
fsvs
Discussion topic

Re: certificate/password storage

Author pmarek
Full name P.Marek
Date 2009-11-14 11:39:43 PST
Message Hello Gunnar!

>>> 1. config_dir= is ignored
>> Is it really ignored? Does it make *no* difference to the strace output?
> I did a test with this config:
...
>> 14:03:09.151364
>> open("/etc/fsvs/auth/auth/svn.simple/26802e27b194d5398936c611c3e450fa",
>> O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
...
> So far, no tries to make use of the explicit .subversion folder.
I'll take a look at that.

Sorry, I mostly use file:/// (for /etc), or svn+ssh (for /) - so I don't really test the
authentication problems.

> Perhaps you can also test this behaviour with only defining a https url for the
> WC. It seems that fsvs also gets to this stage offline, (test done in train with
> no internet connection). Otherwise just tell me if you need a working https
> encrypted repository for testing and I send you the key/password for that.
Good catch, I'll try that.


>> See eg. the "author" option; it would only have to be a bit changed, to allow other
>> strings behind. Or we settle for "~" prepending $HOME, although that's the same work
>> and
>> not that flexible.
>
> Going with something like $HOME would be great!
> Is it sufficient to change the type for config_dir to
> parse=opt___store_env_noempty in options.c?
No, it's not *that* easy.
The opt___store_env_noempty just takes everything after a '$' and tries to use that as
an environment variable.

You'd have to write a new parser, to substitute only /\$\w+/ (in regex-speak); then
slashes and other things can be included.


> Regarding the _base file. Would you accept a patch for a README.txt? That's a
> file analog to the file subversion creates for repos with further information
> about the working copy, path included.
Yes; I'd be grateful for that.
I cursed myself because of that a few times; contrary to my initial opinion the symlink
hasn't proved useful yet.

>> Thank you for your efforts!
> It's a pleasure, helping you to let fsvs grow mature!
Once again: thanks a lot.

> I have also a package of fsvs-1.2.1 for Ubuntu karmic and hardy in my ppa
> at:
>
> https://launchpad.net/~gunnar-thielebein/+archive/ppa
>
> Still included is the password patch but I hope we get this out when native ssl
> support works.
Would you try to get that into debian and ubuntu? Pretty please ;-)


Regards,

Phil

--
Versioning your /etc, /home or even your whole installation?
             Try fsvs (fsvs.tigris.org)!
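
The parser described in the message above (substitute only `/\$\w+/`, so slashes and other text can follow the variable), sketched as an added example that is not part of the thread and is not fsvs code. The names `expand_env_path`, `sample_env` and `expand_demo` are hypothetical, and the environment is a constructed stand-in for `getenv`; an unset variable or an oversized result is rejected rather than producing a shortened credential path.

```c
#include <ctype.h>
#include <string.h>

static int name_char(char c) { return isalnum((unsigned char)c) || c == '_'; }

/* Hypothetical helper, not fsvs code: replace each $NAME (NAME = \w+) with
 * lookup(NAME); every other byte, '/' included, is copied unchanged.
 * Returns the length, or -1 if a variable is unset/empty or out is too small. */
int expand_env_path(const char *in, char *out, size_t outsz,
                    const char *(*lookup)(const char *))
{
    size_t o = 0;
    if (outsz == 0) return -1;
    while (*in) {
        if (*in == '$' && name_char(in[1])) {
            char name[64];
            size_t n = 0, len;
            const char *val;
            for (in++; name_char(*in); in++) {
                if (n + 1 >= sizeof name) return -1;  /* name too long */
                name[n++] = *in;
            }
            name[n] = '\0';
            val = lookup(name);
            if (!val || !*val) return -1;             /* unset or empty: refuse */
            len = strlen(val);
            if (len >= outsz - o) return -1;          /* would overflow out */
            memcpy(out + o, val, len);
            o += len;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed environment so the demo is deterministic; pass getenv for real. */
static const char *sample_env(const char *name)
{
    return strcmp(name, "HOME") == 0 ? "/home/alice" : NULL;
}

/* Demo wrapper: expanded path, or NULL on failure. */
const char *expand_demo(const char *in)
{
    static char buf[64];
    return expand_env_path(in, buf, sizeof buf, sample_env) < 0 ? NULL : buf;
}
```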

Re: certificate/password storage

Author tekknokra
Full name Gunnar Thielebein
Date 2009-11-14 09:59:39 PST
Message Hi Phil,

Philipp Marek wrote:
> Hello Gunnar!
>
>> Some update with tests I made.
>> I created the dir hierarchy that fsvs wanted (yesterday's strace output):
>>
>> /etc/fsvs/auth/auth .
>>
>> When I drop the server file in that folder fsvs already makes use of it but
>> still asks for a password which then is not stored.
>>
>> When I create the subdir "svn.simple" fsvs is able to store the password/user
>> pair. Only problem that now arises is that it takes the same username when fsvs
>> performs checkins as another user. So the global storing is not appreciated but
>> using something like ~/.fsvs.
>>
>> The 2 problems we have are that:
>> 1. config_dir= is ignored
> Is it really ignored? Does it make *no* difference to the strace output?

I did a test with this config:

config_dir=/home/gthielebein/.subversion

The path to svn.simple auth *does* exist:

/home/gthielebein/.subversion/auth/svn.simple/26802e27b194d5398936c611c3e450fa

The output is:

> 14:03:09.151364 open("/etc/fsvs/auth/auth/svn.simple/26802e27b194d5398936c611c3e450fa", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
> 14:03:09.156750 open("/etc/fsvs/auth/auth/svn.simple/26802e27b194d5398936c611c3e450fa", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
> 14:03:09.156931 open("/etc/fsvs/auth/auth/svn.simple/26802e27b194d5398936c611c3e450fa", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
> 14:03:09.157180 open("/tmp/apr-tmp.Z63ZWP", O_RDWR|O_CREAT|O_EXCL, 0600) = 5
> 14:03:09.157892 open("/tmp/tempfile.tmp", O_RDWR|O_CREAT|O_EXCL, 0666) = 5
> 14:03:09.196707 open("/etc/fsvs/auth/auth/svn.simple/26802e27b194d5398936c611c3e450fa", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
> 14:03:09.212730 open("/etc/fsvs/auth/auth/svn.simple/26802e27b194d5398936c611c3e450fa", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
> 14:03:09.213039 open("/etc/fsvs/auth/auth/svn.simple/26802e27b194d5398936c611c3e450fa", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)

So far, no tries to make use of the explicit .subversion folder.

Perhaps you can also test this behaviour with only defining a https url for the
WC. It seems that fsvs also gets to this stage offline, (test done in train with
no internet connection). Otherwise just tell me if you need a working https
encrypted repository for testing and I send you the key/password for that.

>
>> 2. the file hierarchy is not created for some reason.
> It's created by "make install", but without the double "auth".
> That's easily fixable.
>
>> When second is working
>> will it also support environment variables like $HOME?
> Could be, could be ;-)
>
> See eg. the "author" option; it would only have to be a bit changed, to allow other
> strings behind. Or we settle for "~" prepending $HOME, although that's the same work and
> not that flexible.

Going with something like $HOME would be great!
Is it sufficient to change the type for config_dir to
parse=opt___store_env_noempty in options.c?

Regarding the _base file. Would you accept a patch for a README.txt? That's a
file analog to the file subversion creates for repos with further information
about the working copy, path included.
>
> Thank you for your efforts!

It's a pleasure, helping you to let fsvs grow mature!

I have also a package of fsvs-1.2.1 for Ubuntu karmic and hardy in my ppa
at:

https://launchpad.net/~gunnar-thielebein/+archive/ppa

Still included is the password patch but I hope we get this out when native ssl
support works.

Best,
Gunnar
>
>
> Regards,
>
> Phil
>
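
The strace check used in the message above (config_dir points at one directory, yet the credential-cache lookups go to another), automated as an added example that is not part of the thread and is not fsvs code. The function names and the sample lines are constructed for illustration; the hash file names are placeholders.

```c
#include <string.h>

/* Constructed strace -f -tt lines shaped like those in the thread; the hash
 * file names are placeholders. */
static const char *const SAMPLE[] = {
    "10:00:00.000001 open(\"/etc/fsvs/auth/auth/svn.simple/0123abcd\", "
    "O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)",
    "10:00:00.000002 open(\"/tmp/apr-tmp.XXXXXX\", O_RDWR|O_CREAT|O_EXCL, 0600) = 5",
    "10:00:00.000003 lstat(\"/home/alice/.subversion/auth/svn.ssl.server/0123abcd\", "
    "0x7ffc00000000) = 0",
};

/* 1 if path is dir itself or below it; compares whole components so that
 * /etc/fsvs2 is not treated as being inside /etc/fsvs. */
static int is_under(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    while (n > 0 && dir[n - 1] == '/') n--;      /* ignore trailing slashes */
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Count lines whose first quoted argument is a Subversion auth-cache path
 * (contains "/auth/svn.") that is NOT under config_dir. -1 on bad input. */
int count_auth_outside(const char *const *lines, size_t nlines,
                       const char *config_dir)
{
    int hits = 0;
    if (!config_dir || config_dir[0] != '/') return -1;
    for (size_t i = 0; i < nlines; i++) {
        char path[512];
        const char *q = strchr(lines[i], '"');
        const char *e = q ? strchr(q + 1, '"') : NULL;
        size_t len;
        if (!e || (len = (size_t)(e - q - 1)) >= sizeof path) continue;
        memcpy(path, q + 1, len);
        path[len] = '\0';
        if (strstr(path, "/auth/svn.") && !is_under(path, config_dir))
            hits++;
    }
    return hits;
}

/* Run the check over the constructed sample lines. */
int sample_outside(const char *config_dir)
{
    return count_auth_outside(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], config_dir);
}
```

A non-zero count for the directory given in `config_dir=` means the credential cache is being looked up somewhere else, which is the symptom reported in this thread.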

Re: certificate/password storage

Author pmarek
Full name P.Marek
Date 2009-11-09 00:13:56 PST
Message Hello Gunnar!

> Some update with tests I made.
> I created the dir hierarchy that fsvs wanted (yesterday's strace output):
>
> /etc/fsvs/auth/auth .
>
> When I drop the server file in that folder fsvs already makes use of it but
> still asks for a password which then is not stored.
>
> When I create the subdir "svn.simple" fsvs is able to store the password/user
> pair. Only problem that now arises is that it takes the same username when fsvs
> performs checkins as another user. So the global storing is not appreciated but
> using something like ~/.fsvs.
>
> The 2 problems we have are that:
> 1. config_dir= is ignored
Is it really ignored? Does it make *no* difference to the strace output?

> 2. the file hierarchy is not created for some reason.
It's created by "make install", but without the double "auth".
That's easily fixable.

> When second is working
> will it also support environment variables like $HOME?
Could be, could be ;-)

See eg. the "author" option; it would only have to be a bit changed, to allow other
strings behind. Or we settle for "~" prepending $HOME, although that's the same work and
not that flexible.

Thank you for your efforts!


Regards,

Phil

--
Versioning your /etc, /home or even your whole installation?
             Try fsvs (fsvs.tigris.org)!

Re: certificate/password storage

Author tekknokra
Full name Gunnar Thielebein
Date 2009-11-06 03:33:04 PST
Message Hi Phil!

Some update with tests I made.
I created the dir hierarchy that fsvs wanted (yesterday's strace output):

/etc/fsvs/auth/auth .

When I drop the server file in that folder fsvs already makes use of it but
still asks for a password which then is not stored.

When I create the subdir "svn.simple" fsvs is able to store the password/user
pair. Only problem that now arises is that it takes the same username when fsvs
performs checkins as another user. So the global storing is not appreciated but
using something like ~/.fsvs.

The 2 problems we have are that:
1. config_dir= is ignored
2. the file hierarchy is not created for some reason. When second is working
will it also support environment variables like $HOME?

Cheers,
Gunnar

P.Marek wrote:
> Hello Gunnar!
>
>> I just tested the certificate/password storage part on Ubuntu/Karmic against
>> a local ssl/http-auth setup.
>>
>> config_dir is set to /etc/subversion.
>>
>> When issuing the remote command "remote-status" I am asked to permanently store
>> the certificate. I agree with yes.
>> Then I will be asked about the pkcs12 file location and a password.
>>
>> In this step I am prompted with a confirmation dialog:
>>
>>> You can avoid future appearances of this warning by setting the value
>>> of the 'store-ssl-client-cert-pp-plaintext' option to either 'yes' or
>>> 'no' in '(null)'.
>> If I agree all the questions with yes authentication succeeds.
>> On performing the remote command next time I get the
>> accept certificate request and all other steps involved again.
>> As you can see in the before prompt there's no path set.
>>
>> Please let me know if you need more information. I tried with running with fsvs
>> -vvv -d but this does not increase verbosity on the interesting parts (libsvn).
> Could you try to put a "~/.subversion/config" file into "/etc/subversion", with
> authentication storing enabled?
>
> If that doesn't help, please do an "strace -f -tt" of a fsvs call, and send me that -
> maybe I can see there where subversion tries to get information from.
>
>
> Regards,
>
> Phil
>

Re: certificate/password storage

Author tekknokra
Full name Gunnar Thielebein
Date 2009-11-05 02:04:15 PST
Message Hi Phil,

P.Marek wrote:
> Hello Gunnar!
>
>> I just tested the certificate/password storage part on Ubuntu/Karmic against
>> a local ssl/http-auth setup.
>>
>> config_dir is set to /etc/subversion.
>>
>> When issuing the remote command "remote-status" I am asked to permanently store
>> the certificate. I agree with yes.
>> Then I will be asked about the pkcs12 file location and a password.
>>
>> In this step I am prompted with a confirmation dialog:
>>
>>> You can avoid future appearances of this warning by setting the value
>>> of the 'store-ssl-client-cert-pp-plaintext' option to either 'yes' or
>>> 'no' in '(null)'.
>> If I agree all the questions with yes authentication succeeds.
>> On performing the remote command next time I get the
>> accept certificate request and all other steps involved again.
>> As you can see in the before prompt there's no path set.
>>
>> Please let me know if you need more information. I tried with running with fsvs
>> -vvv -d but this does not increase verbosity on the interesting parts (libsvn).
> Could you try to put a "~/.subversion/config" file into "/etc/subversion", with
> authentication storing enabled?

I had the config file already there, but the entries are uncommented. Regarding
the comments storing is enabled by default but now explicitly enabled:

/etc/subversion/config:

[auth]
store-passwords = yes
store-auth-creds = yes

Server file.

/etc/subversion/server:

[groups]
test.local = fsvs.agile-admin.net
[test.local]
ssl-client-cert-file = /etc/ssl/default/newcert.p12
ssl-client-cert-password = test123
[global]
ssl-authority-files = /etc/ssl/default/cacert.pem
store-passwords = yes
store-plaintext-passwords = no
store-ssl-client-cert-pp = no
store-ssl-client-cert-pp-plaintext = no

>
> If that doesn't help, please do an "strace -f -tt" of a fsvs call, and send me that -
> maybe I can see there where subversion tries to get information from.

Good tip!
The bottom line (4245) shows where fsvs wants to get information from. Log
gzipped and attached for convenience.

> 10:56:23.046460 lstat("/etc/fsvs/auth/auth/svn.ssl.server/06efd6678d902375072f17361922b4b2", 0x7fffa792b3d0) = -1 ENOENT (No such file or directory)


>
>
> Regards,
>
> Phil
>

Cheers,
Gunnar

Re: certificate/password storage

Author pmarek
Full name P.Marek
Date 2009-11-05 00:00:17 PST
Message Hello Gunnar!

> I just tested the certificate/password storage part on Ubuntu/Karmic against
> a local ssl/http-auth setup.
>
> config_dir is set to /etc/subversion.
>
> When issuing the remote command "remote-status" I am asked to permanently store
> the certificate. I agree with yes.
> Then I will be asked about the pkcs12 file location and a password.
>
> In this step I am prompted with a confirmation dialog:
>
>> You can avoid future appearances of this warning by setting the value
>> of the 'store-ssl-client-cert-pp-plaintext' option to either 'yes' or
>> 'no' in '(null)'.
>
> If I agree all the questions with yes authentication succeeds.
> On performing the remote command next time I get the
> accept certificate request and all other steps involved again.
> As you can see in the before prompt there's no path set.
>
> Please let me know if you need more information. I tried with running with fsvs
> -vvv -d but this does not increase verbosity on the interesting parts (libsvn).
Could you try to put a "~/.subversion/config" file into "/etc/subversion", with
authentication storing enabled?

If that doesn't help, please do an "strace -f -tt" of a fsvs call, and send me that -
maybe I can see there where subversion tries to get information from.


Regards,

Phil

--
Versioning your /etc, /home or even your whole installation?
             Try fsvs (fsvs.tigris.org)!

certificate/password storage

Author tekknokra
Full name Gunnar Thielebein
Date 2009-11-04 15:12:06 PST
Message Hi Phil,

I just tested the certificate/password storage part on Ubuntu/Karmic against
a local ssl/http-auth setup.

config_dir is set to /etc/subversion.

When issuing the remote command "remote-status" I am asked to permanently store
the certificate. I agree with yes.
Then I will be asked about the pkcs12 file location and a password.

In this step I am prompted with a confirmation dialog:

> You can avoid future appearances of this warning by setting the value
> of the 'store-ssl-client-cert-pp-plaintext' option to either 'yes' or
> 'no' in '(null)'.

If I agree all the questions with yes authentication succeeds.
On performing the remote command next time I get the
accept certificate request and all other steps involved again.
As you can see in the before prompt there's no path set.

Please let me know if you need more information. I tried with running with fsvs
-vvv -d but this does not increase verbosity on the interesting parts (libsvn).

Best,
Gunnar