On Sun, Aug 11, 2013 at 02:34:55AM +0200, Jan Danielsson wrote:
> On 8/11/13 2:07 AM, Chad Perrin wrote:
> > So . . . let's say I have a server (running FreeBSD, and I'll probably
> > be setting this up in a jail) and a router that can forward ports
> > (already has SSH forwarded to this server). For argument's sake, let's
> > say we're confined to only one port per protocol. What's the quick/easy
> > way to get Fossil set up so a small team can push/pull/sync multiple
> > Fossil repositories on the server without having shell accounts? The
> > connection should be encrypted so that nobody can sniff usernames and
> > passwords when people are syncing, the users should preferably all be
> > using different credentials (not the same username/password combination,
> > in other words), and I should not have to pay any money to any third
> > parties (ISPs, certifying authorities, et cetera) as part of this.
>
> I have been using a combination of self-signed certificates, apache
> and fossil for a long time and have been very happy with it. (Apache is
> configured to only allow connections with full certificate chain
> verification).
>
> apache is configured to set REMOTE_USER to the CN-field of the
> certificate's subject, and the fossil repository is configured to get
> username from REMOTE_USER. So the only thing the users need to do is to
> place the CA, their certificate and key in a Good Place, and then set up
> fossil to use them. If the users will be accessing the web ui via a
> web-browser they will need to make the appropriate configurations to
> their web browsers as well.
>
> The users don't have to enter a password other than to unlock their
> local private key. (As a matter of policy; if they have the key on
> encrypted partitions they don't even have to do that).
>
> I use apache's access management tools to configure which
> users/groups can access which repositories.

Much of this does not appear immediately necessary to using only the
command line interface on the team member's workstation or laptop to
sync with a repository on the server, thus making it look like
significantly more of a solution than I need. Am I mistaken?

>
> The only part of the whole configuration which I found to be annoying
> was the generation of certificates/keys (the openssl command line tool
> and online manual is at times very unfriendly). Other than that, it was
> pretty much a breeze.
>
> If this is something you're interested in, then I can post more
> detailed instructions on how to set it up.

I am interested for future needs, even if this is not really a
quick/easy way to accomplish what I need right now.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
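The certificate generation step mentioned in the quoted message, sketched as an added example that is not part of the original thread or of Fossil: a private CA issues one client certificate per user, with the subject CN set to the name the server would see as REMOTE_USER. The CA name, directory layout and user names are constructed placeholders.

```shell
#!/bin/sh
# Added example: private CA plus one client certificate per Fossil user.
# All names ("Example Team CA", alice, file layout) are constructed placeholders.
set -eu

# Create the CA key and a self-signed CA certificate in directory $1.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    # -nodes leaves the key unencrypted; drop it to be prompted for a passphrase.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Team CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# Issue a client certificate whose subject CN is the login name $2.
issue_user() {
    dir=$1 user=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 \
        -in "$dir/$user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/$user.crt" 2>/dev/null
    # Key and certificate in one PEM (the form Fossil's ssl-identity setting takes).
    cat "$dir/$user.key" "$dir/$user.crt" > "$dir/$user.pem"
    chmod 600 "$dir/$user.key" "$dir/$user.pem"
}

# Print the CN of certificate $2, but only if it chains to the CA in $1.
verified_cn() {
    dir=$1 cert=$2
    openssl verify -CAfile "$dir/ca.crt" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Usage: sh make-certs.sh <ca-dir> <user> [<user> ...]
if [ "$#" -ge 2 ]; then
    ca_dir=$1; shift
    [ -f "$ca_dir/ca.crt" ] || make_ca "$ca_dir"
    for u in "$@"; do
        issue_user "$ca_dir" "$u"
        verified_cn "$ca_dir" "$ca_dir/$u.crt"
    done
fi
```

Only `ca.crt` and each user's own `.pem` leave the CA machine; `ca.key` stays there, since anyone holding it can mint a certificate for any user name.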