On Fri, Jul 30, 2010 at 1:19 PM, Stefan Sperling <s...@elego.de> wrote:
> On Fri, Jul 30, 2010 at 12:17:50PM -0400, Nico Kadel-Garcia wrote:
>> On Fri, Jul 30, 2010 at 8:49 AM, Stefan Sperling <s...@elego.de> wrote:
>> > On Fri, Jul 30, 2010 at 07:56:50AM -0400, Nico Kadel-Garcia wrote:
>> >> Don't use LDAP. One problem is that it will allow multiple users
>> >> filesystem access to the Subversion repository, and *SOMEONE* is
>> >> likely to screw it up for everyone else by trying to manually edit
>> >> something in the repository in a large environment with multiple
>> >> developers.
>> >
>> > I don't see any way how using LDAP with Subversion would allow local
>> > filesystem access to users. Can you explain?
>>
>> It has to allow local filesystem access on the Subversion server
>> itself: the Subversion repository needs to be accessible to the LDAP
>> clients on that host.
>>
>> My use of the phrase "local filesystem access" was unclear in this matter.
>
> I still don't understand what kind of setup you are describing.
> Is this with SSH or svnserve + SASL?

I was describing LDAP authentication for ssh+svn. This can actually be
done with GSSAPI-enabled SSH servers, such as OpenSSH 5.x. The
difficulty with it is that, without quite a lot of extra work, it relies
on normal shell access to the SVN server to open the svnserve session.
The use of authorized_keys for SSH works well to restrict this, but it's
not LDAP authentication.

> $ svn checkout https://www.example.com/repository/trunk repository_trunk
> Authentication realm: <https://www.example.com> Example
> Password for 'user':
> -----------------------------------------------------------------------
> ATTENTION! Your password for authentication realm:
>
> <https://www.example.com> Example
>
> can only be stored to disk unencrypted! You are advised to configure
> your system so that Subversion can store passwords encrypted, if
> possible. See the documentation for details.
>
> You can avoid future appearances of this warning by setting the value
> of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
> '/home/user/.subversion/servers'.
> -----------------------------------------------------------------------
> Store password unencrypted (yes/no)?
>
> If you have suggestions for improving this warning, they are welcome.
> But I think it is pretty straightforward already?

It's straightforward: I was referring to its character as a warning,
which it certainly is.

> Sounds like you have not understood how to set up svn+ssh:// securely.
> If you set svn+ssh:// access up securely by restricting the command
> users can execute to the svnserve binary (as advised in the
> documentation), there is no such issue.

I understand it. (As a hint, I wrote the early SSH ports for ssh-1,
ssh-2, and OpenSSH to SunOS: I'm very familiar with SSH.) I use
authorized_keys, and have written previous guidelines and suggestions
on how to do so in at least 4 corporate environments.

For LDAP-based SSH access, well, you don't get authorized_keys-based
command line restrictions, now do you?

> If you know of a way to change hook scripts by talking svn protocol
> to the svnserve binary, please let us know how you do it.
> Because, yes, that would be a security issue.
>
> Stefan

No, no. It's the integration of LDAP authentication that interferes with
restricting the ssh+svn access to strictly ssh+svn, and allows access to
the filesystem of the Subversion server via ssh, scp, and possibly sftp.
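The authorized_keys restriction the thread refers to, plus an audit for keys that lack it, as an added example that is not part of the original thread; the repository root /var/svn, the user names and the key material are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread.
# Pin an SSH key to svnserve so the key holder cannot get a shell, scp or
# sftp on the Subversion server, and audit an authorized_keys file for
# entries that are not pinned that way.

SVN_ROOT="/var/svn"   # assumed parent directory of the repositories

# Emit one restricted authorized_keys line.
# $1 = Subversion user name, $2 = public key ("ssh-ed25519 AAAA... comment")
# --tunnel-user only takes effect in tunnel mode (-t), which is what
# the svn+ssh:// client invokes over the SSH session.
restricted_key_line() {
    printf 'command="svnserve -t -r %s --tunnel-user=%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$SVN_ROOT" "$1" "$2"
}

# Count authorized_keys entries that are NOT forced to run svnserve.
# Such a key grants whatever the login shell allows (ssh, scp, sftp).
# Prints the count; exit status is 0 only when every entry is pinned.
count_unrestricted_keys() {
    file="$1"
    n=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;                    # blank line or comment
            *'command="svnserve -t'*) ;;            # pinned to svnserve
            *) n=$((n + 1)) ;;                      # anything else: shell access
        esac
    done < "$file"
    echo "$n"
    [ "$n" -eq 0 ]
}
```

Run the audit as `count_unrestricted_keys ~svn/.ssh/authorized_keys` on the server; a non-zero count is the situation the thread warns about.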