access svn securely from the internet via sasl or ssh

[bo...@web.de]

Hi!

I have a Ubuntu server with an svn repository (only svnserve -d, no WebDAV). What would be the simplest way to make it securely available to the internet? I think svn+ssh is rather insecure because you give each user a right to write directly (low-level) into the svn-repository.
For, SASL, how much do I need to configure? Is it sufficient to add the following to the svn svnserve.conf:
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

Or do I really need all this extra configuration with sasl configuration:
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/my_sasldb
mech_list: DIGEST-MD5
...
(as described in http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl ; section: Authentication with SASL)

I just need a connection to be as secure as regular ssh. :-) Thanks in advance!

Best, Philip
____________________________________________________________________
Psssst! Schon vom neuen WEB.DE MultiMessenger gehört? 
Der kann`s mit allen: http://www.produkte.web.de/messenger/?did=3123

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=987502

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: access svn securely from the internet via sasl or ssh

[Alec Kloss <al...@oracle.com>]

On 2008-12-19 13:08, Paul Koning wrote:
> >>>>> "Bob" == Bob Archer <Bo...@amsi.com> writes:
> 
>  Bob> Understood... but I am going by what the OP email said. And I
>  Bob> may misunderstand what he means. But... from what I gather...
> 
>  Bob> He wants the user to have rw access to the repository via the
>  Bob> svn client but does NOT want him to have rw file system access
>  Bob> to the repository folder.
> 
> Oops, I missed that.  
> 
> That requires setting up the server end so svnserve can run through an
> SSH tunne, but regular interactive access is denied.  That's easy.
> Assign the users to a "shell" which is a script that refuses to let in
> anything other than svnserve.  Something like this:
> 
>  # cat /usr/local/bin/svnonly.sh
> #!/bin/bash
> if [ "$*" = "-c svnserve -t" ]; then
>     svnserve -t
>     exit $?
> fi
> while true; do
>     date; sleep 600;
> done;
> 

Alternately, you can use sudo prior to running svnserve on the server
with SVN+SSH.  You allow people to run the real svnserve binary using 
a script like this:

#!/bin/sh
#

SVNSERVE=$(dirname $(realpath $0))/svnserve.bin

if [ -z "$SUDO_USER" ] ; then
        exec sudo "$0" "$@"
fi
exec $SVNSERVE "--tunnel-user=$SUDO_USER" "--root=/repos" "$@"

Also, plain svn protocol is at as secure as https if you're using a
SASL mechanism that uses AES-256 encryption.  

-- 
Alec.Kloss@oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=987871

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

RE: access svn securely from the internet via sasl or ssh

[Paul Koning <Pa...@dell.com>]

>>>>> "Bob" == Bob Archer <Bo...@amsi.com> writes:

 Bob> Understood... but I am going by what the OP email said. And I
 Bob> may misunderstand what he means. But... from what I gather...

 Bob> He wants the user to have rw access to the repository via the
 Bob> svn client but does NOT want him to have rw file system access
 Bob> to the repository folder.

Oops, I missed that.  

That requires setting up the server end so svnserve can run through an
SSH tunne, but regular interactive access is denied.  That's easy.
Assign the users to a "shell" which is a script that refuses to let in
anything other than svnserve.  Something like this:

 # cat /usr/local/bin/svnonly.sh
#!/bin/bash
if [ "$*" = "-c svnserve -t" ]; then
    svnserve -t
    exit $?
fi
while true; do
    date; sleep 600;
done;

	paul

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=987685

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

RE: access svn securely from the internet via sasl or ssh

[Bob Archer <Bo...@amsi.com>]

Understood... but I am going by what the OP email said. And I may
misunderstand what he means. But... from what I gather...

He wants the user to have rw access to the repository via the svn client
but does NOT want him to have rw file system access to the repository
folder.

BOb


> -----Original Message-----
> From: Paul Koning [mailto:Paul_Koning@dell.com]
> Sent: Friday, December 19, 2008 12:58 PM
> To: Bob Archer
> Cc: bobdole1@web.de; users@subversion.tigris.org
> Subject: RE: access svn securely from the internet via sasl or ssh
> 
> >>>>> "Bob" == Bob Archer <Bo...@amsi.com> writes:
> 
>  Bob> From the svn bool.  " When running over a tunnel, authorization
>  Bob> is primarily controlled by operating system permissions to the
>  Bob> repository's database files; it's very much the same as if Harry
>  Bob> were accessing the repository directly via a file:// URL."
> 
> Ok.
> 
>  Bob> That says to me that the *nix user that is logged in needs rw
>  Bob> access to the repository files in order to access the
>  Bob> repository.
> 
> That doesn't follow.  The access is done by the svnserve daemon, using
> the credentials of the server-side username that SSH connected to.  If
> that user has read-only access to the repository -- easy to do by
> setting the uid/gid appropriately -- then that should give you
> read-only access to the data.
> 
> 	  paul
>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=987678

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

RE: access svn securely from the internet via sasl or ssh

[Paul Koning <Pa...@dell.com>]

>>>>> "Bob" == Bob Archer <Bo...@amsi.com> writes:

 Bob> From the svn bool.  " When running over a tunnel, authorization
 Bob> is primarily controlled by operating system permissions to the
 Bob> repository's database files; it's very much the same as if Harry
 Bob> were accessing the repository directly via a file:// URL."

Ok.

 Bob> That says to me that the *nix user that is logged in needs rw
 Bob> access to the repository files in order to access the
 Bob> repository. 

