Hello,

On Tue, Feb 23, 2021 at 3:23 AM Yasuhito FUTATSUKI
<futat...@yf.bsdclub.org> wrote:
>
> Hello,
>
> On 2021/02/23 2:40, CoolCold wrote:
> > Good day!
> > (please CC me, I'm not subscribed to the list)
> >
> > A bit of context:
> > I was using subversion to store my servers' configs versioned for
> > almost a decade, with bash wrapping around it. Simplified, it had repo
> > per server name, wrapper called by cron to checkout, rsync over,
> > commit changes back, sending email on diffs (
> > https://github.com/coolcold/svnbackup ). Had no issue with it, when
> > password store was enabled. It's run under root user and saved
> > credentials are not exposed to non-admin users on the system.
> >
> > Issue: with recent changes hitting packages in distributions (
> > https://marc.info/?l=subversion-commits&m=154101482302608&w=2 ), that
> > seems to be not possible anymore.
> > I did adjust my script to use command line switch --password, but this
> > makes it visible for anyone who does simple commands like ps aux.
> > I've tried to look around for possible support of environment
> > variables / password file support, but couldn't find any except some
> > old proposals like
> > http://subversion.1072662.n5.nabble.com/Feature-proposal-SVN-USERNAME-and-SVN-PASSWORD-environment-variables-td180031.html
> >
> > Rebuilding subversion from source is not an option for many reasons.
> >
> > Seeking for your help on this, what is the proper way of doing this
> > with recent versions?
> > Thanks in advance.
>
> For this purpose, I'm just using svn+ssh:// with dedicated user on
> server side and public key authentication with empty pass phrase.
>
> e.g. svn+ssh://svn-ag...@svnhost.example.org/repo/
>
> On svnhost.example.org, authorized_key file for user svn-agent could be:
> [[[
> # only for svn agent via ssh. all lines should be started with following
> # command and option specification:
> command="/usr/bin/svnserve -t -r /base/path/to/repo
> --tunnel-user=root-on-hostA",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
> ssh-ed25519 (public key A) r...@hosta.example.org
> command="/usr/bin/svnserve -t -r /base/path/to/repo
> --tunnel-user=root-on-hostB",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
> ssh-ed25519 (public key B) r...@hostb.example.org
> ...
> ]]]

Thanks for sharing this - I still see such a way as a workaround, but
as a reasonable workaround. One may want to prefer it due to data
transfer encryption it provides.
From the other side, it's a trade of "cleartext" password vs
"unprotected ssh key" (while key can be IP bound in
.ssh/authorized_keys thus making it a bit better protected in case of
leakage).

>
> Cf.
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks
>
> If you want to use ssh key other than default key or alternative tcp port
> other than 22, you can use them by overriding ssh tunnel setting with SVN_SSH
> environment variable or config file, etc. (Of course, if you want to use non
> standard port for ssh connection you also need to change configuration of
> sshd on server side).
>
> Cheers,
> --
> Yasuhito FUTATSUKI <futat...@yf.bsclub.org>

--
Best regards,
[COOLCOLD-RIPN]
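
An added example, not part of either message: a Python check for the svn-agent `authorized_keys` layout discussed above. It flags entries that lack the forced `svnserve -t` command, the four `no-*` restrictions, or the `from=` source binding mentioned in the reply. The sample entries, the address 192.0.2.10 and the key blobs are constructed placeholders; in a real file each entry sits on a single line.

```python
import re
# Restrictions used in the authorized_keys example quoted in the thread.
REQUIRED = {"no-port-forwarding", "no-agent-forwarding",
            "no-x11-forwarding", "no-pty"}
# One option: name or name="value"; a value may hold commas and \" escapes.
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|(?=\s)|$)')
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def parse_options(line):
    """Return {option: value or True} for the options before the key type."""
    opts, pos = {}, 0
    while not line.startswith(KEY_TYPES, pos):
        m = OPTION_RE.match(line, pos)
        if not m:
            raise ValueError("unparsable options: " + line[:40])
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        pos = m.end()
        while pos < len(line) and line[pos].isspace():
            pos += 1
    return opts

def audit(text):
    """Return [(line_number, problem)] for an authorized_keys file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        cmd = opts.get("command")
        if not isinstance(cmd, str) or "svnserve -t" not in cmd:
            findings.append((n, "no forced svnserve -t command"))
        elif "--tunnel-user=" not in cmd:
            findings.append((n, "forced command lacks --tunnel-user"))
        missing = REQUIRED - opts.keys()
        if missing and "restrict" not in opts:  # restrict implies all four
            findings.append((n, "missing " + ",".join(sorted(missing))))
        if "from" not in opts:
            findings.append((n, "key not bound to a source address (from=)"))
    return findings

# Constructed sample: address, key blobs and comments are placeholders.
SAMPLE = '''from="192.0.2.10",command="/usr/bin/svnserve -t -r /base/path/to/repo --tunnel-user=root-on-hostA",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDERA hostA-key
command="/usr/bin/svnserve -t -r /base/path/to/repo --tunnel-user=root-on-hostB",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDERB hostB-key
ssh-ed25519 AAAAPLACEHOLDERC hostC-key
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```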