> What i have to do is setting up a subversion server using ldap and ssh. >> After reading s

Re: svnserv + ssh + ldap

2010-07-30 Thread Nico Kadel-Garcia
On Thu, Jul 29, 2010 at 8:51 AM, Nils Wilhelm wrote: > Hi there, > > i need your help getting an overview and configuring a subversion server. > What i have to do is setting up a subversion server using ldap and ssh. > After reading some theory about it i'm totally confused :-) So i hope you > can

RE: svnserv + ssh + ldap

2010-07-29 Thread Cooke, Mark
> -----Original Message----- > From: Nils Wilhelm [mailto:mur...@planet-of-art.de] > Sent: 30 July 2010 00:58 > To: users@subversion.apache.org > Subject: Re: svnserv + ssh + ldap > > Hi there, > > this is in addition to my last post: > > If i use > - svn://

Re: svnserv + ssh + ldap

2010-07-29 Thread Stefan Sperling
On Fri, Jul 30, 2010 at 01:57:53AM +0200, Nils Wilhelm wrote: > Hi there, > > this is in addition to my last post: > > If i use > - svn:// protocol everything will be sent in plain text so this will > have security issues -> not usable for me > - svn+ssh:// protocol i need an account on the serve

Re: svnserv + ssh + ldap

2010-07-29 Thread Nils Wilhelm
Hi there, this is in addition to my last post: If i use - svn:// protocol everything will be sent in plain text so this will have security issues -> not usable for me - svn+ssh:// protocol i need an account on the server for every person for two reasons: The authentication using ssh and to man