You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@subversion.apache.org by Sander Striker <st...@apache.org> on 2001/09/03 21:17:31 UTC

Authentication

Hi,

I've split the issue of authentication and authorization
in two mails, since they are quite different.

I have been thinking about this for some time and have read
the design doc, although outdated yet again.  One thing
that is in there and still makes sense in leaving the
authentication to the network layer.

ra_local:
Here we can depend on what the system tells us.  The user
is _always_ authenticated (or there must be some weird
admin that decided to let 20 people share 1 account, but
that is not our problem).

[auth methods]
 - user has an account on the machine and is therefor
   authenticated.

ra_dav:
We can fully depend on apache to do the authentication for
us.  There is a variety of choices.  It would be nice to
use a client certificate at the svn client side for
authentication when running mod_ssl, but that would be the
only thing missing so it seems in svn.

[auth methods]
 - anonymous   (http and https)
 - user/passwd (http and https)
 - client cert (https)

So, we can pretty much tell who someone is.  There doesn't
seem to be much to do left in this area of subversion, which
is good news IMHO,


Sander


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Authentication

Posted by Ben Collins-Sussman <su...@collab.net>.

Daniel Rall <dl...@finemaltcoding.com> writes:

> "Sander Striker" <st...@apache.org> writes:
> 
> > [auth methods]
> >  - anonymous   (http and https)
> >  - user/passwd (http and https)
> >  - client cert (https)
> 
> Sometimes multiple layers of authentication are desired (i.e. both
> user/password and certs).

Then, in the fine tradition of PAM-like authentication architectures,
we would simply need to write a new "authenticator" object that is the
composition of two other methods.  In other words, after supplying
user/password info, instead of receiving back a repository session
object -- the client instead receives a new cert-authenticator
object that needs to be driven as the "second phase" of
authentication.  When it finishes driving *that*, it gets a repository
session object.

Very doable.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Authentication

Posted by Mark Welch <ma...@collab.net>.

Daniel Rall wrote:

>"Sander Striker" <st...@apache.org> writes:
>
>>>"Sander Striker" <st...@apache.org> writes:
>>>
>>>>[auth methods]
>>>> - anonymous   (http and https)
>>>> - user/passwd (http and https)
>>>> - client cert (https)
>>>>
>>>Sometimes multiple layers of authentication are desired (i.e. both
>>>user/password and certs).
>>>
>>AFAIK this is possible to do in apache (the example you provide).
>>
>>I don't see this as desired though.  A cert should be enough,
>>it identifies and authenticates the user.  Can you give me an
>>example of where it isn't (with subversion in mind)?
>>
>
>When customer requirements dictate otherwise (one could argue that
>multilayer authentication is theoretically more secure).
>
There are all sorts of crazy security models out there, and redundancy 
is typically associated with more security. We can't anticipate the 
methods that we'll need to use down the road. As an example of something 
orthogonal to our ways of thinking, what about SecurID (time-based 
authentication card)?

>
>Personally, certs would be secure enough for me.  However, IMHO the
>ability to implement multi-layer authentication should be supported
>for situations where layering is desired.
>

As Ben said, if we handle authentication as a chain of one or more 
methods, that should take care of all the weird cases, and gracefully 
handle the normally expected ones as well.

--mark



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Authentication

Posted by Daniel Rall <dl...@finemaltcoding.com>.

"Sander Striker" <st...@apache.org> writes:

> > "Sander Striker" <st...@apache.org> writes:
> > 
> >> [auth methods]
> >>  - anonymous   (http and https)
> >>  - user/passwd (http and https)
> >>  - client cert (https)
> > 
> > Sometimes multiple layers of authentication are desired (i.e. both
> > user/password and certs).
> 
> AFAIK this is possible to do in apache (the example you provide).
> 
> I don't see this as desired though.  A cert should be enough,
> it identifies and authenticates the user.  Can you give me an
> example of where it isn't (with subversion in mind)?

When customer requirements dictate otherwise (one could argue that
multilayer authentication is theoretically more secure).

Personally, certs would be secure enough for me.  However, IMHO the
ability to implement multi-layer authentication should be supported
for situations where layering is desired.

                                Daniel

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Authentication

Posted by Mark Welch <ma...@collab.net>.

As for associating client-side certs with usernames, most of the time 
the cert DNs don't match usernames, so there may need to be an 
intermediate module of some kind to tie the two together.

