You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Florian Pose <fl...@keenkiwi.de> on 2006/03/09 17:56:55 UTC
svnserve authentication without passwd file
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all!
I find it very convenient that Subversion uses the current (OS-)user for
authentication when accessing the repository through an SSH tunnel.
In a local network, I consider the SSH tunnel to produce too much
overhead, and I would like to use "normal" access through svnserve.
Unfortunately I have to supply svnserve with an extra passwd file.
Is there any way to make svnserve use the current-user information for
authentication? Or would that be insecure?
Thanks,
Florian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEEGxjTSAdWevar50RAptPAKCFz0esrwCLCr3aGh/y9891C5q5MgCfUcHG
mg5+K0ky//cXXxi5j+kDHMg=
=n65q
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve authentication without passwd file
Posted by Jim Correia <ji...@pobox.com>.
On Mar 9, 2006, at 2:14 PM, Phillip Susi wrote:
> What makes you think that SSH adds too much overhead? It only adds
> a little cpu load to the client and server; you really shouldn't
> notice it.
Using ssh can add measurable per connection overhead. It is the
reason why tools like fsh <http://www.lysator.liu.se/fsh/> exist.
For example, on my Dual 1.25GHz G4 (not a top of the line machine,
but by no means slow hardware) using svn+ssh:// to localhost instead
of svn:// or file:// results in a fixed overhead of about 1.8s for an
svn ls.
Jim
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve authentication without passwd file
Posted by Florian Pose <fl...@keenkiwi.de>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ryan Schmidt wrote:
>> When there is no need for the strong encryption SSH provides, why then
>> burden the server with the extra load?
>
> Because, aside from the benefit of ssh encryption, or the drawback of
> extra cpu cycles, depending on how you see it, svn+ssh also provides the
> feature you asked for: authentication via system user accounts.
That's why I used it that way, at least up to now.
Does svnserve just assume the current system user is authenticated when
it is called with the -t option?
>> Since the repository is used only in the intranet (or from outside
>> through VPN), the Apache solution is not really interesting for me.
>
> We use Apache to serve our repository which is only usually accessed
> internally within our company. Why do you think this configuration isn't
> relevant? We find it very handy to be able to set up Apache to
> authenticate to our LDAP server, which is the same LDAP server we use
> within the base OS for user account authentication. And our
> administrators already know how to administer an Apache server. I'm sure
> we also could have used the svn+ssh setup but since we're a web
> development shop the Apache solution was the most natural for us.
Ok, sounds really handy indeed. Nevertheless I have neither an LDAP
server for authentication, nor an Apache server running so far. So for
me, the straight-forward solution is the one with svnserve (resp.
svnserve/SSH).
Best regards,
Florian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEEJBITSAdWevar50RAjOeAJ94CPA6MugDcH5lFlJxt8Dd7XUsRgCfRPke
XiE+gO/HPbImqpB/fjdR2Bk=
=Pxzc
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve authentication without passwd file
Posted by Ryan Schmidt <su...@ryandesign.com>.
On Mar 9, 2006, at 20:39, Florian Pose wrote:
>> What makes you think that SSH adds too much overhead? It only adds a
>> little cpu load to the client and server; you really shouldn't
>> notice it.
>
> When there is no need for the strong encryption SSH provides, why then
> burden the server with the extra load?
Because, aside from the benefit of ssh encryption, or the drawback of
extra cpu cycles, depending on how you see it, svn+ssh also provides
the feature you asked for: authentication via system user accounts.
>> You can use https instead and authenticate with a client certificate,
>> but AFAIK, there isn't anything like ssh-agent for SSL
>> certificates, so
>> either the user will have to enter their password each time to
>> decrypt
>> their certificate, or store the certificate on disk unencrypted,
>> which
>> isn't good for security since anyone who manages to read that file
>> can
>> impersonate the user.
>
> Since the repository is used only in the intranet (or from outside
> through VPN), the Apache solution is not really interesting for me.
We use Apache to serve our repository which is only usually accessed
internally within our company. Why do you think this configuration
isn't relevant? We find it very handy to be able to set up Apache to
authenticate to our LDAP server, which is the same LDAP server we use
within the base OS for user account authentication. And our
administrators already know how to administer an Apache server. I'm
sure we also could have used the svn+ssh setup but since we're a web
development shop the Apache solution was the most natural for us.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve authentication without passwd file
Posted by Phillip Susi <ps...@cfl.rr.com>.
Florian Pose wrote:
> Hi Phillip!
>
>
> Thanks, this is what I wanted to know.
>
> BTW, couldn't one abuse this, by setting the $USER variable and then
> communicate with svnserve in tunnel mode?
