I get tired of passwords. Password here, password there, everywhere a password.
I am a systems designer who does a lot of admin out of necessity. When I get tired enough of a task, I eliminate it.
I use subversion on several projects to track documentation, source, configurations and more. All of my servers are SSL only, and use user certificates for identity verification. Here’s what I did to make passwordless, user-based restrictions on Subversion:
First, make sure that SSL is working on your apache server (if an https request gives a server error but plain http://yourserver.com:443 still answers, mod_ssl is not set up on port 443).
Put the following in /etc/httpd/conf.d/subversion.conf (SSLVerifyClient require only works if the SSL virtual host already names the CA that signed your user certificates with SSLCACertificateFile):
<Location /yourSubversionWebLocation>
    DAV svn
    SVNParentPath pathToYourSubversionFolder
    AuthzSVNAccessFile /etc/httpd/yourSubversionAccessFile
    SSLRequireSSL
    SSLVerifyClient require
    SSLUserName SSL_CLIENT_S_DN_Email
    SetOutputFilter DEFLATE
</Location>
Some people might want to use SSL_CLIENT_S_DN_CN as the user name instead of the email, but in my case I use the CN to put the person’s real full name in the certificate, so the email worked out better. Also, this way I can have jsmith@company1.com and jsmith@company2.com without a collision. Use whichever works for your situation.
Put your repository access information into your SVN access file like this:
[shared:/]
user1@yourplace.com = rw
user2@yourplace.com = rw
user3@yourplace.com = rw
readonlyuser@yourplace.com = r

[user1:/]
user1@yourplace.com = rw

[user2:/]
user2@yourplace.com = rw

[user3:/]
user3@yourplace.com = rw
Generate your User SSL keys. I do it with a script (lots of stuff on the web on how to set up your own CA, so I’m not re-hashing it here):
#!/bin/bash
# Usage: <this script> <user email>  -- the argument names the key, CSR, certificate and PKCS#12 files.
[ -z "$1" ] && exit 1

# Generate the user's private key and a certificate signing request.
# (-sha1 and rsa:1024 are what I used at the time; a current OpenSSL defaults to sha256 and 2048-bit keys, which is the safer choice.)
openssl req -config openssl.myconf.cnf -new -sha1 -newkey rsa:1024 -nodes \
    -keyout "private/$1.key" -out "csr/$1.pem"

# Sign the request with the CA.
openssl ca -config openssl.myconf.cnf -policy policy_anything -extensions usr_cert \
    -out "certs/$1.pem" -infiles "csr/$1.pem"

# Bundle certificate and key into a PKCS#12 file the user can import into a browser or point the svn client at.
openssl pkcs12 -export -clcerts -in "certs/$1.pem" -inkey "private/$1.key" -out "userp12/$1.p12"
Be sure to use the same email addresses that you use in the SVN authorization file.
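The access file and the "same email address" rule are the two places where a quiet mistake locks someone out or lets them in, so it is worth checking both before deploying. The Python below is an added example, not code from the original post: it evaluates an AuthzSVNAccessFile the way mod_authz_svn resolves it for the user name Apache copies from SSL_CLIENT_S_DN_Email (nearest section up the path wins, [repo:/path] before [/path]), and cross-checks every user the file names against the CA's index.txt so each one really holds a valid certificate. The access file text extends the post's file with an assumed devs group and a [shared:/secrets] section; the index.txt excerpt is constructed; the within-section precedence (explicit user, then group, then *) is the behaviour this example assumes, so keep conflicting rules out of a single section if your server is older.

```python
import configparser
import re

# Constructed access file: the post's [shared:/] and [user1:/] sections, plus an
# assumed "devs" group and a [shared:/secrets] section for inheritance.
AUTHZ_TEXT = """
[groups]
devs = user1@yourplace.com, user2@yourplace.com, user3@yourplace.com

[shared:/]
@devs = rw
readonlyuser@yourplace.com = r

[shared:/secrets]
@devs =

[user1:/]
user1@yourplace.com = rw
"""

# Constructed excerpt of an "openssl ca" index.txt: status (V valid, R revoked,
# E expired), expiry, revocation date, serial, file name, subject DN.
INDEX_TXT = (
    "V\t300101000000Z\t\t01\tunknown\t/C=US/O=yourplace/CN=User One/emailAddress=user1@yourplace.com\n"
    "V\t300101000000Z\t\t02\tunknown\t/C=US/O=yourplace/CN=User Two/emailAddress=user2@yourplace.com\n"
    "R\t300101000000Z\t240101000000Z\t03\tunknown\t/C=US/O=yourplace/CN=User Three/emailAddress=user3@yourplace.com\n"
    "V\t300101000000Z\t\t04\tunknown\t/C=US/O=yourplace/CN=Read Only/emailAddress=ReadOnlyUser@yourplace.com\n"
)

def load_authz(text):
    """Parse the access file; returns (parser, {group: set(members)})."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user names stay case-sensitive, as mod_authz_svn compares them
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    return cp, groups

def rule_rank(key, user, groups):
    """0 explicit user, 1 group member, 2 wildcard '*', None if the rule does not apply."""
    if key == user:
        return 0
    if key.startswith("@") and user in groups.get(key[1:], ()):
        return 1
    return 2 if key == "*" else None

def path_chain(path):
    """'/trunk/doc' -> ['/trunk/doc', '/trunk', '/']: most specific first."""
    path = "/" + path.strip("/")
    chain = [path]
    while path != "/":
        path = path.rsplit("/", 1)[0] or "/"
        chain.append(path)
    return chain

def access(cp, groups, user, repo, path):
    """Return 'rw', 'r' or '' (no access). The nearest section up the path with a
    rule for the user decides; [repo:/path] is consulted before [/path]. Inside one
    section this example assumes most-specific-wins: user, then group, then *."""
    for p in path_chain(path):
        for section in (f"{repo}:{p}", p):
            if not cp.has_section(section):
                continue
            best = None
            for key, value in cp.items(section):
                rank = rule_rank(key, user, groups)
                if rank is not None and (best is None or rank < best[0]):
                    best = (rank, value.strip())
            if best is not None:
                return best[1]
    return ""

def valid_cert_emails(index_text):
    """emailAddress of every certificate the CA database still marks valid (V)."""
    emails = set()
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 6 and fields[0] == "V":
            m = re.search(r"/emailAddress=([^/]+)", fields[5])
            if m:
                emails.add(m.group(1))
    return emails

def authz_users(cp, groups):
    """Every user name the access file can grant something to (groups expanded)."""
    users = set()
    for section in cp.sections():
        if section == "groups":
            continue
        for key in cp.options(section):
            if key.startswith("@"):
                users |= groups.get(key[1:], set())
            elif key != "*":
                users.add(key)
    return users

def missing_certs(cp, groups, index_text):
    """Access-file users with no valid certificate. The match is exact, so a cert
    issued to ReadOnlyUser@... does not satisfy the rule for readonlyuser@..."""
    return sorted(authz_users(cp, groups) - valid_cert_emails(index_text))

AUTHZ, GROUPS = load_authz(AUTHZ_TEXT)
```

Calling access(AUTHZ, GROUPS, "readonlyuser@yourplace.com", "shared", "/secrets/keys") returns "r": the [shared:/secrets] section only mentions @devs, so the read-only user inherits from [shared:/], while a devs member gets "" there. missing_certs(AUTHZ, GROUPS, INDEX_TXT) lists user3 (certificate revoked) and readonlyuser (certificate issued with different letter case), which is exactly the class of mismatch the email-address warning above is about.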
To access subversion from the command line, put the following into your ~/.subversion/servers file. Be certain that the file has strict permissions, since it holds the certificate password in clear text (chmod 0700 ~user1/.subversion ~user1/certs; chmod 0600 ~user1/.subversion/servers ~user1/certs/*):
[groups]
myrepositories = <your server address>

[myrepositories]
ssl-authority-files = /home/user1/certs/<your CA file>.crt
ssl-client-cert-file = /home/user1/certs/user1.p12
ssl-client-cert-password = <user's certificate password>
To access it with a browser, import the CA and user certificates into the browser of your choice. Users should then be able to select your web page and auto-magically get the right repositories with the right permissions. No passwords needed.
If you want a pretty web interface for your repository, try out websvn. Use the same SSL configuration information for your websvn.conf as you did for your subversion.conf, follow the install information for websvn, put your repositories into your config.php and you’re done.