disable security hole in svn+ssh?

2011-07-26 Thread Andy Canfield
I was trying to get http, svn, and svn+ssh to work. HERE IT IS USING HTTP: *svn info http://athol/svn/subdoc Authentication realm: Athol Subversion Repository Password for 'andy': Path: subdoc URL: http://athol/svn/subdoc Repository Root: http://athol/svn/subdoc Repository U

Re: disable security hole in svn+ssh?

2011-07-27 Thread Ulrich Eckhardt
On Wednesday 27 July 2011, Andy Canfield wrote: > I was trying to get http, svn, and svn+ssh to work. Just one thing: Why? Why do you want more than one protocol? I could imagine read-only HTTP and read-write HTTPS, but that's the only reason for multiple access methods I could imagine. > Cons

Re: disable security hole in svn+ssh?

2011-07-27 Thread Nico Kadel-Garcia
On Wed, Jul 27, 2011 at 12:06 AM, Andy Canfield wrote: > I was trying to get http, svn, and svn+ssh to work. Dude. Pick one. Getting all three to play nicely together is destablilizing. > HERE IT IS USING HTTP: >     svn info http://athol/svn/subdoc > Authentication realm: Ath

Re: disable security hole in svn+ssh?

2011-07-28 Thread Andy Canfield
On 07/27/2011 06:47 PM, Nico Kadel-Garcia wrote: On Wed, Jul 27, 2011 at 12:06 AM, Andy Canfield wrote: I was trying to get http, svn, and svn+ssh to work. Dude. Pick one. Getting all three to play nicely together is destablilizing. For me, getting any of the four to work is difficult. Here

Re: disable security hole in svn+ssh?

2011-07-28 Thread Matthew Beals
> That "svn" user can be set to have no valid shell, with its shell set > to something like "/sbin/nologin". This is actually quite common for > system services to have no valid shell. This is how the "apache" or > "www-data" user is usually set up. But that would prevent login using ssh, which I d

Re: disable security hole in svn+ssh?

2011-07-28 Thread Geoff Hoffman
On Thu, Jul 28, 2011 at 7:29 AM, Andy Canfield wrote: > Hold it right there. You're providing password based repository access >> via HTTP, not HTTPS? Please rethink this unless you *want* the >> passwords for this repository to be quite insecure and sniffable, >> especially if you're using norma

Re: disable security hole in svn+ssh?

2011-07-28 Thread Les Mikesell
On 7/28/2011 9:29 AM, Andy Canfield wrote: I was trying to get http, svn, and svn+ssh to work. Dude. Pick one. Getting all three to play nicely together is destablilizing. For me, getting any of the four to work is difficult. Here is the status of the various protocols, in order by apparent d

Re: disable security hole in svn+ssh?

2011-07-28 Thread Nico Kadel-Garcia
On Thu, Jul 28, 2011 at 10:44 AM, Matthew Beals wrote: >> That "svn" user can be set to have no valid shell, with its shell set >> to something like "/sbin/nologin". This is actually quite common for >> system services to have no valid shell. This is how the "apache" or >> "www-data" user is usual

Re: disable security hole in svn+ssh?

2011-07-28 Thread Andy Canfield
Thank you very much. On 07/28/2011 09:48 PM, Geoff Hoffman wrote: On Thu, Jul 28, 2011 at 7:29 AM, Andy Canfield mailto:andy.canfi...@pimco.mobi>> wrote: Hold it right there. You're providing password based repository access via HTTP, not HTTPS? Please rethink this u

Re: disable security hole in svn+ssh?

2011-07-28 Thread Ryan Schmidt
On Jul 28, 2011, at 20:27, Andy Canfield wrote: > On 07/28/2011 09:48 PM, Geoff Hoffman wrote: >> You can then detect http protocol with a rewrite rule and redirect to https >> using mod_rewrite in either the vhost container or .htaccess file. > Where would the .htaccess file be for svn+ssh? Ther

Re: disable security hole in svn+ssh?

2011-07-28 Thread Ryan Schmidt
On Jul 28, 2011, at 23:44, Ryan Schmidt wrote: > On Jul 28, 2011, at 20:27, Andy Canfield wrote: >> On 07/28/2011 09:48 PM, Geoff Hoffman wrote: >>> You can then detect http protocol with a rewrite rule and redirect to https >>> using mod_rewrite in either the vhost container or .htaccess file. >

RE: disable security hole in svn+ssh?

2011-07-29 Thread Cooke, Mark
> -Original Message- > From: Andy Canfield [mailto:andy.canfi...@pimco.mobi] > Sent: 29 July 2011 02:27 > To: Geoff Hoffman > Cc: Nico Kadel-Garcia; users@subversion.apache.org > Subject: Re: disable security hole in svn+ssh? > Apparently, regardless of the pro

Re: disable security hole in svn+ssh?

2011-07-29 Thread Les Mikesell
On 7/28/11 8:27 PM, Andy Canfield wrote: Seems like every protocol uses a different method to do authorization, and that's my ignorance. I'm trying to work out an authorization mechanism that applies regardless of the protocol. Why? Pick one that works and leave the others so users can't use

Re: disable security hole in svn+ssh?

2011-07-30 Thread Andy Canfield
On 07/29/2011 02:10 PM, Cooke, Mark wrote: -Original Message- From: Andy Canfield [mailto:andy.canfi...@pimco.mobi] Sent: 29 July 2011 02:27 To: Geoff Hoffman Cc: Nico Kadel-Garcia; users@subversion.apache.org Subject: Re: disable security hole in svn+ssh? Apparently, regardless