Posted to users@subversion.apache.org by Giulio Troccoli <Gi...@uk.linedata.com> on 2008/03/19 12:45:01 UTC

(Again on) Apache Authentication

Hello everybody,

To cut to the gist I am looking for a way for my SVN users to be able to
change their own SVN passwords.

Some background information first.

Subversion 1.4.4 is installed on a Linux 2.6 kernel box. My developers
work on Windows, AIX or Solaris using http. The Subversion server is not
visible outside of our network (so simple http is fine). I have several
repositories and for each of them I have set up a htpasswd-style file
because I have to keep control of which user has access to which
repository. As part of our development process they all have an account
on the Subversion server too.

Everything works fine, they can checkout, commit, do everything they
need to. But their SVN password is always the same (it's actually the
same password for everybody as, honestly, I couldn't be bothered to give
them different passwords).

I would like either for them to use their account password with
Subversion (they know already how to use passwd) or a nice friendly way
for them to change the Subversion passwords.

I have searched through the archive and I did find lots of articles that
suggest basically two ways: using PAM and using a CGI script. This seems
exactly what I am looking for. Correct me if I'm wrong but I don't think
I can use LDAP or AD because I don't use Windows exclusively.

I don't know Apache that well, just the basics to get it running and to
configure Subversion, so I'm not very confident I could set up PAM
correctly. Also, I don't think I could have the option to select which
user has access to which repository (I can always change the pre-commit
hook I know, but that would prevent unauthorized commit only, not
checkouts).

The CGI script seems a very good idea, especially because I have already
set up ViewVC and I remember it was easy-peasy. However, the links I
found seem to be not available anymore (the emails are about 3 years
old).

As you can see I am a bit stuck. I know this is not strictly a
Subversion issue, but I know that many others had the same problem and I
am sure they have sorted it out somehow. So what I'm really looking for
is some guidance and expertise.

Thanks in advance
Giulio Troccoli
 
 
Linedata Services (UK) Ltd
Registered Office: Bishopsgate Court, 4-12 Norton Folgate, London, E1 6DB
Registered in England and Wales No 3027851     VAT Reg No 778499447

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: (Again on) Apache Authentication

Posted by Les Mikesell <le...@gmail.com>.
Giulio Troccoli wrote:
> 
> I would like either for them to use their account password with
> Subversion (they know already how to use passwd) or a nice friendly way
> for them to change the Subversion passwords.
> 
> I have searched through the archive and I did find lots of articles that
> suggest basically two ways: using PAM and using a CGI script. This seems
> exactly what I am looking for. Correct me if I'm wrong but I don't think
> I can use LDAP or AD because I don't use Windows exclusively.
> 
> I don't know Apache that well, just the basics to get it running and to
> configure Subversion, so I'm not very confident I could set up PAM
> correctly. Also, I don't think I could have the option to select which
> user has access to which repository (I can always change the pre-commit
> hook I know, but that would prevent unauthorized commit only, not
> checkouts).

PAM should work with ssh+svn with any combination of PAM modules that 
work for ssh/system logins.  For apache, mod_auth_pam does not seem to 
be supported but it still works, at least with Centos 5.x if you have 
the httpd-devel package and build the module yourself from source (a
simple 'make install'). I'm using it for several web services to
authenticate against both the local host's passwd file and a windows
domain via SMB.  I require a local login to be created for other
services like ssh although the windows password can still be used.  For
strictly http access, no account info is needed, so an entry like this:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_permit.so

in /etc/pam.d/httpd will just check for a login/password match and
anyone in the windows domain can log in.

> The CGI script seems a very good idea, especially because I have already
> set up ViewVC and I remember it was easy-peasy. However, the links I
> found seem to be not available anymore (the emails are about 3 years
> old).
> 
> As you can see I am a bit stuck. I know this is not strictly a
> Subversion issue, but I know that many others had the same problem and I
> am sure they have sorted it out somehow.

It is a subversion issue when everything except svnserve on the popular 
unix-like OS's uses PAM for authentication.

> So what I'm really looking for
> is some guidance and expertise.

It seems slightly risky to use mod_auth_pam since it isn't included in
the distros, but it works and permits the same set of authentication 
methods to be checked as your other system programs use without having 
to duplicate all the setup.

-- 
   Les Mikesell
    lesmikesell@gmail.com



RE: Re: (Again on) Apache Authentication

Posted by Giulio Troccoli <Gi...@uk.linedata.com>.
Richard

Thanks for your input. However, I didn't suggest I would like to use
LDAP. I actually thought it was only for Windows (but I was wrong).

My problem with LDAP is that it feels a bit too much for what I want.
I'd like a very simple to install solution, that's why I still think a
CGI script would be the best solution. I do want to keep my htpasswd
setup if I can, and I did find one called user_manage or maybe
manage_user. It was a bit old and although the help page is still there
the zip file is not.

Giulio

Re: (Again on) Apache Authentication

Posted by richard hornsby <ri...@gmail.com>.
==Argh, sorry, didn't pay attention to gmail's reply-to-all==


This may be something specific that would be helpful to you, since you seem
to indicate that if possible you'd like to use LDAP/AD:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

You can use LDAP/AD if you wish - because the communication happens between
the SVN server and the LDAP/AD server.  Limiting the discussion for the
moment to http basic auth, the svn client isn't really relevant - the
credentials are handed from the svn client to the svn server (apache in this
case) which then goes and talks to whatever auth method you choose.  The
client has no idea and doesn't care how you implement your authentication
once it is handed off via basic auth.

[ svn client ]  ===> [ http basic auth ] ===> [ apache ] ===> [ auth method
(ldap,mysql,pam,linux,windows,solaris,etc) ]

The svn client, apache, and authentication servers could be three different
machines running on three different platforms. :)

I'm using mod_authnz_external (http://unixpapa.com/mod_authnz_external/) to
call a Perl script which tries to log into our IMAP server.  Incidentally,
if that fails, it checks a MySQL database (for trac/svn accounts which might
not be internal users.)  Simply, on authentication failure, the script has a
non-zero exit code.

If you're not using LDAP/AD and don't want to use mod_authnz_external
(admittedly I'm using it to implement a bit of a hack), someone a couple of
days ago suggested mod_auth_mysql.  You could let them change their
passwords by setting up a simple php/asp script to ask for username,
existing password, and new password.

The beauty of all of these solutions is that they are basically transparent
to your svn users.

Alternatively, and this could be dangerous so I'm not sure I'd recommend it
in general, but if you decide you want to keep your htpasswd setup, you
could write a php/cgi script that calls the htpasswd command.  You could
even put it behind a .htaccess file that uses the passwd file to
authenticate - then all you really need to ask for in the form is the new
password, because the username is already stored in HTTP_AUTH_USER (iirc,
been a while) --- maybe?



HTH,
-rj
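
Added example, not part of the original thread or any poster's code: a Python version of the htpasswd-calling CGI idea from the message above, written so the risky parts (shell interpolation, a password on the command line, a user editing someone else's entry) are closed off. It assumes Apache protects the script with the same password file so the CGI variable REMOTE_USER holds the authenticated name, an htpasswd from Apache 2.4 or later (for -i and -B), and a hypothetical file path.

```python
import re
import subprocess

# Hypothetical path for illustration; the thread does not name the files.
HTPASSWD_FILE = "/etc/svn/repo1.htpasswd"
# Conservative allow-list: no ':' (htpasswd field separator), no whitespace,
# no shell metacharacters.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def validated_user(environ):
    """Return the name Apache authenticated, never a name from the form."""
    user = environ.get("REMOTE_USER", "")
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("missing or malformed REMOTE_USER")
    return user


def validated_password(new_password):
    """Reject values that htpasswd would truncate or misread."""
    size = len(new_password.encode("utf-8"))
    if not 8 <= size <= 72:  # bcrypt ignores bytes past 72
        raise ValueError("password must be 8 to 72 bytes")
    # 'htpasswd -i' reads a single line, so a newline would cut it short.
    if any(ord(c) < 32 or ord(c) == 127 for c in new_password):
        raise ValueError("control characters are not allowed")
    return new_password


def change_password(environ, new_password, run=subprocess.run):
    """Update the caller's own entry and return the argv that was executed."""
    user = validated_user(environ)
    password = validated_password(new_password)
    # argv list, no shell; -i takes the password on stdin so it never shows
    # up in the process list; -B stores a bcrypt hash.
    argv = ["htpasswd", "-i", "-B", HTPASSWD_FILE, user]
    result = run(argv, input=password + "\n", text=True,
                 capture_output=True, check=False)
    if result.returncode != 0:
        raise RuntimeError("htpasswd exited with %d" % result.returncode)
    return argv
```

The `run` parameter exists only so the function can be exercised without touching a real password file; a CGI wrapper would call `change_password(os.environ, form_value)`.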
