Posted to users@subversion.apache.org by Alexandre Moraes <al...@gmail.com> on 2009/08/28 17:58:36 UTC

How to configure Apache2+SVN+PAM

Hi,

I'm looking through the web but it's hard to find how to configure
PAM+Apache2+Svn.

Anyone can help me or tell me some documentation?

Thanks

Alexandre Moraes

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388345

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].


Re: How to configure Apache2+SVN+PAM

Posted by Andy Levy <an...@gmail.com>.
On Mon, Aug 31, 2009 at 07:38, Nico Kadel-Garcia<nk...@gmail.com> wrote:
> On Mon, Aug 31, 2009 at 2:26 AM, Andrey Repin<an...@freemail.ru> wrote:
>> Greetings, Nico Kadel-Garcia!
>>
>>> On Mon, Aug 31, 2009 at 1:31 AM, Jason Malinowski<ja...@jason-m.com> wrote:
>>>>> Most of my acquaintances use TortoiseSVN (which is admittedly better
>>>>> about this and has been for ages.)
>>>>
>>>> TortoiseSVN uses the same Crypto APIs as the command line packages. Thus, passwords aren't stored in plaintext.
>>>>
>>>> Jason Malinowski
>>
>>> Good. It's fixed in Windows. (Doesn't fix it in UNIX or Linux, but
>>> that's a good step.)
>>
>> 3rd message and you didn't bother reading the replies to your posts at all.
>> Go back and read them please.
>
> Are you referring to Ryan's? And his reference to the wallets? Those
> are out-of-band wrappers, and don't fix the underlying problem.

How are they "out of band wrappers"? the functionality is included in
the official source.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388871


Re: How to configure Apache2+SVN+PAM

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Mon, Aug 31, 2009 at 2:26 AM, Andrey Repin<an...@freemail.ru> wrote:
> Greetings, Nico Kadel-Garcia!
>
>> On Mon, Aug 31, 2009 at 1:31 AM, Jason Malinowski<ja...@jason-m.com> wrote:
>>>> Most of my acquaintances use TortoiseSVN (which is admittedly better
>>>> about this and has been for ages.)
>>>
>>> TortoiseSVN uses the same Crypto APIs as the command line packages. Thus, passwords aren't stored in plaintext.
>>>
>>> Jason Malinowski
>
>> Good. It's fixed in Windows. (Doesn't fix it in UNIX or Linux, but
>> that's a good step.)
>
> 3rd message and you didn't bother reading the replies to your posts at all.
> Go back and read them please.

Are you referring to Ryan's? And his reference to the wallets? Those
are out-of-band wrappers, and don't fix the underlying problem.

This is an old set of issues: storing the passwords in cleartext was a
bad idea from day one, and it's been band-aids and duct tape trying to
close the holes on it ever since.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388861


Re: How to configure Apache2+SVN+PAM

Posted by Andrey Repin <an...@freemail.ru>.
Greetings, Nico Kadel-Garcia!

> On Mon, Aug 31, 2009 at 1:31 AM, Jason Malinowski<ja...@jason-m.com> wrote:
>>> Most of my acquaintances use TortoiseSVN (which is admittedly better
>>> about this and has been for ages.)
>>
>> TortoiseSVN uses the same Crypto APIs as the command line packages. Thus, passwords aren't stored in plaintext.
>>
>> Jason Malinowski

> Good. It's fixed in Windows. (Doesn't fix it in UNIX or Linux, but
> that's a good step.)

3rd message and you didn't bother reading the replies to your posts at all.
Go back and read them please.


--
WBR,
 Andrey Repin (anrdaemon@freemail.ru) 31.08.2009, <10:25>

Sorry for my terrible English...

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388760


Re: How to configure Apache2+SVN+PAM

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Mon, Aug 31, 2009 at 1:31 AM, Jason Malinowski<ja...@jason-m.com> wrote:
>> Most of my acquaintances use TortoiseSVN (which is admittedly better
>> about this and has been for ages.)
>
> TortoiseSVN uses the same Crypto APIs as the command line packages. Thus, passwords aren't stored in plaintext.
>
> Jason Malinowski

Good. It's fixed in Windows. (Doesn't fix it in UNIX or Linux, but
that's a good step.)

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388748


RE: How to configure Apache2+SVN+PAM

Posted by Jason Malinowski <ja...@jason-m.com>.
> Most of my acquaintances use TortoiseSVN (which is admittedly better
> about this and has been for ages.)

TortoiseSVN uses the same Crypto APIs as the command line packages. Thus, passwords aren't stored in plaintext.

Jason Malinowski


> -----Original Message-----
> From: Nico Kadel-Garcia [mailto:nkadel@gmail.com]
> Sent: Sunday, August 30, 2009 9:37 PM
> To: Ryan Schmidt
> Cc: Alexandre Moraes; Subversion Users
> Subject: Re: How to configure Apache2+SVN+PAM
> 
> On Sat, Aug 29, 2009 at 10:42 PM, Ryan
> Schmidt<su...@ryandesign.com> wrote:
> >
> > On Aug 29, 2009, at 09:44, Nico Kadel-Garcia wrote:
> >
> >>> I'm looking through the web but it's hard to find how to configure
> >>> PAM+Apache2+Svn.
> >>
> >> [ Yes, I rant about this. Yes, I am a broken record, but it needs
> >> repeating for new users. ]
> >>
> >> *DON'T*. Seriously. Unless you can assure that your clients are not
> >> going to use the default subversion clients, which store passwords in
> >> cleartext by default, any such service is a serious security pitfall.
> >
> > In a message last week that you did not respond to, I replied [1] to your
> 
> Didn't notice your message. Sorry about that, this isn't a full-time
> hobby, and I don't want to achieve 'net.kook' status for my concerns
> about this.
> 
> > prior rant on this topic a week ago explaining that the Subversion client
> > does not store passwords in clear text anymore for most users. I referred
> > you to the Subversion 1.6, 1.4, and 1.2 release notes which state that this
> > is so. Are you saying this is not correct, or that the implementation is
> > flawed? Please elaborate.
> 
> The *reference*, UNIX and Linux versions, store passwords in
> $HOME/.svn/auth/.  You made claims that the "Windows" version of
> Subversion does not commit this hideous security obscenity. Is
> this the CollabNet published client? If so, who in the heck uses that?
> Most of my acquaintances use TortoiseSVN (which is admittedly better
> about this and has been for ages.)
> 
> That's good if it's better in Windows. But the Subversion tools
> underlying the Gnome and KDE wallets, namely 'svn' itself, still
> stores $HOME/.svn/auth keys. The Gnome and KDE wallets don't remove
> those, unless they've gotten *really* clever in the last year or two.
> They just provide another access method to first store the keys, when
> you have your Gnome or KDE session open. Try to run it from a
> Makefile, or a cron job or another automated build structure, and you
> have a problem.
> 
> The wallets are nice, especially for managing svn+ssh keys. Since they
> exist, though, why is the code even present for putting keys in
> $HOME/.svn/auth? Why isn't auto-store turned off by default, instead
> of merely with a warning?
> 
> Ryan, these have been issues for years: Stapling wallets on top of
> them helps, but the use of password and security wallets are not
> enforced in the UNIX/Linux world.
> 
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388739
> 
> To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388745



Re: How to configure Apache2+SVN+PAM

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Sat, Aug 29, 2009 at 10:42 PM, Ryan
Schmidt<su...@ryandesign.com> wrote:
>
> On Aug 29, 2009, at 09:44, Nico Kadel-Garcia wrote:
>
>>> I'm looking through the web but it's hard to find how to configure
>>> PAM+Apache2+Svn.
>>
>> [ Yes, I rant about this. Yes, I am a broken record, but it needs
>> repeating for new users. ]
>>
>> *DON'T*. Seriously. Unless you can assure that your clients are not
>> going to use the default subversion clients, which store passwords in
>> cleartext by default, any such service is a serious security pitfall.
>
> In a message last week that you did not respond to, I replied [1] to your

Didn't notice your message. Sorry about that, this isn't a full-time
hobby, and I don't want to achieve 'net.kook' status for my concerns
about this.

> prior rant on this topic a week ago explaining that the Subversion client
> does not store passwords in clear text anymore for most users. I referred
> you to the Subversion 1.6, 1.4, and 1.2 release notes which state that this
> is so. Are you saying this is not correct, or that the implementation is
> flawed? Please elaborate.

The *reference*, UNIX and Linux versions, store passwords in
$HOME/.svn/auth/.  You made claims that the "Windows" version of
Subversion does not commit this hideous security obscenity. Is
this the CollabNet published client? If so, who in the heck uses that?
Most of my acquaintances use TortoiseSVN (which is admittedly better
about this and has been for ages.)

That's good if it's better in Windows. But the Subversion tools
underlying the Gnome and KDE wallets, namely 'svn' itself, still
stores $HOME/.svn/auth keys. The Gnome and KDE wallets don't remove
those, unless they've gotten *really* clever in the last year or two.
They just provide another access method to first store the keys, when
you have your Gnome or KDE session open. Try to run it from a
Makefile, or a cron job or another automated build structure, and you
have a problem.

The wallets are nice, especially for managing svn+ssh keys. Since they
exist, though, why is the code even present for putting keys in
$HOME/.svn/auth? Why isn't auto-store turned off by default, instead
of merely with a warning?

Ryan, these have been issues for years: Stapling wallets on top of
them helps, but the use of password and security wallets are not
enforced in the UNIX/Linux world.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388739

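
The disagreement above is about what the stock Unix client leaves on disk. The following audit script is an added example, not code from this thread or from the Subversion project: it parses the per-realm cache files under ~/.subversion/auth/svn.simple (Subversion's `K <len>` / `V <len>` / `END` hash format), reports which entries carry a literal `password` field (passtype `simple`) and which only reference a wallet, and reads the `[auth]` settings in ~/.subversion/config that Subversion 1.6 introduced. The sample cache entries, realm, user names, hex file names and config are constructed for the demo.

```python
# Added example: audit a Subversion client's credential cache for plaintext
# passwords. Assumes the stock Unix layout <dir>/auth/svn.simple/ and <dir>/config.
import configparser
import tempfile
from pathlib import Path

# 'passtype' values written when a wallet holds the secret; only 'simple'
# puts the password itself into the cache file.
WALLET_PASSTYPES = {"wincrypt", "keychain", "kwallet", "gnome-keyring", "gpg-agent"}

def parse_svn_hash(data: bytes) -> dict:
    """Parse one cache file: 'K <len>\\n<key>\\nV <len>\\n<value>\\n'... 'END'.
    Lengths are byte counts, so values may contain spaces; never split on them."""
    out, pos = {}, 0
    while True:
        nl = data.index(b"\n", pos)
        header, pos = data[pos:nl], nl + 1
        if header == b"END":
            return out
        if not header.startswith(b"K "):
            raise ValueError(f"expected 'K <len>' or 'END', got {header!r}")
        klen = int(header[2:])
        key = data[pos:pos + klen].decode("utf-8")
        pos += klen + 1                     # key bytes plus trailing newline
        nl = data.index(b"\n", pos)
        header, pos = data[pos:nl], nl + 1
        if not header.startswith(b"V "):
            raise ValueError(f"expected 'V <len>' after {key!r}, got {header!r}")
        vlen = int(header[2:])
        out[key] = data[pos:pos + vlen].decode("utf-8")
        pos += vlen + 1

def svn_hash_bytes(entry: dict) -> bytes:
    """Serialise a dict in the same format (used here only to build samples)."""
    parts = []
    for key, value in entry.items():
        k, v = key.encode("utf-8"), value.encode("utf-8")
        parts.append(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v))
    return b"".join(parts) + b"END\n"

def classify_entry(entry: dict) -> str:
    """'plaintext' if the password is in the file, 'wallet' if only a reference."""
    passtype = entry.get("passtype")
    if passtype == "simple" or "password" in entry:
        return "plaintext"
    return "wallet" if passtype in WALLET_PASSTYPES else "unknown"

def audit_auth_dir(subversion_dir) -> list:
    """Report every cached realm under <subversion_dir>/auth/svn.simple."""
    simple_dir = Path(subversion_dir) / "auth" / "svn.simple"
    findings = []
    for cache_file in sorted(simple_dir.iterdir()) if simple_dir.is_dir() else []:
        entry = parse_svn_hash(cache_file.read_bytes())
        findings.append({"file": cache_file.name,
                         "realm": entry.get("svn:realmstring", "?"),
                         "username": entry.get("username", "?"),
                         "status": classify_entry(entry)})
    return findings

def read_auth_settings(subversion_dir) -> dict:
    """Read the [auth] knobs from <subversion_dir>/config. Subversion 1.6 added
    store-plaintext-passwords (yes/no/ask); absent keys take the client default."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(Path(subversion_dir) / "config")
    auth = cfg["auth"] if cfg.has_section("auth") else {}
    return {"store-passwords": auth.get("store-passwords", "yes"),
            "store-plaintext-passwords": auth.get("store-plaintext-passwords", "ask"),
            "password-stores": auth.get("password-stores", "")}

# Constructed samples: a pre-wallet entry with the password in the clear, and a
# GNOME keyring entry for the same realm that carries no password at all.
REALM = "<https://svn.example.test:443> Subversion Repository"
SAMPLE_PLAINTEXT = svn_hash_bytes({"passtype": "simple", "password": "hunter2",
                                   "svn:realmstring": REALM, "username": "alice"})
SAMPLE_WALLET = svn_hash_bytes({"passtype": "gnome-keyring",
                                "svn:realmstring": REALM, "username": "bob"})
SAMPLE_CONFIG = "[auth]\nstore-passwords = yes\nstore-plaintext-passwords = no\n"

def build_sample_home(root) -> Path:
    """Create a fake .subversion tree under root (the hex file names are made up)."""
    simple_dir = Path(root) / ".subversion" / "auth" / "svn.simple"
    simple_dir.mkdir(parents=True)
    (simple_dir / "0a1b2c3d4e5f60718293a4b5c6d7e8f9").write_bytes(SAMPLE_PLAINTEXT)
    (simple_dir / "f9e8d7c6b5a49382716f5e4d3c2b1a00").write_bytes(SAMPLE_WALLET)
    (simple_dir.parent.parent / "config").write_text(SAMPLE_CONFIG)
    return simple_dir.parent.parent

def demo() -> tuple:
    """Run the audit on the sample tree; returns (settings, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        subv = build_sample_home(tmp)
        return read_auth_settings(subv), audit_auth_dir(subv)

if __name__ == "__main__":
    settings, findings = demo()
    print("client settings:", settings)
    for f in findings:
        print(f"{f['status']:9s} {f['username']} @ {f['realm']}  ({f['file']})")
```

To run it against a real account, pass the path to that user's .subversion directory to audit_auth_dir() and read_auth_settings(). A 'plaintext' finding means anyone who can read the file has the password; a 'wallet' entry holds only the realm and user name, and `store-plaintext-passwords = no` in `[auth]` stops the client from writing new plaintext entries.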


Re: How to configure Apache2+SVN+PAM

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Aug 29, 2009, at 09:44, Nico Kadel-Garcia wrote:

>> I'm looking through the web but it's hard to find how to configure
>> PAM+Apache2+Svn.
>
> [ Yes, I rant about this. Yes, I am a broken record, but it needs
> repeating for new users. ]
>
> *DON'T*. Seriously. Unless you can assure that your clients are not
> going to use the default subversion clients, which store passwords in
> cleartext by default, any such service is a serious security pitfall.

In a message last week that you did not respond to, I replied [1] to  
your prior rant on this topic a week ago explaining that the  
Subversion client does not store passwords in clear text anymore for  
most users. I referred you to the Subversion 1.6, 1.4, and 1.2 release  
notes which state that this is so. Are you saying this is not correct,  
or that the implementation is flawed? Please elaborate.


[1] http://svn.haxx.se/users/archive-2009-08/0550.shtml

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388601



Re: How to configure Apache2+SVN+PAM

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Fri, Aug 28, 2009 at 1:58 PM, Alexandre Moraes<al...@gmail.com> wrote:
> Hi,
>
> I'm looking through the web but it's hard to find how to configure
> PAM+Apache2+Svn.

[ Yes, I rant about this. Yes, I am a broken record, but it needs
repeating for new users. ]

*DON'T*. Seriously. Unless you can assure that your clients are not
going to use the default subversion clients, which store passwords in
cleartext by default, any such service is a serious security pitfall.
Subversion 1.6.x improved the situation somewhat with the change to
ask the client before storing the passwords that way, but that should
have *NEVER* been the default behavior of the client: it's led to a
host of truly awful security practices, especially in environments
(such as you are describing) where the user's normal login password
would be used for subversion HTTPS access.

There are clients that do not do this, and that implement considerably
more secure wallets, but unless you actually delete the binary or
deliberately edit svn source code to disable password handling (which
I've done in the past!), you can't prevent arbitrary clients from
discarding any pretense of site security.

Use HTTP access only for anonymous, unauthorized site-wide access. Use
HTTPS only for SSL key access, not password access, especially do not
use it for passwords based on your normal login passwords. And use
svn+ssh with public key management to provide protected access, unless
you want those passwords published in the readable
$HOME/.subversion/auth/ directory of every UNIX or Linux client.

Now, with all that ranting over:

If you have your heart set on this, it works well in RHEL 5 and recent
Fedora versions with the built-in httpd, mod_dav_svn, and some merging
from the kerberos configuration utilities in /etc/httpd/conf.d/ into
the subversion.conf file there. What OS are you working with, which
Subversion and which 'Apache2'?

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388537

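
An added example of the layout described in the last paragraph, not configuration from this thread or from the Subversion project: a RHEL 5 style /etc/httpd/conf.d/subversion.conf that serves repositories through mod_dav_svn over TLS only and takes its authentication directives from mod_auth_kerb (the module that RHEL's stock auth_kerb.conf configures) instead of from a password prompt, which is the arrangement Nico warns against. The repository path, authz file, realm and keytab location are assumptions.

```apache
# /etc/httpd/conf.d/subversion.conf  (RHEL 5 layout; the paths, realm and
# keytab below are assumptions for this example)
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
# Normally loaded by auth_kerb.conf; merged here so one file owns the
# Subversion location and its authentication.
LoadModule auth_kerb_module   modules/mod_auth_kerb.so

<Location /repos>
    DAV svn
    SVNParentPath /var/www/svn
    SVNListParentPath Off

    # Refuse this location over plain http://; credentials never leave TLS.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Subversion repositories"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/conf/httpd.keytab
    KrbMethodNegotiate On
    # Off: do not fall back to accepting the user's Kerberos password over
    # Basic auth, which is the "normal login password over HTTPS" case that
    # ends up in the client's auth cache.
    KrbMethodK5Passwd Off
    KrbSaveCredentials Off

    # Per-path read/write rules live in the authz file, not in httpd.conf.
    AuthzSVNAccessFile /etc/httpd/conf/svn-authz
    Require valid-user
</Location>
```

With KrbMethodK5Passwd Off only a Negotiate (GSSAPI) exchange is accepted, so a client authenticates with a ticket from kinit and has no password to send or to cache; that requires an svn client whose HTTP library was built with GSSAPI support. After restarting httpd, check that `svn ls https://host/repos/` succeeds with a ticket and that the same URL over plain http:// is refused.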