You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Pieter <pi...@hotmail.com> on 2006/11/30 08:35:15 UTC
using Subversion over the internet (with Windows?): Howto?
Hi,
We're using Subversion for 1 year now (with TortoiseSVN on the clients) on 3
different locations: 1 in Europe and 2 in Africa. Because of the poor
internet connections in Africa we coudln't centralise the repository's, so
we have a repository in each of the 3 locations. I choose to have all the
projects in 1 repository, because it seemd much easier instead of creating a
new repository for each project.
Internet-connectiosn are getting bettet, and I woudl like to start testing
on putting all the projects in Europe, and have an access to Subversion via
internet for my african development teams. I informed me alreaddy a lot
about this kind of configuration of subversion, but i'm kind of lost... :-(
The fact is: I would like to install the less possible, but need a good
security. Some more specific questions:
- What are the exact possiblity's for doing this? Only with Linux + Apache?
Or are there others too? what's that svn + ssh stuff?
- I would prefer to have everything on a Windows 2003 server. Is this
possible?
- I would like to have a tight security:
* I need to be able to define which user can commit to which project.
* Some projects should be absolutely hidden: the existence of it should
be unknown for some programmers.
* For each project, I want specific commit-hooks: only the developers
considered shoudl be warned with an email.
* Is all this possible when they are in the same repository?
* And ofcourse: people outside of the company shouldn't have any access
at all :-)
- Is there somewhere a step by step instalaltion guide for all this?
I knwo these are a bucnh of questions, but I admit that I just don't knwo
anymore where to start :-( Any help would be really appreciated!
Thansk a lot in advance,
Pieter
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: using Subversion over the internet (with Windows?): Howto?
Posted by Duncan Murdoch <mu...@stats.uwo.ca>.
On 12/1/2006 12:33 AM, Thomas Harold wrote:
> Pieter wrote:
>> The fact is: I would like to install the less possible, but need a good
>> security. Some more specific questions:
>>
>> - What are the exact possiblity's for doing this? Only with Linux + Apache?
>> Or are there others too? what's that svn + ssh stuff?
>
> The advantage of svn+ssh is that:
>
> - You can choose to use public key files to authenticate with the
> server. Which means the only place that the passphrase (for the private
> key) is needed is on the client. The server only sees the public key
> (added to the user's authorized_keys folder). Using key pairs for SSH
> access to servers prevents you from being vulnerable to dictionary
> attacks on your SSH port (kind of difficult to brute force a 1024 or
> 2048 bit key).
>
> - You can limit what a particular key pair can do by prefixing the line
> in authorized_keys with: command="svnserve -t" -- So even if someone
> swipes the private key along with the passphrase used to protect the
> private key file, they can still only perform SVN operations on your
> repository. That key pair doesn't grant them command-line access on
> your repository server.
>
> - SSH is easily tunneled over NAT/firewalls. It's strong encryption and
> well regarded.
>
> Apache and HTTPS are also a good solution, but not something that I've
> configured yet. Apache very flexible (you could tie into other
> authentication schemes like AD or LDAP).
>
>> - I would prefer to have everything on a Windows 2003 server. Is this
>> possible?
>
> Maybe... you'll either be using Apache+HTTPS or copSSH (which I haven't
> used). We preferred to run SVN on top of Linux where we could take
> advantage of Linux stability, OpenSSH's strengths, and running the SVN
> server inside a Xen DomU (virtualization).
Cygwin does include openSSH, so that might be another possibility. (I
use it regularly for my svn client, but I don't run a server on Linux.
However, I did just run a quick test, and it worked.)
Duncan Murdoch
>
>> - I would like to have a tight security:
>> * I need to be able to define which user can commit to which project.
>> * Some projects should be absolutely hidden: the existence of it should
>> be unknown for some programmers.
>
> I suspect you'll only get this feature if you have separate repositories
> for those projects.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: using Subversion over the internet (with Windows?): Howto?
Posted by Thomas Harold <tg...@tgharold.com>.
Pieter wrote:
> Thanks guys for the help!
>
> One more question: Is there a difference in performance between Apache+Https
> or copSSH? Because we still do have small bandwith, every Kbs counts... :-/
Network-wise, SVN is a pretty tight protocol. AFAIK, it compresses data
by default and only transmits differences. So I don't think there will
be a big difference other then setting up / tearing down SSH tunnels all
the time.
(I don't remember if SSH or HTTPS compress data inside the transport
tunnel as well or not.)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: using Subversion over the internet (with Windows?): Howto?
Posted by Eric Lemes <er...@gmail.com>.
Other solution, that I think I'll evaluate is Apache tunneled in SSH.
So, I have the public key authentication AND the Active Directory
Authentication.
