
Re: How to configure Apache2+SVN+PAM

Author Nico Kadel-Garcia <nkadel at gmail dot com>
Date 2009-08-29 07:44:03 PDT
Message
On Fri, Aug 28, 2009 at 1:58 PM, Alexandre Moraes <alexmoraes@gmail.com> wrote:
> Hi,
>
> I'm looking through the web but it's hard to find how to configure
> PAM+Apache2+Svn.

[ Yes, I rant about this. Yes, I am a broken record, but it needs
repeating for new users. ]

*DON'T*. Seriously. Unless you can assure that your clients are not
going to use the default subversion clients, which store passwords in
cleartext by default, any such service is a serious security pitfall.
Subversion 1.6.x improved the situation somewhat with the change to
ask the client before storing the passwords that way, but that should
have *NEVER* been the default behavior of the client: it's led to a
host of truly awful security practices, especially in environments
(such as you are describing) where the user's normal login password
would be used for subversion HTTPS access.

There are clients that do not do this, and that implement considerably
more secure wallets, but unless you actually delete the binary or
deliberately edit svn source code to disable password handling (which
I've done in the past!), you can't prevent arbitrary clients from
discarding any pretense of site security.

Use HTTP access only for anonymous, unauthorized site-wide access. Use
HTTPS only for SSL key access, not password access, especially do not
use it for passwords based on your normal login passwords. And use
svn+ssh with public key management to provide protected access, unless
you want those passwords published in the readable
$HOME/.subversion/auth/ directory of every UNIX or Linux client.

Now, with all that ranting over:

If you have your heart set on this, it works well in RHEL 5 and recent
Fedora versions with the built-in httpd, mod_dav_svn, and some merging
from the kerberos configuration utilities in /etc/httpd/conf.d/ into
the subversion.conf file there. What OS are you working with, which
Subversion and which 'Apache2'?
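
Added example, not part of the original message: a Python audit of the `$HOME/.subversion/auth/` cache discussed above, reporting which cached credentials hold a cleartext password without ever printing it. It assumes the stock client's serialized key/value cache files under `svn.simple` with `passtype` set to `simple` for cleartext entries; the sample files, file names, realm and users are constructed.

```python
import tempfile
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse svn's serialized hash: 'K <len>', key, 'V <len>', value, ..., 'END'."""
    entries, pos = {}, 0

    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)              # ValueError if the header is cut off
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag:
            raise ValueError(f"expected {tag!r} record at byte {pos}")
        start, length = eol + 1, int(header[1])
        item = data[start:start + length]         # length-prefixed, may contain newlines
        if len(item) != length:
            raise ValueError("truncated record")
        pos = start + length + 1                  # skip the newline after the payload
        return item

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        entries[key.decode()] = read_item(b"V")
    return entries

def audit_auth_cache(auth_dir) -> list:
    """List (file, realm, username) for cleartext entries; the password is never returned."""
    findings = []
    for path in sorted(Path(auth_dir, "svn.simple").glob("*")):
        try:
            entry = parse_svn_hash(path.read_bytes())
        except (OSError, ValueError):
            continue                              # unreadable, or not a cache file
        if entry.get("passtype") == b"simple" and "password" in entry:
            findings.append((path.name,
                             entry.get("svn:realmstring", b"").decode(errors="replace"),
                             entry.get("username", b"").decode(errors="replace")))
    return findings

def build_sample_cache(root) -> Path:
    """Constructed sample: one cleartext entry, one whose password lives in a keyring."""
    def dump(d):
        return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
                        for k, v in d.items()) + b"END\n"
    simple = Path(root, "auth", "svn.simple")
    simple.mkdir(parents=True)
    realm = b"<https://svn.example.com:443> Example Repository"
    (simple / "aaaa").write_bytes(dump({b"passtype": b"simple", b"password": b"not-a-real-password",
                                        b"svn:realmstring": realm, b"username": b"alice"}))
    (simple / "bbbb").write_bytes(dump({b"passtype": b"gnome-keyring",
                                        b"svn:realmstring": realm, b"username": b"bob"}))
    return simple.parent
```

Run `audit_auth_cache` against a user's `~/.subversion/auth` directory to find entries to purge. On Subversion 1.6 and later, `store-plaintext-passwords = no` in the `[global]` section of `~/.subversion/servers` stops the client from writing new ones.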
