svn commit: r2442 - branches/fsvs-1.2.x/fsvs/doc/fsvs-ssl-setup

Author tekknokrat
Full name Gunnar Thielebein
Date 2010-08-30 10:23:18 PDT
Message Author: tekknokrat
Date: 2010-08-30 10:23:17-0700
New Revision: 2442

Modified:
   branches/fsvs-1.2.x/fsvs/doc/fsvs-ssl-setup

Log:
some typofixes and improvements to ssl howto

Modified: branches/fsvs-1.2.x/fsvs/doc/fsvs-ssl-setup
Url: http://fsvs.tigris.org/source/browse/fsvs/branches/fsvs-1.2.x/fsvs/doc/fsvs-ssl-setup?view=diff&pathrev=2442&r1=2441&r2=2442
==============================================================================
--- branches/fsvs-1.2.x/​fsvs/doc/fsvs-ssl-se​tup (original)
+++ branches/fsvs-1.2.x/​fsvs/doc/fsvs-ssl-se​tup 2010-08-30 10:23:17-0700
@@ -1,6 +1,9 @@
 Repository Access with SSL Client Certificate (passwordless)
 ====================​====================​====================​
 
+This small guide explains the creation of a svn repository, that is accessible via https and client certificate authentication.
+Using client certificate authentication you won't neither need to supply a password on access nor you have to worry to store your password on that machine.
+
 Prerequisites:
 
 The basic configuration for access of to a repository via http is explained in
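Review bot: The second added sentence of the new introduction ("you won't neither need to supply a password on access nor you have to worry to store your password") is a double negative and leaves out that the client key file becomes the stored credential. Suggest something like "With client certificate authentication no password has to be entered or stored on the client; the client key file takes its place and must be protected accordingly." The unchanged line "for access of to a repository" below it still has a stray "of", which a typo-fix commit could pick up as well.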
@@ -16,7 +19,7 @@
 
 a) enable ssl module for the webserver
 b) install ssl certificate and authority
-c) for passwordless access install host key (pkcs12)
+c) for passwordless access install the host key (pkcs12)
   
 If the repository is open to public it is recommended to get a certificate / host key from from an external ca-authority.
 Otherwise self-signed keys can be used.
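Review bot: The unchanged line right after the edited item c) still reads "from from an external ca-authority"; since this commit is a typo pass, drop the doubled word here too. Item c) also says "host key" while the document title speaks of a client certificate, so stating on which side the pkcs12 file gets installed would remove the ambiguity.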
@@ -54,9 +57,9 @@
 
 For use with subversion/fsvs the key needs first be converted to pkcs12.
 
- $ openssl pkcs12 -in newcert.pem -out $(hostname).p12
+ $ openssl pkcs12 -in newcert.pem -export -out $(hostname).p12
 
-Replace $(hostname) with the hostname of the server.
+Replace $(hostname) with the hostname of your server.
 
 Installation of SSL certificate for SVN repository
 ====================​====================​==========
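Review bot: "Replace $(hostname) with the hostname of your server" reads oddly after a command in which the shell already expands $(hostname) to the name of the machine the command runs on; either say that the command is run on the server, or use a literal placeholder in the command line. With -export added, openssl pkcs12 also needs the private key, so state that newcert.pem must contain both certificate and key (or pass the key with -inkey), and mention the export password prompt, since the guide is about passwordless use.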
@@ -64,18 +67,18 @@
 A certificate .pem file contains both, the x509 certificate and the key.
 Before installation of the .pem file the password of the key should be removed.
 Otherwise on bootup the server will prompt for the password which is not convenient in HA environments.
-Of course the password should only be removed in trusted environments.
+Of course the password should be removed from the servers' ssl certificate, in trusted environments, only.
 
 This command removes the password from a pem file.
 
-openssl rsa -in newcert.pem -out server.pem
+ $ openssl rsa -in newcert.pem -out server.pem
 
 On Debian/Ubuntu, the ca-authority and the certificate should be placed in the /etc/ssl folder. The authority file should be moved to /etc/ssl/certs.
 The certificate that contains the key should be moved to /etc/ssl/private.
 Folders are created with installation of the openssl package.
 
-Configuration of ca-authority/certificate
-===================​====================​==
+Configuration of CA-Authority and Certificate
+===================​====================​======
 
 The SSL configuration part for the apache server:
 
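Review bot: The reworded sentence says the password is removed "from the servers' ssl certificate", but the passphrase protects the private key, not the certificate, and "openssl rsa -in newcert.pem -out server.pem" writes only the key to server.pem. Suggest "the passphrase should only be removed from the server's private key in trusted environments" plus a line saying the certificate has to be kept or appended separately. Since the key then sits unencrypted on disk, a note on restrictive ownership and permissions for the file in /etc/ssl/private belongs next to the command.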
@@ -91,10 +94,20 @@
     # ... SVN related config
  </Location>
 
+Setup Authentication
+====================
+
+Authentication is not necessary because we relay on the Client Certificate.
+Only issue left, is that the name of users who perform checkins will not be shown in commit messages.
+For this way one can use anonymous authentication.
+
+First check if module is enabled
+
+ $ a2enmod authn_anon
 
 Global configuration for an host with fsvs-client:
 
-The global configuration takes place by default in /etc/fsvs/auth/servers
+/etc/fsvs/svn/servers:
 
 [groups]
 fsvs = fsvs.repository.host
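Review bot: "First check if module is enabled" is followed by "a2enmod authn_anon", which enables the module rather than checking it; reword to "Enable the module" and mention that Apache has to be reloaded afterwards. The new section also says "Authentication is not necessary" although the client certificate is the authentication; what is missing is only a user name for the commit author ("relay" should be "rely"). The section stops without showing any anonymous-auth directives for the Location block, so the reader cannot complete the step.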
@@ -105,8 +118,10 @@
 ssl-authority-files = /etc/ssl/default/cacert.pem
 store-plaintext-passwords=yes
 
-The global configuration takes place by default in /etc/fsvs/auth/servers.
+The global svn access configuration takes place by default in /etc/fsvs/svn/servers.
+This can be changed on compile time with DEFAULT_CONFIGDIR_SUB in interface.h
 The configuration for the authentication credentials is stored in ~/.subversion. If the
-folder does not exists it will be created. Be aware that the creation tooks place with root
-privileges so if another svn client needs write access these access should be restored
-e.g. via chown -R username: ~/subversion.
+folder does not exists it will be created.
+Be aware that the initial creation tooks place with root privileges so if another svn client, running with user-only privileges, needs write access back this access should be restored e.g. via:
+
+$ chown -R username: ~/subversion.
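Review bot: The new command line "$ chown -R username: ~/subversion." points at ~/subversion while the text above names ~/.subversion, and the trailing period now reads as part of the path; it should be "$ chown -R username: ~/.subversion". The sentences before it need "does not exist", "took place" and "at compile time". The context line "store-plaintext-passwords=yes" deserves a sentence on why a passwordless setup enables plaintext password storage.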