Eric
On 12/1/06, Nikki Locke <in...@trumphurst.com> wrote:
>
> Méresse Christophe wrote:
> > > -----Original Message-----
> > > From: news
> > [mailto:news@sea.gmane.org]On Behalf Of Pieter
> >
> > > One more question: Is there a difference in performance
> > > between
> > Apache+Https
> > > or copSSH? Because we still do have small bandwith,
> > every Kbs
> > > counts... :-/
> >
> > On a simple subversion command, there
> > is no significative difference.
> > But when many commands have to be done
> > consecutively (that's often the case with GUIs) the SSH tunnel
> > is
> > created for each command and this can dramatically decrease the
> > performances.
> > My personal advice is to use https (moreover it opens
> > some interresting web possibilities and it's
> > easier to configure for the users)
>
> Or, alternatively, set up a ssh tunnel for port 3690 between a local
> machine and the svn server, and use svn: urls to the machine with the
> tunnel.
>
> --
> Nikki Locke, Trumphurst Ltd. PC & Unix consultancy & programming
> http://www.trumphurst.com/
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>
Re: using Subversion over the internet (with Windows?): Howto?
Posted by Nikki Locke <in...@trumphurst.com>.
Méresse Christophe wrote:
> > -----Original Message-----
> > From: news
> [mailto:news@sea.gmane.org]On Behalf Of Pieter
>
> > One more question: Is there a difference in performance
> > between
> Apache+Https
> > or copSSH? Because we still do have small bandwith,
> every Kbs
> > counts... :-/
>
> On a simple subversion command, there
> is no significative difference.
> But when many commands have to be done
> consecutively (that's often the case with GUIs) the SSH tunnel
> is
> created for each command and this can dramatically decrease the
> performances.
> My personal advice is to use https (moreover it opens
> some interresting web possibilities and it's
> easier to configure for the users)
Or, alternatively, set up a ssh tunnel for port 3690 between a local
machine and the svn server, and use svn: urls to the machine with the
tunnel.
--
Nikki Locke, Trumphurst Ltd. PC & Unix consultancy & programming
http://www.trumphurst.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
RE: Re: using Subversion over the internet (with Windows?): Howto?
Posted by Méresse Christophe <ch...@nagra.com>.
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org]On Behalf Of Pieter
> Sent: vendredi, 1. décembre 2006 09:52
> To: users@subversion.tigris.org
> Subject: Re: using Subversion over the internet (with
> Windows?): Howto?
[snip]
> One more question: Is there a difference in performance
> between Apache+Https
> or copSSH? Because we still do have small bandwith, every Kbs
> counts... :-/
On a simple subversion command, there is no significative difference.
But when many commands have to be done consecutively (that's often the case with GUIs) the SSH tunnel is created for each command and this can dramatically decrease the performances.
My personal advice is to use https (moreover it opens some interresting web possibilities and it's easier to configure for the users)
Christophe
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: using Subversion over the internet (with Windows?): Howto?
Posted by Pieter <pi...@hotmail.com>.
Thanks guys for the help!
One more question: Is there a difference in performance between Apache+Https
or copSSH? Because we still do have small bandwith, every Kbs counts... :-/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: using Subversion over the internet (with Windows?): Howto?
Posted by Thomas Harold <tg...@tgharold.com>.
Pieter wrote:
> The fact is: I would like to install the less possible, but need a good
> security. Some more specific questions:
>
> - What are the exact possiblity's for doing this? Only with Linux + Apache?
> Or are there others too? what's that svn + ssh stuff?
The advantage of svn+ssh is that:
- You can choose to use public key files to authenticate with the
server. Which means the only place that the passphrase (for the private
key) is needed is on the client. The server only sees the public key
(added to the user's authorized_keys folder). Using key pairs for SSH
access to servers prevents you from being vulnerable to dictionary
attacks on your SSH port (kind of difficult to brute force a 1024 or
2048 bit key).
- You can limit what a particular key pair can do by prefixing the line
in authorized_keys with: command="svnserve -t" -- So even if someone
swipes the private key along with the passphrase used to protect the
private key file, they can still only perform SVN operations on your
repository. That key pair doesn't grant them command-line access on
your repository server.
- SSH is easily tunneled over NAT/firewalls. It's strong encryption and
well regarded.
Apache and HTTPS are also a good solution, but not something that I've
configured yet. Apache very flexible (you could tie into other
authentication schemes like AD or LDAP).
> - I would prefer to have everything on a Windows 2003 server. Is this
> possible?
Maybe... you'll either be using Apache+HTTPS or copSSH (which I haven't
used). We preferred to run SVN on top of Linux where we could take
advantage of Linux stability, OpenSSH's strengths, and running the SVN
server inside a Xen DomU (virtualization).