>
Yes, they could, just like they could just ssh into the server and rm
-fr the entire repository. That's why you only give out accounts to
users you trust, or set their login shell to a restricted one that only
allows you to run svnserve, and nothing else ( such as change the
environment ).
> Ah, no, because in doubt the svnserve process wouldn't have enough
> rights on the repository files.
>
No, the user accounts must have access to the repository because
svnserve runs under their account.
> Now everything is clear! Thanks again!
>
> Best regards,
> Florian
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve authentication without passwd file
Posted by Florian Pose <fl...@keenkiwi.de>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Phillip!
Phillip Susi wrote:
> Because sshd invokes svnserv which causes it to not perform any
> authentication and use the $USER from the environment in commit
> messages. When you run svnserv in standalone mode, it is accepting
> remote connections, so it has to figure out who is connecting.
Thanks, this is what I wanted to know.
BTW, couldn't one abuse this, by setting the $USER variable and then
communicate with svnserve in tunnel mode?
Ah, no, because in doubt the svnserve process wouldn't have enough
rights on the repository files.
Now everything is clear! Thanks again!
Best regards,
Florian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEEKaQTSAdWevar50RAssuAKCxyiCKRMT9gDXYqmlO5kDDJ0mV8gCfSrHB
mK5GAoCRJfenIeIHpkKBFoo=
=VIU8
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve authentication without passwd file
Posted by Phillip Susi <ps...@cfl.rr.com>.
Florian Pose wrote:
> I know this, since it all stands in the book. Why are
> svn+ssh-connections treated as authenticated by default (see below)?
>
Because sshd invokes svnserv which causes it to not perform any
authentication and use the $USER from the environment in commit
messages. When you run svnserv in standalone mode, it is accepting
remote connections, so it has to figure out who is connecting.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve authentication without passwd file
Posted by Florian Pose <fl...@keenkiwi.de>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Phillip Susi wrote:
> That is because subversion doesn't even know you are connected remotely
> with the ssh tunnel. SSH logs in to the server, and invokes subversion
> just as if you were logged on locally at the server. The server doesn't
> handle any part of the login. When you run svnserve, it is listening
> for connections and it must authenticate the user.
I know this, since it all stands in the book. Why are
svn+ssh-connections treated as authenticated by default (see below)?
$ svnadmin create rep
$ emacs rep/conf/svnserve.conf (set anon-access to "none")
$ svn co svn://localhost/.../rep wc1
svn: No access allowed to this repository
$ svn co svn+ssh://localhost/.../svn-auth/rep wc1
Ausgecheckt, Revision 0.
If, as you say, svnserve doesn't care about how it is invoked, why this
behavior?
>> When there is no need for the strong encryption SSH provides, why then
>> burden the server with the extra load?
>
> I think this is another case of wrong optimization. Optimize the
> bottleneck first. Unless you have done some profiling and know that ssh
> is chewing up a lot of time, then you are barking up the wrong tree.
> I'll bet money that the extra cpu overhead that ssh adds is negligible,
> but the only way to know for sure is to profile it.
I, too, assume that ssh adds no significantly load to the server, and
this isn't worth discussing about, but why use an additional technology
that gives me no overvalue?
>> Since the repository is used only in the intranet (or from outside
>> through VPN), the Apache solution is not really interesting for me.
>
> Why not? It does what you need, so what's the fact that you're only
> using it on a local network got to do with it? Also it frees you from
> having to use the kludgey VPN junk to access the repository securely
> from anywhere in the world.
I don't want a security discussion, but setting up a public webserver
just to handle subversion access seems to be ripping up more possible
security holes than using it with the VPN that runs anyway. Moreover,
the VPN technology used (OpenVPN) uses SSL, too.
Best regards,
Florian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEEJTfTSAdWevar50RAmyoAKCL1BLWYsMZLTr11r3Ovxw5Q0EyxwCfVCeU
rW6LgKyxrcXLlgo4Yhkm2Ho=
=Lndd
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve authentication without passwd file
Posted by Phillip Susi <ps...@cfl.rr.com>.
Florian Pose wrote:
> I noticed that Subversion treats SSH-tunneled connections as
> "authenticated" and sets the user name in the logs correctly. If I
> connect to the repository via local- or svnserve-access, the connection
> is treated as "unauthenticated" by default.
>
>
That is because subversion doesn't even know you are connected remotely
with the ssh tunnel. SSH logs in to the server, and invokes subversion
just as if you were logged on locally at the server. The server doesn't
handle any part of the login. When you run svnserve, it is listening
for connections and it must authenticate the user.
