
Re: [feature request] ssl client-certificate auth

Author pmarek
Full name P.Marek
Date 2008-08-12 08:22:54 PDT
Message Hello Gunnar!


Thank you for your answer, but I'm still confused ;-/
I'll try to repeat what I read.

On Tuesday 12 August 2008 Gunnar Thielebein wrote:
> I think I need to explain our scenario a little bit.
> On one hand we use ssl-keybased authorisation for servers. This keeps us
> from typing a password in the authentication process because of security.
Don't you secure your client-certificates? Are they in smartcards? Do you
store the password for the PKCS#11 files?

> On the other hand we need the username of the committer to track changes
> to the config. This won't be the case without using htaccess.
You want a *real* username in the commits, not "root" - that's why you use
http(s).

> So we use anonymous access on server so that only a (real) username is
> needed on clientside, no matching password.
Why do you need a username for anonymous? Or is the username "real" so that
the commit authentication works, but it wouldn't work on checkout without
*any* password?

> Without the local ~/.subversion directory and performing "svn ls" fsvs
> also asks for the password when doing a commit.
> So I wasn't able to nail this issue down and I created the patch.
And you don't want to have a ~root/.subversion - right?

> Perhaps another configuration "anonymous_access" would make more sense
> but I don't know what to use as an argument to this function instead of
> a string or NULL:
What do you need for anonymous access? I'd understand that as allowing
everyone.

> > And what exactly does not work?
>
> saving the httpauth-credentials
To repeat:
Using a ~/.subversion, that is pre-populated by "svn ls", works for fsvs.
But you'd like to avoid that directory, and avoid the pre-population.
FSVS does already ask for the authentication data, but doesn't store it -
you'd have to enter that for every invocation?
Is that what you say?

Maybe the config hash in cb_init() has to include the
    [auth]
    store-auth-creds = yes
configuration for the subversion libraries.


> > Do I understand you correctly: Because /etc/ is the configuration path,
> > the password (that gets asked on checkout) is not stored in the files;
> > but for commit you use client certificates, so you don't need it anyway?
> This was only an assumption from my side.
> I don't know if the behaviour changes when using ~/.subversion; should I
> test this?
Yes, please - although I don't think so. The config hash mentioned above seems
like a better bet.


Regards,

Phil

--
Versioning your /etc, /home or even your whole installation?
             Try fsvs (fsvs.tigris.org)!
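
The `[auth]` setting suggested in the message above, as an added example that is not part of the original post or of fsvs: a shell sketch that writes a dedicated Subversion config directory and audits what ends up cached in it. The function names and the directory argument are hypothetical; `store-passwords = no` is a further Subversion `[auth]` option that the message does not mention, added here so that a username can be cached without a password.

```shell
#!/bin/sh
# Added example; the caller chooses the directory, nothing here is an fsvs default.

# Write <dir>/config so the Subversion libraries cache auth data such as the
# username (store-auth-creds) but never a password (store-passwords).
write_svn_config() {
    dir=$1
    ( umask 077
      mkdir -p "$dir" &&
      cat > "$dir/config" <<'EOF'
[auth]
store-auth-creds = yes
store-passwords = no
EOF
    ) && chmod 700 "$dir"
}

# Print every cache entry under <dir>/auth/svn.simple that holds a "password"
# key. Entries are stored as "K <len>" / key / "V <len>" / value records.
cached_passwords() {
    for f in "$1"/auth/svn.simple/*; do
        [ -f "$f" ] || continue
        awk 'prev ~ /^K [0-9]+$/ && $0 == "password" { found = 1 }
             { prev = $0 }
             END { exit !found }' "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Succeed only if the directory is owner-only and holds no cached password.
audit_svn_config() {
    dir=$1
    case $(ls -ld "$dir") in
        drwx------*) ;;          # no group/other permission bits
        *) return 1 ;;
    esac
    [ -z "$(cached_passwords "$dir")" ]
}
```
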