> - I would like to have a tight security:
> * I need to be able to define which user can commit to which project.
> * Some projects should be absolutely hidden: the existence of it should
> be unknown for some programmers.
I suspect you'll only get this feature if you have separate repositories
for those projects.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
RE: using Subversion over the internet (with Windows?): Howto?
Posted by Robert Graf-Waczenski <rg...@lsoft.com>.
I'm currently running copSSH, available here: http://www.itefix.no/phpws/
There are other windows ports of OpenSSH, but last time i checked those were
not quite up to date and did not come with recent security fixes of OpenSSH
whereas copSSH appears to be maintained quite actively.
Robert
-----Original Message-----
From: Eric Lemes [mailto:ericlemes@gmail.com]
Sent: Donnerstag, 30. November 2006 14:12
To: Pieter; users@subversion.tigris.org
Subject: Re: using Subversion over the internet (with Windows?): Howto?
Hello Pieter,
I think svn over https or tunneled through ssh may be good options for
you.
I don't know if there's some good and secure windows SSH server. If
someone has a suggestion, please tell me.
Eric
On 11/30/06, Pieter <pi...@hotmail.com> wrote:
Hi,
We're using Subversion for 1 year now (with TortoiseSVN on the clients)
on 3
different locations: 1 in Europe and 2 in Africa. Because of the poor
internet connections in Africa we coudln't centralise the repository's,
so
we have a repository in each of the 3 locations. I choose to have all
the
projects in 1 repository, because it seemd much easier instead of
creating a
new repository for each project.
Internet-connectiosn are getting bettet, and I woudl like to start
testing
on putting all the projects in Europe, and have an access to Subversion
via
internet for my african development teams. I informed me alreaddy a lot
about this kind of configuration of subversion, but i'm kind of lost...
:-(
The fact is: I would like to install the less possible, but need a good
security. Some more specific questions:
- What are the exact possiblity's for doing this? Only with Linux +
Apache?
Or are there others too? what's that svn + ssh stuff?
- I would prefer to have everything on a Windows 2003 server. Is this
possible?
- I would like to have a tight security:
* I need to be able to define which user can commit to which project.
* Some projects should be absolutely hidden: the existence of it
should
be unknown for some programmers.
* For each project, I want specific commit-hooks: only the developers
considered shoudl be warned with an email.
* Is all this possible when they are in the same repository?
* And ofcourse: people outside of the company shouldn't have any
access
at all :-)
- Is there somewhere a step by step instalaltion guide for all this?
I knwo these are a bucnh of questions, but I admit that I just don't
knwo
anymore where to start :-( Any help would be really appreciated!
Thansk a lot in advance,
Pieter
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: using Subversion over the internet (with Windows?): Howto?
Posted by Eric Lemes <er...@gmail.com>.
Hello Pieter,
I think svn over https or tunneled through ssh may be good options for you.
I don't know if there's some good and secure windows SSH server. If someone
has a suggestion, please tell me.
Eric
On 11/30/06, Pieter <pi...@hotmail.com> wrote:
>
> Hi,
>
> We're using Subversion for 1 year now (with TortoiseSVN on the clients) on
> 3
> different locations: 1 in Europe and 2 in Africa. Because of the poor
> internet connections in Africa we coudln't centralise the repository's, so
> we have a repository in each of the 3 locations. I choose to have all the
> projects in 1 repository, because it seemd much easier instead of creating
> a
> new repository for each project.
>
> Internet-connectiosn are getting bettet, and I woudl like to start testing
> on putting all the projects in Europe, and have an access to Subversion
> via
> internet for my african development teams. I informed me alreaddy a lot
> about this kind of configuration of subversion, but i'm kind of lost...
> :-(
>
> The fact is: I would like to install the less possible, but need a good
> security. Some more specific questions:
>
> - What are the exact possiblity's for doing this? Only with Linux +
> Apache?
> Or are there others too? what's that svn + ssh stuff?
>
> - I would prefer to have everything on a Windows 2003 server. Is this
> possible?
>
> - I would like to have a tight security:
> * I need to be able to define which user can commit to which project.
> * Some projects should be absolutely hidden: the existence of it should
> be unknown for some programmers.
> * For each project, I want specific commit-hooks: only the developers
> considered shoudl be warned with an email.
> * Is all this possible when they are in the same repository?
> * And ofcourse: people outside of the company shouldn't have any access
> at all :-)
>
> - Is there somewhere a step by step instalaltion guide for all this?
>
> I knwo these are a bucnh of questions, but I admit that I just don't knwo
> anymore where to start :-( Any help would be really appreciated!
>
> Thansk a lot in advance,
>
> Pieter
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>