That doesn't follow.  The access is done by the svnserve daemon, using
the credentials of the server-side username that SSH connected to.  If
that user has read-only access to the repository -- easy to do by
setting the uid/gid appropriately -- then that should give you
read-only access to the data.

	  paul

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=987674

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

RE: access svn securely from the internet via sasl or ssh

[Bob Archer <Bo...@amsi.com>]

RE: access svn securely from the internet via sasl or ssh

[Paul Koning <Pa...@dell.com>]

>>>>> "Bob" == Bob Archer <Bo...@amsi.com> writes:

 Bob> Svn protocol isn't really secure. It is meant for intranets. SSH
 Bob> tunnel makes it secure but you said you don't want to give you
 Bob> users rw accsess to the repository. So, I think that only leaves
 Bob> moving to https via Apache. 

You can certainly deny read-write access when using svn+ssh.

	 paul

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=987664

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

RE: access svn securely from the internet via sasl or ssh

[Bob Archer <Bo...@amsi.com>]

Svn protocol isn't really secure. It is meant for intranets. SSH tunnel makes it secure but you said you don't  want to give you users rw accsess to the repository. So, I think that only leaves moving to https via Apache.

BOb


> -----Original Message-----
> From: bobdole1@web.de [mailto:bobdole1@web.de]
> Sent: Friday, December 19, 2008 10:07 AM
> To: users@subversion.tigris.org
> Subject: access svn securely from the internet via sasl or ssh
> 
> Hi!
> 
> I have a Ubuntu server with an svn repository (only svnserve -d, no
> WebDAV). What would be the simplest way to make it securely available to
> the internet? I think svn+ssh is rather insecure because you give each
> user a right to write directly (low-level) into the svn-repository.
> For, SASL, how much do I need to configure? Is it sufficient to add the
> following to the svn svnserve.conf:
> [sasl]
> use-sasl = true
> min-encryption = 128
> max-encryption = 256
> 
> Or do I really need all this extra configuration with sasl configuration:
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> sasldb_path: /etc/my_sasldb
> mech_list: DIGEST-MD5
> ...
> (as described in http://svnbook.red-
> bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnser
> ve.sasl ; section: Authentication with SASL)
> 
> I just need a connection to be as secure as regular ssh. :-) Thanks in
> advance!
> 
> Best, Philip
> ____________________________________________________________________
> Psssst! Schon vom neuen WEB.DE MultiMessenger gehört?
> Der kann`s mit allen: http://www.produkte.web.de/messenger/?did=3123
> 
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=
> 987502
> 
> To unsubscribe from this discussion, e-mail: [users-
> unsubscribe@subversion.tigris.org].

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=987611

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: access svn securely from the internet via sasl or ssh

[Boris Möller <bo...@web.de>]

Am Freitag 19 Dezember 2008 23:42:04 schrieb Alec Kloss:
> On 2008-12-19 13:08, Paul Koning wrote:
> > >>>>> "Bob" == Bob Archer <Bo...@amsi.com> writes:
> >
> >  Bob> Understood... but I am going by what the OP email said. And I
> >  Bob> may misunderstand what he means. But... from what I gather...
Yeah, exactly.
> >
> > That requires setting up the server end so svnserve can run through an
> > SSH tunne, but regular interactive access is denied.  That's easy.
> > Assign the users to a "shell" which is a script that refuses to let in
> > anything other than svnserve.  Something like this:
Well, actually I would like to have the option to use /bin/bash via ssh. (Actually the users use it for scp only currently.)

> >
> >  # cat /usr/local/bin/svnonly.sh
> > #!/bin/bash
> > if [ "$*" = "-c svnserve -t" ]; then
> >     svnserve -t
> >     exit $?
> > fi
> > while true; do
> >     date; sleep 600;
> > done;
>
> Alternately, you can use sudo prior to running svnserve on the server
> with SVN+SSH.  You allow people to run the real svnserve binary using
> a script like this:

Actually the server has only one user (meant as replacement for root) who is allowed to do sudo. But maybe I could just make a user "svn" with svnserve having setuid to "svn".
>
> #!/bin/sh
> #
>
> SVNSERVE=$(dirname $(realpath $0))/svnserve.bin
>
> if [ -z "$SUDO_USER" ] ; then
>         exec sudo "$0" "$@"
> fi
> exec $SVNSERVE "--tunnel-user=$SUDO_USER" "--root=/repos" "$@"

>
> Also, plain svn protocol is at as secure as https if you're using a
> SASL mechanism that uses AES-256 encryption.
Ok, so would it be sufficient to _only_ add
[sasl]
use-sasl = true
min-encryption = 256
max-encryption = 256
to the svnserve.conf? Or would I have to do all this extra stuff with say
 pwcheck_method: auxprop
 auxprop_plugin: sasldb
 sasldb_path: /etc/my_sasldb
 mech_list: DIGEST-MD5
etc.

My current picture is that adding only these first three lines just encrypts the traffics. But it doesn't encrypt the password. (Although it seems that the password is already encrypted using a simple algorithm even if everything is turned off. It's not transfered as plain text.)

By the way, maybe I am just too paranoid. IIRC Git and Bazaar also allow direct access to the filesystem... ;-)

    Philip
____________________________________________________________________
Psssst! Schon vom neuen WEB.DE MultiMessenger gehört? 
Der kann`s mit allen: http://www.produkte.web.de/messenger/?did=3123

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=988450

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].