Posted to users@subversion.apache.org by Honza Maly <ho...@einnews.com> on 2019/12/17 20:04:54 UTC

Support for ssh agent for storing password encrypted

Hello,

I don't see it in the issue tracker: do you have any plans on adding support
for ssh agent as a way to store the password encrypted, possibly based on what
Jack Whitham prepared?

https://www.jwhitham.org/2017/03/svn-password-store-using-ssh-agent.html
https://github.com/jwhitham/safeu

I'm in exactly the same situation as he is (using multiple Linux servers over
an ssh connection) and I'm currently thinking about compiling Subversion with
his patch myself; however, I thought I would ask whether it will arrive in the
official distribution soon ... or whether you have already looked at it and found
some problem with it.

(I'm currently relying on the directory attribute for protection but would
prefer real encryption.)

Honza

Re: Support for ssh agent for storing password encrypted

Posted by Honza Maly <ho...@einnews.com>.
Hello,

thanks for answers.

On Wed, 18 Dec 2019, Daniel Shahaf wrote:
> Honza Maly wrote on Tue, 17 Dec 2019 20:04 +00:00:
>> I don't see it in the issue tracker: do you have any plans on adding support
>> for ssh agent as a way to store the password encrypted, possibly based on what
>> Jack Whitham prepared?
>>
>> https://www.jwhitham.org/2017/03/svn-password-store-using-ssh-agent.html
>> https://github.com/jwhitham/safeu
>>
>> I'm in exactly the same situation as he is (using multiple Linux servers over
>> an ssh connection) and I'm currently thinking about compiling Subversion with
>> his patch myself; however, I thought I would ask whether it will arrive in the
>> official distribution soon ... or whether you have already looked at it and found
>> some problem with it.
>
> The code was not proposed to us for inclusion.
>

... ok. I'll try to ask him about it.

> If it's proposed, my first question would be what value it adds on top
> of the existing gpg-agent backend.  (There's also a box to check about
> licensing, but that'll probably work out.)
>

Configuring gpg-agent to be forwarded by ssh is not exactly
straightforward; it requires setting up an additional key (on top of the ssh key
most people in this situation already have) and distributing the public
part of it.

I also suspect that ssh is available on more architectures than gpg,
although it's true that I'm using amd64 Linux, so I wouldn't be affected by
problems with that.

> Cheers,
>
> Daniel
>
> P.S.  The linked post is wrong when it equates svn+ssh:// access with
> shell access.  It's perfectly possible to use SSH for authentication
> without giving developers out-of-band (svnadmin-level) access to the
> repository.  There are various ways to implement this; the simplest
> is to use authorized_keys(5) forced commands.
>

It's still something the svn admins would need to be convinced
of (or worse, the managers who created the company's IT policy) ... and the last
time I read something about forced commands it was full of warnings about
how dangerous they may be, as a lot of innocent commands have shell-equivalent
parameters. Subversion itself may be safe, but it would be hard to prove.

Best regards,

Honza

Re: Support for ssh agent for storing password encrypted

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Honza Maly wrote on Tue, 17 Dec 2019 20:04 +00:00:
> I don't see it in the issue tracker: do you have any plans on adding support
> for ssh agent as a way to store the password encrypted, possibly based on what
> Jack Whitham prepared?
>
> https://www.jwhitham.org/2017/03/svn-password-store-using-ssh-agent.html
> https://github.com/jwhitham/safeu
>
> I'm in exactly the same situation as he is (using multiple Linux servers over
> an ssh connection) and I'm currently thinking about compiling Subversion with
> his patch myself; however, I thought I would ask whether it will arrive in the
> official distribution soon ... or whether you have already looked at it and found
> some problem with it.

The code was not proposed to us for inclusion.

If it's proposed, my first question would be what value it adds on top
of the existing gpg-agent backend.  (There's also a box to check about
licensing, but that'll probably work out.)

Cheers,

Daniel

P.S.  The linked post is wrong when it equates svn+ssh:// access with
shell access.  It's perfectly possible to use SSH for authentication
without giving developers out-of-band (svnadmin-level) access to the
repository.  There are various ways to implement this; the simplest
is to use authorized_keys(5) forced commands.

> (I'm currently relying on the directory attribute for protection but would
> prefer real encryption.)