SSH, Subversion, and possibly Kerberos - SSH

  1. SSH, Subversion, and possibly Kerberos

    Subversion has a serious problem with all of its command line clients: all of
    them store your passwords in local clear-text. The usual way around this is to
    use SSH keys, have people log in as the 'svn' user, and use a 'command=' line
    in each SSH key to start up an svnserve connection, and use that.

    This gets nutty, and makes key management awkward.

    I'd like to have one of two things:

    * A graceful tool for managing a common pool of public keys, one that allows a
    user or manager to delete and add keys. A good GUI, such as a webmin module,
    would be ideal, but I haven't seen one.

    * Kerberize things: Set up Kerberized access, on the base RHEL 5 operating
    systems and Windows clients that I'm using, to manage the account based access
    without using Subversion stored clear-text local passwords. RHEL 5 has OpenSSH
    4.x.

    Has anyone pursued either of these to completion, or pursued it even on a more
    modern operating system, such as Fedora or Ubuntu?
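
An added example (not part of the original post, and not the poster's setup) of the 'command=' arrangement described above, generalized into a small pool manager: it rebuilds the 'svn' account's authorized_keys from one public key file per user, so deleting a file and re-running revokes that user. The pool layout (KEYDIR/<user>.pub), the /srv/svn repository root, and the function name are assumptions.

```shell
#!/bin/sh
# Added example: regenerate authorized_keys for the shared 'svn' account from a
# pool of per-user key files. Hypothetical layout: KEYDIR/<user>.pub
LC_ALL=C; export LC_ALL            # make the a-z ranges below byte-exact
SVN_ROOT="${SVN_ROOT:-/srv/svn}"   # assumed repository root
# Per-key restrictions that OpenSSH 4.x already understands.
KEY_OPTS="no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"

build_authorized_keys() {
    keydir=$1
    for f in "$keydir"/*.pub; do
        [ -f "$f" ] || continue
        user=$(basename "$f" .pub)
        # The user name is embedded in command="..."; allow only safe names.
        case $user in
            ""|*[!a-z0-9_-]*) echo "skip: bad user name '$user'" >&2; continue ;;
        esac
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ""|"#"*) continue ;;
                # Accept bare keys only, so a pool file cannot bring its own
                # options (for example a different command=).
                "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*) ;;
                *) echo "skip: $f: not a bare public key" >&2; continue ;;
            esac
            # Split into type, blob, comment without glob expansion.
            set -f; set -- $line; set +f
            case ${2:-} in
                ""|*[!A-Za-z0-9+/=]*) echo "skip: $f: bad key blob" >&2; continue ;;
            esac
            # Pin the key to svnserve in tunnel mode, acting as this user;
            # the free-text key comment is replaced by the user name.
            printf 'command="svnserve -t --tunnel-user=%s -r %s",%s %s %s %s\n' \
                "$user" "$SVN_ROOT" "$KEY_OPTS" "$1" "$2" "$user"
        done < "$f"
    done
}

# Usage: sh thisscript KEYDIR > authorized_keys.new  (review, then install)
[ $# -eq 0 ] || build_authorized_keys "$1"
```

Write the output to a temporary file and move it into place only after review, so a bad pool entry never truncates the live authorized_keys.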

  2. Re: SSH, Subversion, and possibly Kerberos

    On Fri, 26 Sep 2008 15:33:47 +0100, Nico Kadel-Garcia wrote:
    > Subversion has a serious problem with all of its command line clients: all of
    > them store your passwords in local clear-text. The usual way around this is to
    > use SSH keys, have people log in as the 'svn' user, and use a 'command=' line
    > in each SSH key to start up an svnserve connection, and use that.


    > This gets nutty, and makes key management awkward.


    > I'd like to have one of two things:


    > * A graceful tool for managing a common pool of public keys, one that allows a
    > user or manager to delete and add keys. A good GUI, such as a webmin module,
    > would be ideal, but I haven't seen one.


    > * Kerberize things: Set up Kerberized access, on the base RHEL 5 operating
    > systems and Windows clients that I'm using, to manage the account based access
    > without using Subversion stored clear-text local passwords. RHEL 5 has OpenSSH
    > 4.x.


    > Has anyone pursued either of these to completion, or pursued it even on a more
    > modern operating system, such as Fedora or Ubuntu?


    You said you have RHEL 5. Do you also have CentOS systems? If so,
    you should ask this question of the CentOS discussion and information
    mailing list (www.centos.org -> Mailing Lists). A lot of sysadmins
    post there. In fact, you might try just reading the archives.

    --
    Dale Dellutri (lose the Q's)

  3. Re: SSH, Subversion, and possibly Kerberos

    Dale Dellutri wrote:
    > On Fri, 26 Sep 2008 15:33:47 +0100, Nico Kadel-Garcia wrote:
    >> Subversion has a serious problem with all of its command line clients: all of
    >> them store your passwords in local clear-text. The usual way around this is to
    >> use SSH keys, have people log in as the 'svn' user, and use a 'command=' line
    >> in each SSH key to start up an svnserve connection, and use that.

    >
    >> This gets nutty, and makes key management awkward.

    >
    >> I'd like to have one of two things:

    >
    >> * A graceful tool for managing a common pool of public keys, one that allows a
    >> user or manager to delete and add keys. A good GUI, such as a webmin module,
    >> would be ideal, but I haven't seen one.

    >
    >> * Kerberize things: Set up Kerberized access, on the base RHEL 5 operating
    >> systems and Windows clients that I'm using, to manage the account based access
    >> without using Subversion stored clear-text local passwords. RHEL 5 has OpenSSH
    >> 4.x.

    >
    >> Has anyone pursued either of these to completion, or pursued it even on a more
    >> modern operating system, such as Fedora or Ubuntu?

    >
    > You said you have RHEL 5. Do you also have CentOS systems? If so,
    > you should ask this question of the CentOS discussion and information
    > mailing list (www.centos.org -> Mailing Lists). A lot of sysadmins
    > post there. In fact, you might try just reading the archives.
    >


    I've got both, and for this kind of work, they're nearly identical. I've
    deployed Beowulf clusters with CentOS effectively, so know it quite well. The
    Subversion on RHEL is out of date, and I use the more recent, well-maintained
    subversion-1.5.2 from RPMforge, anyway.