Posted to users@subversion.apache.org by Pe...@bench.com on 2004/12/22 18:43:01 UTC

svn + apache + ssl

Hello All,
 
I hope you're all having a good holiday season so far.  I'm attempting to set up a SVN server.  My machine is RHEL 3 using Apache 2.0.52, mod_ssl 2.0.52, OpenSSL 0.9.7a, DAV 2, and SVN 1.1.1.  What I would like to accomplish is svn access through Apache and being authenticated using a single SSL x509 cert.  I have a group of local accounts that are chroot jailed, so straight svn access isn't something I can do (ex: svn co svn://ip/svn/repo).  So what I foresee is access through Apache which doesn't go through the local accounts (ex: svn co https://ip/svn/repo).  I understand that during the checkout it stores user credentials.  My problem is that I can 'co' just fine, but I can't edit and then commit.  Here is the command I used to create the working copy...
 
svn co --username testaccount --password testaccount https://192.168.1.254/svn/design
 
I created an account called 'testaccount'.  Here are the config portions that are relevant...
 
 
 
httpd.conf..
<Location /svn>
DAV svn
SVNParentPath /usr/local/subversion/repositories
 
# our access control policy
AuthzSVNAccessFile /usr/local/subversion/svn-auth-users-access
 
# try anonymous access first, resort to real
# authentication if necessary.
Require valid-user
 
SSLVerifyClient require
SSLVerifyDepth  2
 
# how to authenticate a user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /usr/local/subversion/httpd-svn-auth-users-pw
</Location>
 
 
NOTE: The AuthUserFile directive above and the password-db are two different files but httpdxxx is htpasswd encrypted and the svn-authxxx is plain text.  Both containing the same info though.
 
 
svnserve.conf...
[general]
password-db = /usr/local/subversion/svn-auth-users-pw
realm = Design Engineering
 
# anonymous users aren't allowed
anon-access = none
 
# authenticated users can both read and write
auth-access = write
 
 
 
the svnserver is run as svn...
svn      32481  0.0  0.0  4936  940 ?        S    Dec21   0:00 /usr/local/bin/svnserve.orig -d -T -r /usr/local/subversion/repositories
 
 
 
I created the repo as such...
svnadmin create /usr/local/subversion/repositories/design
chown -R svn:svn *
chmod 775 design
chmod -R g=u design
/usr/local/bin/htpasswd -m /usr/local/subversion/httpd-svn-auth-users-pw testaccount
 
 
 
cat /usr/local/subversion/svn-auth-users-access
[groups]
everyone = testaccount
testaccount-host = 192.168.1.23
 
[design:/]
@everyone = rw
 
[testaccount-host]
ssl-client-cert-file = /usr/local/conf/ssl.users/sslusers.p12
ssl-client-cert-password = blah
 
 
 
 
I have created three sets of SSL certs (CA, Server, Client)...
ls /usr/local/conf/ssl.key
ca.csr  ca.key  server.csr  server.key  sslusers.csr  sslusers.key
 
ls /usr/local/conf/ssl.crt
ca.crt  server.crt  sslusers.crt
 
ls /usr/local/conf/ssl.users
sslusers.p12
 
 
 
I'm not sure what else to add here, but here is my problem...
 
svn co --username testaccount --password testaccount https://192.168.1.254/svn/design
svn commit -m "testing." --username testaccount --password testaccount
Authentication realm: https://192.168.1.254:443
Client certificate filename: /home/testaccount/sslusers.p12
Passphrase for '/home/testaccount/sslusers.p12':
Sending        nforce4/Config.lb
Transmitting file data .svn: Commit failed (details follow):
svn: PUT of '/svn/design/!svn/wrk/93cedd7b-d8eb-0310-b2c4-90868bc6e483/freebios2/targets/nvidia/nforce4/Config.lb': 403 Forbidden (https://192.168.1.254)
 
 
 
Any help is greatly appreciated.  Happy Holidays.
 
Cheers,
Pete
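
An added example, not part of the original post and not Subversion's own code: a simplified Python model of how a path-based access file like the one shown above is read (group membership, then the nearest `[repo:/path]` or `[/path]` section that names the user), run on the file as posted. The function names are hypothetical; it also lists sections that are neither `[groups]` nor path rules, such as the one holding `ssl-client-cert-file`, which is the name of an option from the client-side `servers` file.

```python
import configparser

# Constructed input: the access file exactly as shown in the post.
ACCESS_FILE = """\
[groups]
everyone = testaccount
testaccount-host = 192.168.1.23

[design:/]
@everyone = rw

[testaccount-host]
ssl-client-cert-file = /usr/local/conf/ssl.users/sslusers.p12
ssl-client-cert-password = blah
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def non_rule_sections(cp):
    """Sections that are neither [groups] nor a [/path] / [repo:/path] rule."""
    return [s for s in cp.sections()
            if s != "groups" and not (s.startswith("/") or ":/" in s)]

def access(cp, user, repo, path):
    """Simplified lookup (assumption, not mod_authz_svn itself): walk from the
    path up to '/', and let the first section that names the user decide."""
    groups = {}
    if cp.has_section("groups"):
        groups = {g: [u.strip() for u in v.split(",")]
                  for g, v in cp["groups"].items()}
    path = "/" + path.strip("/")
    while True:
        for section in (f"{repo}:{path}", path):  # repo-specific rule first
            if not cp.has_section(section):
                continue
            perms = [p.strip() for who, p in cp[section].items()
                     if who in (user, "*")
                     or (who.startswith("@") and user in groups.get(who[1:], []))]
            if perms:
                return "".join(sorted(set("".join(perms))))
        if path == "/":
            return ""  # no rule names this user: no access
        path = path.rsplit("/", 1)[0] or "/"
```
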