The server side doesn't appear to be a big issue, as you point out. What 
I wonder about, being somewhat new to this list, is what current 
thinking is like on the client side. I interpreted Ben's comments about 
handing off authentication tokens to refer to the client -- was I mistaken?

--mark


Sander Striker wrote:

>>On Tue, 4 Sep 2001, Sander Striker wrote, quoting Daniel Rall:
>>
>>>>Sometimes multiple layers of authentication are desired (i.e. both
>>>>user/password and certs).
>>>>
>>>AFAIK this is possible to do in apache (the example you provide).
>>>
>>>I don't see this as desired though.  A cert should be enough,
>>>it identifies and authenticates the user.  Can you give me an
>>>example of where it isn't (with subversion in mind)?
>>>
>>Two-factor auth: something you have (certs) and something you know
>>(password/phrase).  It helps keep things secure in the face of lost
>>laptops, accidentally revealed passwords, and other edge cases.
>>
>>	Brian
>>
>
>Yes, ofcourse. Doh! :)
>But, isn't this already possible with apache?
>
><Location /some/where>
>   # something you have
>   SSLRequireSSL
>   SSLVerifyClient require
>   SSLVerifyDepth 10
>
>   # something you know
>   AuthType Digest
>   AuthName "Restricted Directory"
>   AuthUserFile /svn/users
>   AuthGroupFile /svn/groups
>   Require group svn
></Location>
>
>Ofcourse, this doesn't take into account that the username
>in the cert is equal to the username supplied.  So, maybe an
>extra mod_auth_xxx is in order (or I am missing something).
>
>Sander
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: dev-help@subversion.tigris.org
>
>
>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

RE: Authentication

Posted by Sander Striker <st...@apache.org>.

> On Tue, 4 Sep 2001, Sander Striker wrote, quoting Daniel Rall:
> > > Sometimes multiple layers of authentication are desired (i.e. both
> > > user/password and certs).
> >
> > AFAIK this is possible to do in apache (the example you provide).
> >
> > I don't see this as desired though.  A cert should be enough,
> > it identifies and authenticates the user.  Can you give me an
> > example of where it isn't (with subversion in mind)?
> 
> Two-factor auth: something you have (certs) and something you know
> (password/phrase).  It helps keep things secure in the face of lost
> laptops, accidentally revealed passwords, and other edge cases.
> 
> 	Brian

Yes, ofcourse. Doh! :)
But, isn't this already possible with apache?

<Location /some/where>
   # something you have
   SSLRequireSSL
   SSLVerifyClient require
   SSLVerifyDepth 10

   # something you know
   AuthType Digest
   AuthName "Restricted Directory"
   AuthUserFile /svn/users
   AuthGroupFile /svn/groups
   Require group svn
</Location>

Ofcourse, this doesn't take into account that the username
in the cert is equal to the username supplied.  So, maybe an
extra mod_auth_xxx is in order (or I am missing something).

Sander


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

RE: Authentication

Posted by Brian Behlendorf <br...@collab.net>.

On Tue, 4 Sep 2001, Sander Striker wrote, quoting Daniel Rall:
> > Sometimes multiple layers of authentication are desired (i.e. both
> > user/password and certs).
>
> AFAIK this is possible to do in apache (the example you provide).
>
> I don't see this as desired though.  A cert should be enough,
> it identifies and authenticates the user.  Can you give me an
> example of where it isn't (with subversion in mind)?

Two-factor auth: something you have (certs) and something you know
(password/phrase).  It helps keep things secure in the face of lost
laptops, accidentally revealed passwords, and other edge cases.

	Brian




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

RE: Authentication

Posted by Sander Striker <st...@apache.org>.

> "Sander Striker" <st...@apache.org> writes:
> 
>> [auth methods]
>>  - anonymous   (http and https)
>>  - user/passwd (http and https)
>>  - client cert (https)
> 
> Sometimes multiple layers of authentication are desired (i.e. both
> user/password and certs).

AFAIK this is possible to do in apache (the example you provide).

I don't see this as desired though.  A cert should be enough,
it identifies and authenticates the user.  Can you give me an
example of where it isn't (with subversion in mind)?

Sander

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Authentication

Posted by Daniel Rall <dl...@finemaltcoding.com>.

"Sander Striker" <st...@apache.org> writes:

> [auth methods]
>  - anonymous   (http and https)
>  - user/passwd (http and https)
>  - client cert (https)

Sometimes multiple layers of authentication are desired (i.e. both
user/password and certs).

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org