> I inferred, that the tunneled access gets a special treatment. I just
> wondered how this is done and if it can be done similarly in non-SSH
> connections.
>
>
See above.
> When there is no need for the strong encryption SSH provides, why then
> burden the server with the extra load?
>
>
I think this is another case of wrong optimization. Optimize the
bottleneck first. Unless you have done some profiling and know that ssh
is chewing up a lot of time, then you are barking up the wrong tree.
I'll bet money that the extra cpu overhead that ssh adds is negligible,
but the only way to know for sure is to profile it.
>> You can use https instead and authenticate with a client certificate,
>> but AFAIK, there isn't anything like ssh-agent for SSL certificates, so
>> either the user will have to enter their password each time to decrypt
>> their certificate, or store the certificate on disk unencrypted, which
>> isn't good for security since anyone who manages to read that file can
>> impersonate the user.
>>
>
> Since the repository is used only in the intranet (or from outside
> through VPN), the Apache solution is not really interesting for me.
>
Why not? It does what you need, so what's the fact that you're only
using it on a local network got to do with it? Also it frees you from
having to use the kludgey VPN junk to access the repository securely
from anywhere in the world.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve authentication without passwd file
Posted by Florian Pose <fl...@keenkiwi.de>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Phillip Susi wrote:
> Subversion has no understanding of user logins of any particular OS. If
> you are using SSH then the user either has to supply a password or a
> private key. That private key may be obtained from ssh-agent if the
> user is using that and set up their environment to tell ssh to talk to
> ssh-agent, but subversion has no concept of login beyond the fact that
> ssh can connect to the server.
I noticed that Subversion treats SSH-tunneled connections as
"authenticated" and sets the user name in the logs correctly. If I
connect to the repository via local- or svnserve-access, the connection
is treated as "unauthenticated" by default.
I inferred, that the tunneled access gets a special treatment. I just
wondered how this is done and if it can be done similarly in non-SSH
connections.
> What makes you think that SSH adds too much overhead? It only adds a
> little cpu load to the client and server; you really shouldn't notice it.
When there is no need for the strong encryption SSH provides, why then
burden the server with the extra load?
> You can use https instead and authenticate with a client certificate,
> but AFAIK, there isn't anything like ssh-agent for SSL certificates, so
> either the user will have to enter their password each time to decrypt
> their certificate, or store the certificate on disk unencrypted, which
> isn't good for security since anyone who manages to read that file can
> impersonate the user.
Since the repository is used only in the intranet (or from outside
through VPN), the Apache solution is not really interesting for me.
Thanks,
Florian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEEISITSAdWevar50RArNnAJ90vEujpyyNGUpnbQpdOj0AqnhrLgCgslQc
+jKkF1mXfL0xksHK1JerI9c=
=3h2V
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve authentication without passwd file
Posted by Phillip Susi <ps...@cfl.rr.com>.
Florian Pose wrote:
> Hi all!
>
> I find it very convenient that Subversion uses the current (OS-)user for
> authentication when accessing the repository through an SSH tunnel.
>
>
Subversion has no understanding of user logins of any particular OS. If
you are using SSH then the user either has to supply a password or a
private key. That private key may be obtained from ssh-agent if the
user is using that and set up their environment to tell ssh to talk to
ssh-agent, but subversion has no concept of login beyond the fact that
ssh can connect to the server.
> In a local network, I consider the SSH tunnel to produce too much
> overhead, and I would like to use "normal" access through svnserve.
> Unfortunately I have to supply svnserve with an extra passwd file.
>
>
What makes you think that SSH adds too much overhead? It only adds a
little cpu load to the client and server; you really shouldn't notice it.
> Is there any way to make svnserve use the current-user information for
> authentication? Or would that be insecure?
You can use https instead and authenticate with a client certificate,
but AFAIK, there isn't anything like ssh-agent for SSL certificates, so
either the user will have to enter their password each time to decrypt
their certificate, or store the certificate on disk unencrypted, which
isn't good for security since anyone who manages to read that file can
impersonate the user.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve authentication without passwd file
Posted by Florian Pose <fl...@keenkiwi.de>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Florian Pose wrote:
> Is there any way to make svnserve use the current-user information for
> authentication? Or would that be insecure?
Ok, I answered the question by myself. There is no way for svnserve to
know, which user is connecting...
Anyway, providing a redundant passwd file does not seem to be nice for me...
What is your opinion?
Thanks,
Florian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEEG3BTSAdWevar50RAjaTAJ0bviHF/n+PfI/dYTZibucD7ScJTQCcDiWB
8YNH72R/aLmF3XM7ZDoV1oY=
=zwNh
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org