Posted to users@subversion.apache.org by baz themail <ba...@gmail.com> on 2009/09/23 17:49:24 UTC

Re: what is the best way to set up secure svn server for people outside the firewall to access it?

Thanks for your reply.

Can anyone give me a procedure to set up a mid-level security svn server and
a high-level security svn server? Sorry if I am asking too much :)

A.

On Wed, Sep 23, 2009 at 9:46 AM, Andrey Repin <an...@freemail.ru> wrote:

> Greetings, baz themail!
>
> > what is the best/recommended way to set up secure svn server for people
> > outside the firewall to access it?
>
> Depends what the level of security you want.
> No simple answer.
>
>
> --
> WBR,
>  Andrey Repin (anrdaemon@freemail.ru) 23.09.2009, <20:46>
>
> Sorry for my terrible english...
>
>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2399004

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: what is the best way to set up secure svn server for people outside the firewall to access it?

Posted by Alec Kloss <al...@oracle.com>.
On 2009-09-23 17:42, Nico Kadel-Garcia wrote:
> On Wed, Sep 23, 2009 at 1:49 PM, baz themail <ba...@gmail.com> wrote:
> > Thanks for your reply.
> >
> > Anyone can give me a procedure to set up mid level security svn server and
> > high level security svn server? Sorry if i am asking too much :)
> >
> > A.
> >
> > On Wed, Sep 23, 2009 at 9:46 AM, Andrey Repin <an...@freemail.ru> wrote:
> >>
> >> Greetings, baz themail!
> >>
> >> > what is the best/recommended way to set up secure svn server for people
> >> > outside the firewall to access it?
> >>
> >> Depends what the level of security you want.
> >> No simple answer.
> 
> Well, start by considering how Sourceforge does it. Individual
> repositories with different projects, different people have different
> access to it, and the only permitted write access is via svn+ssh in
> order to avoid the 'store passwords in cleartext' that has been
> inherent in Subversion's services since day one. You'll need to manage
> the SSH keys for individual repositories, for which I've never found a
> good tool, but it's a start
> 

Using the GSSAPI support built into SASL and mod_auth_kerb in
Apache (over HTTPS) allows you to have secure subversion access
using a common user base, centralized key management, and
single sign-on all in one fell swoop.  As an added bonus you can 
run subversion on a "sealed" server where there are no end
user accounts.  The downside is it's difficult to set up and some
(many) binary distributions of Subversion don't include GSSAPI or
Negotiate authentication support.

-- 
Alec.Kloss@oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

Re: what is the best way to set up secure svn server for people outside the firewall to access it?

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Wed, Sep 23, 2009 at 1:49 PM, baz themail <ba...@gmail.com> wrote:
> Thanks for your reply.
>
> Anyone can give me a procedure to set up mid level security svn server and
> high level security svn server? Sorry if i am asking too much :)
>
> A.
>
> On Wed, Sep 23, 2009 at 9:46 AM, Andrey Repin <an...@freemail.ru> wrote:
>>
>> Greetings, baz themail!
>>
>> > what is the best/recommended way to set up secure svn server for people
>> > outside the firewall to access it?
>>
>> Depends what the level of security you want.
>> No simple answer.

Well, start by considering how Sourceforge does it. Individual
repositories with different projects, different people have different
access to it, and the only permitted write access is via svn+ssh in
order to avoid the 'store passwords in cleartext' that has been
inherent in Subversion's services since day one. You'll need to manage
the SSH keys for individual repositories, for which I've never found a
good tool, but it's a start

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2399087


Re: what is the best way to set up secure svn server for people outside the firewall to access it?

Posted by Andrey Repin <an...@freemail.ru>.
Greetings, baz themail!

>> > Anyone can give me a procedure to set up mid level security svn server and
>> > high level security svn server? Sorry if i am asking too much :)
>>
>> Define "mid-level". Better asked, explain your needs and we'll see if we can
>> help you.

> For example, I would like to setup a https svn site just like
> http://unfuddle.com/ or http://svnrepository.com/. I tried them, but i dont
> see how https works in terms of security.

HTTPS creates a protected communication channel between your client
application and repository server.

>> And, please, don't top-post.

Yet again, don't top-post.


--
WBR,
 Andrey Repin (anrdaemon@freemail.ru) 13.11.2009, <12:40>

Sorry for my terrible english...

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2417475


Re: what is the best way to set up secure svn server for people outside the firewall to access it?

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Nov 12, 2009, at 17:25, baz themail wrote:

> On Thu, Sep 24, 2009 at 3:28 AM, Andrey Repin wrote:
>
>> > Anyone can give me a procedure to set up mid level security svn server and
>> > high level security svn server? Sorry if i am asking too much :)
>>
>> Define "mid-level". Better asked, explain your needs and we'll see if we can
>> help you.
>
> For example, I would like to setup a https svn site just like
> http://unfuddle.com/ or http://svnrepository.com/. I tried them, but i dont
> see how https works in terms of security.

I'm not familiar with those services, but if you want to set up https,  
or understand how it works, then you should consult the Apache  
documentation.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2417313


Re: what is the best way to set up secure svn server for people outside the firewall to access it?

Posted by Andrey Repin <an...@freemail.ru>.
Greetings, Thomas Harold!

>> For example, I would like to setup a https svn site just like
>> http://unfuddle.com/ or http://svnrepository.com/. I tried them, but i
>> dont see how https works in terms of security.

> If the SVN server is a Linux/Unix server, I'm partial to svn+ssh.

> Advantages:

> - No storage of passwords in the working copy (or doesn't http/https 
> suffer from this problem?).

Irrelevant. Any reference to the working copy in a discussion about the server is
just irrelevant.

> - Uses public SSH key pairs.  Less/No worries about stolen or sniffed 
> passwords, you just have to worry about stolen private keys.

Irrelevant. Apache could be configured in many ways, including authorization
through client-server certificates.

> - SSH keys can be loaded into an SSH agent on the client to avoid 
> additional password prompts.

See above. Irrelevant.

> - SSH keys can be locked down on the server side so that they're only 
> useful for interacting with the svnserve program.  That makes it a good 
> bit more difficult for the attacker, even if they have the private SSH key.

That is the very idea of using client-server certificates, but in the majority of
situations it is unnecessary bloat and does nothing but give the admin a
headache.

> I tend to find https (SSL) to be arcane and confusing to setup.

Four strings in Apache configuration are confusing? >.< I mean, four strings in
addition to the four that set up SVN DAV itself.

> I've setup https before, but my comfort level with svn+ssh is a lot higher.
> And I'm not comfortable configuring Apache yet.
> But that's just a personal bias against https.

That's only your issue. As you said, it's highly personal.
If you have ssh infrastructure already, it is probably easier for you to adapt it
for svn, but the major disadvantage of this scheme is that the repository is being
accessed with many user credentials, repository hooks could be running with
credentials different from the user, and the smallest mistake in setting user
rights and umasks could lead to repository destabilization.
Also, the repository filesystem is open to (un)intentional destruction using
svnadmin (a server-only tool to manipulate the repository on a ground level).
svnserve and DAV are free from this issue: the repository is always accessed through
a single user's credentials - the ones the server is running under - and directory
storage is inaccessible in any direct way.


--
WBR,
 Andrey Repin (anrdaemon@freemail.ru) 13.11.2009, <12:41>

Sorry for my terrible english...

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2417481


Re: what is the best way to set up secure svn server for people outside the firewall to access it?

Posted by Thomas Harold <th...@nybeta.com>.
On 11/12/2009 6:25 PM, baz themail wrote:
> For example, I would like to setup a https svn site just like
> http://unfuddle.com/ or http://svnrepository.com/. I tried them, but i
> dont see how https works in terms of security.

If the SVN server is a Linux/Unix server, I'm partial to svn+ssh.

Advantages:

- No storage of passwords in the working copy (or doesn't http/https 
suffer from this problem?).

- Uses public SSH key pairs.  Less/No worries about stolen or sniffed 
passwords, you just have to worry about stolen private keys.

- SSH keys can be loaded into an SSH agent on the client to avoid 
additional password prompts.

- SSH keys can be locked down on the server side so that they're only 
useful for interacting with the svnserve program.  That makes it a good 
bit more difficult for the attacker, even if they have the private SSH key.

I tend to find https (SSL) to be arcane and confusing to set up.  I've
set up https before, but my comfort level with svn+ssh is a lot higher.
And I'm not comfortable configuring Apache yet.  But that's just a
personal bias against https.

(We primarily use PuTTY on Windows along with command line SVN and 
TortoiseSVN.  We put the ssh server on a non-standard port to reduce the 
quantity of dictionary attacks.  Our SVN server is Linux based.)

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2417407
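
The server-side lockdown described in the post above is normally expressed as a forced `command="svnserve -t ..."` plus restriction options on each entry in the account's `authorized_keys` file. The following is an added example, not code from the thread: it audits such a file and reports keys that are not confined to svnserve. The function names, the sample entries (with placeholder key blobs) and the decision to also flag a missing `--tunnel-user` are assumptions.

```python
import re
import shlex

# Added example: split_options() and audit() are illustrative names, not part
# of Subversion or OpenSSH.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")          # prefixes of the key-type field
REQUIRED = {"no-port-forwarding", "no-agent-forwarding",
            "no-x11-forwarding", "no-pty"}     # "restrict" covers all four
# One option: a name, optionally ="quoted value" (may hold commas and spaces).
OPTION = re.compile(r'([\w-]+)(?:="((?:\\.|[^"\\])*)")?,?')

def split_options(line):
    """Return (options dict, remainder) for one authorized_keys entry."""
    if line.startswith(KEY_TYPES):
        return {}, line                        # entry has no options field
    opts, pos = {}, 0
    while (m := OPTION.match(line, pos)):      # stops at the first bare space
        opts[m.group(1).lower()] = (m.group(2) or "").replace('\\"', '"')
        pos = m.end()
    return opts, line[pos:].strip()

def audit(text):
    """Map each key's comment (or line number) to a list of problems."""
    report = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        parts = rest.split()
        label = parts[2] if len(parts) > 2 else f"line {n}"
        problems = []
        argv = shlex.split(opts.get("command", ""))
        if not argv or argv[0].rsplit("/", 1)[-1] != "svnserve" or "-t" not in argv:
            problems.append("not forced to 'svnserve -t'")
        elif not any(a.startswith("--tunnel-user=") for a in argv):
            problems.append("no --tunnel-user")
        missing = REQUIRED - set(opts)
        if missing and "restrict" not in opts:
            problems.append("missing " + ", ".join(sorted(missing)))
        report[label] = problems
    return report

SAMPLE = '''\
# constructed sample; key blobs are placeholders
command="/usr/bin/svnserve -t --tunnel-user=alice -r /srv/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3PLACEHOLDER1 alice@laptop
command="svnserve -t",no-pty ssh-rsa AAAAB3PLACEHOLDER2 bob@desktop
ssh-ed25519 AAAAC3PLACEHOLDER3 carol@home
restrict,command="svnserve -t --tunnel-user=dave" ssh-ed25519 AAAAC3PLACEHOLDER4 dave@work
'''
```

Calling `audit(SAMPLE)` returns an empty problem list for the two fully restricted keys and names the missing restrictions for the other two.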


Re: what is the best way to set up secure svn server for people outside the firewall to access it?

Posted by baz themail <ba...@gmail.com>.
For example, I would like to set up an https svn site just like
http://unfuddle.com/ or http://svnrepository.com/. I tried them, but I don't
see how https works in terms of security.

On Thu, Sep 24, 2009 at 3:28 AM, Andrey Repin <an...@freemail.ru> wrote:

> Greetings, baz themail!
>
> > Anyone can give me a procedure to set up mid level security svn server and
> > high level security svn server? Sorry if i am asking too much :)
>
> Define "mid-level". Better asked, explain your needs and we'll see if we can
> help you.
>
> And, please, don't top-post.
>
>
> --
> WBR,
>  Andrey Repin (anrdaemon@freemail.ru) 24.09.2009, <15:27>
>
> Sorry for my terrible english...
>
>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2417311


Re: what is the best way to set up secure svn server for people outside the firewall to access it?

Posted by Andrey Repin <an...@freemail.ru>.
Greetings, baz themail!

> Anyone can give me a procedure to set up mid level security svn server and
> high level security svn server? Sorry if i am asking too much :)

Define "mid-level". Better asked, explain your needs and we'll see if we can
help you.

And, please, don't top-post.


--
WBR,
 Andrey Repin (anrdaemon@freemail.ru) 24.09.2009, <15:27>

Sorry for my terrible english...

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2399247
