
fsvs

Re: [feature request] ssl client-certificate auth

Author tekknokrat
Full name Gunnar Thielebein
Date 2008-08-12 09:06:38 PDT
Message Hi,

Philipp Marek wrote:
> Hello Gunnar!
>
>
> Thank you for your answer, but I'm still confused ;-/
> I'll try to repeat what I read.
>
> On Tuesday 12 August 2008 Gunnar Thielebein wrote:
>
>> I think I need to explain our scenario a little bit.
>> On one hand we use ssl-keybased authorisation for servers. This keeps us
>> from typing password in authentication process because of security.
>>
> Don't you secure your client-certificates? Are they in smartcards? Do you
> store the password for the PKCS#11 files?
>
The client ssl-certificates have a password set atm. But the password is
cleartext in config which throws the problem you mentioned in your last
mail. I think later we will restrict access from allowed hosts only and
remove the passwords from keys.
>
>> On the other hand we need the username of the committer to track changes
>> to the config. This won't be the case without using htaccess.
>>
> You want a *real* username in the commits, not "root" - that's why you use
> http(s).
>
>
IMO you mean httpauth not https, if this is the case - yes.
>> So we use anonymous access on server so that only a (real) username is
>> needed on clientside, no matching password.
>>
> Why do you need a username for anonymous? Or is the username "real" so that
> the commit authentication works, but it wouldn't work on checkout without
> *any* password?
>
The username should be real to track commits via trac btw. (and later
also to log the general access to repository)
>
>> Without the local ~/.subversion directory and performing "svn ls" fsvs
>> also asks for the password when doing a commit.
>> So I wasn't able to nail this issue down and I created the patch.
>>
> And you don't want to have a ~root/.subversion - right?
>
Yes, I want to keep the users home on sudo for preserving individual
settings.
>
>> Perhaps another configuration "anonymous_access" would make more sense
>> but I don't know what to use as an argument to this function instead of
>> a string or NULL:
>>
> What do you need for anonymous access? I'd understand that as allowing
> everyone.
>
Yes, in more detail allowing everyone from authenticated hosts.
>
>>> And what exactly does not work?
>>>
>> saving the httpauth-credentials
>>
> To repeat:
> Using a ~/.subversion, that is pre-populated by "svn ls", works for fsvs.
> But you'd like to avoid that directory, and avoid the pre-population.
> FSVS does already ask for the authentication data, but doesn't store it -
> you'd have to enter that for every invocation?
> Is that what you say?
>
>
Yes, that's what I mean, I need to hit at least <enter> every time.
This doesn't sound much, but is annoying over time and blocks usage of
fsvs in apt-hook/cron-jobs.

> Maybe the config hash in cb_init() has to include the
> [auth]
> store-auth-creds = yes
> configuration for the subversion libraries.
>
>
I don't understand why it doesn't use this option, yet. Normally it
defaults to "yes".
Will you have a look at that?
>
>>> Do I understand you correctly: Because /etc/ is the configuration path,
>>> the password (that gets asked on checkout) is not stored in the files;
>>> but for commit you use client certificates, so you don't need it anyway?
>>>
>> this was only assumption from my side.
>> I don't know if the behaviour changes when using ~/.subversion should I
>> test this?
>>
> Yes, please - although I don't think so. The config hash mentioned above seems
> like a better bet.
>
I'll try to compile with userdir and if it helps let you know.
> Regards,
>
> Phil
>
>

Thanks for your help!

Cheers,
Gunnar
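
The message above mentions client-certificate passwords kept in cleartext in a config file. As an added example (not part of the original post and not FSVS code), this check flags such entries in a Subversion `servers` runtime file; the host name, certificate path and sample contents are constructed, and the assumption is that the password sits under the `ssl-client-cert-password` option.

```python
import configparser
import stat

# Constructed sample of a Subversion "servers" runtime file (not from the thread).
SAMPLE_SERVERS = """\
[groups]
cfgrepo = svn.example.org

[cfgrepo]
ssl-client-cert-file = /etc/fsvs/client.p12
ssl-client-cert-password = s3cret

[global]
store-plaintext-passwords = yes
"""

TRUE_VALUES = {"yes", "true", "on", "1"}


def audit_servers(text, file_mode):
    """Return (section, issue) findings for cleartext secrets in a servers file.

    file_mode is the st_mode of the file the text came from (e.g. os.stat(p).st_mode).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if section == "groups":
            continue  # only maps group names to host patterns
        opts = cp[section]
        # A non-empty value means the key passphrase is readable from the file.
        if opts.get("ssl-client-cert-password"):
            findings.append((section, "cleartext ssl-client-cert-password"))
        # Allows cached passwords to be written to disk unencrypted.
        if opts.get("store-plaintext-passwords", "").lower() in TRUE_VALUES:
            findings.append((section, "store-plaintext-passwords enabled"))
    # Secrets in a file that group/other can read are exposed to every local user.
    if findings and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("<file>", "readable by group or others"))
    return findings


if __name__ == "__main__":
    for section, issue in audit_servers(SAMPLE_SERVERS, 0o644):
        print(f"{section}: {issue}")
```
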
