
Kerberos for Subversion

Girish Mandhania

Feb 4, 2010, 4:27:25 PM
to kerb...@mit.edu
Hello,
I am working for a university and have Kerberos installed on our server. I
wish to use Kerberos authentication of Subversion (change management
application) on Linux.
Could you please help me with the clear list of steps to be followed, as I
am not able to find relevant information on the web.
Let me know if any more details are required.

Cheers.

Bjørn Tore Sund

Feb 6, 2010, 5:38:50 PM
to kerb...@mit.edu

Assuming you've got subversion running behind Apache you use
mod_auth_kerb in exactly the same way you would any other Apache
location where you want authentication.

http://modauthkerb.sourceforge.net/

-BT
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn...@it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.

Edward Murrell

Feb 6, 2010, 4:20:21 PM
to kerb...@mit.edu
Hi,

Kerberos isn't specifically built into SVN, it's handled by the carrier
protocol, which is usually SSH or HTTP. Depending on what you're using,
you'll need to set up Kerberos in OpenSSH or your webserver.

OpenSSH already has Kerberos/GSSAPI support. In most cases, it's a
matter of turning it on.

If you are using HTTP and the Apache webserver, there's a module called
mod_auth_kerb that does Kerberos authentication for you.

Cheers,
Edward

On Thu, 2010-02-04 at 15:27 -0600, Girish Mandhania wrote:
> Hello,
> I am working for a university and have Kerberos installed on our server. I
> wish to use Kerberos authentication of Subversion (change management
> application) on Linux.
> Could you please help me with the clear list of steps to be followed, as I
> am not able to find relevant information on the web.
> Let me know if any more details are required.
>
> Cheers.
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


Ken Raeburn

Feb 7, 2010, 3:39:40 PM
to Girish Mandhania, kerb...@mit.edu
On Feb 4, 2010, at 16:27, Girish Mandhania wrote:
> Hello,
> I am working for a university and have Kerberos installed on our server. I
> wish to use Kerberos authentication of Subversion (change management
> application) on Linux.
> Could you please help me with the clear list of steps to be followed, as I
> am not able to find relevant information on the web.
> Let me know if any more details are required.

I think the usual approach has two relatively simple parts, which can be deployed and tested separately:

1) Use svn+ssh (subversion over ssh) for repository access.

2) Use a Kerberos/GSSAPI-enabled ssh, which is probably available in whatever packaging system you have available for your distribution.

If your developers don't currently have accounts on the subversion server, you can set up accounts that only allow one command, "svnserve", to be run.

Ken

Greg Hudson

Feb 8, 2010, 1:15:21 PM
to Edward Murrell, kerb...@mit.edu
On Sat, 2010-02-06 at 16:20 -0500, Edward Murrell wrote:
> Kerberos isn't specifically built into SVN, it's handled by the carrier
> protocol, which is usually SSH or HTTP. Depending on what you're using,
> you'll need to set up Kerberos in OpenSSH or your webserver.

Actually, as of Subversion 1.5, svnserve and ra_svn (the "svn://"
prefix, as opposed to "svn+ssh") can use Cyrus SASL. So you can
conceivably use Kerberos authentication with any of the network
transports (http, svn, or svn+ssh). If you want to use the built-in
ra_svn support, the following may be of use:

http://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt

I've never personally set it up that way. You may have better luck
getting support on the Subversion users list if you run into problems.


Greg Troxel

Feb 10, 2010, 9:02:35 AM
to Bjørn Tore Sund, kerb...@mit.edu

Bjørn Tore Sund <bjorn...@it.uib.no> writes:

> On 2/4/10 10:27 PM, Girish Mandhania wrote:
>> Hello,
>> I am working for a university and have Kerberos installed on our server. I
>> wish to use Kerberos authentication of Subversion (change management
>> application) on Linux.
>> Could you please help me with the clear list of steps to be followed, as I
>> am not able to find relevant information on the web.
>> Let me know if any more details are required.
>
> Assuming you've got subversion running behind Apache you use
> mod_auth_kerb in exactly the same way you would any other Apache
> location where you want authentication.
>
> http://modauthkerb.sourceforge.net/

That makes the server take passwords and validate them against the
Kerberos database, or else requires for browser-side access the
Negotiate mechanism. It seems bad practice to send one's Kerberos
password to the server (or perhaps worse, to have svn store it), so
obviously the only reasonable thing to do is use Negotiate.

neon seems to have a gssapi option - does that work from svn with
modauthkerb?
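
An added example, not written by any poster in this thread: a mod_auth_kerb configuration for a mod_dav_svn location that accepts only Negotiate, so the server never receives a Kerberos password. mod_auth_kerb enables both Negotiate and password checking by default, so the password method has to be switched off explicitly. The location, repository path, realm and keytab path are assumed placeholders.

```apache
# Constructed example: /svn, /var/svn/repo, EXAMPLE.EDU and the keytab path
# are placeholders, not values from this thread.
<Location /svn>
    DAV svn
    SVNPath /var/svn/repo

    # Refuse plain HTTP for this location (mod_ssl).
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Subversion (Kerberos)"
    KrbAuthRealms EXAMPLE.EDU
    # Keytab holding the HTTP/<server-fqdn>@EXAMPLE.EDU service key;
    # it must be readable by the Apache user and by nobody else.
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf/svn-http.keytab

    # Weak setting (also the module default when the line is absent):
    #   KrbMethodK5Passwd on
    # With it on, a client that does not answer the Negotiate challenge is
    # offered Basic authentication, and the server validates the submitted
    # Kerberos password against the KDC itself.
    #
    # Corrected setting: ticket-based Negotiate (SPNEGO/GSSAPI) only.
    KrbMethodNegotiate on
    KrbMethodK5Passwd off

    Require valid-user
</Location>
```

With `KrbMethodK5Passwd off`, a client without a usable ticket or without Negotiate support gets a 401 instead of a password prompt.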

Sysmen DEI

Feb 11, 2010, 10:06:14 AM
to kerb...@mit.edu
On 02/04/2010 10:27 PM, Girish Mandhania wrote:
> Hello,
> I am working for a university and have Kerberos installed on our server. I
> wish to use Kerberos authentication of Subversion (change management
> application) on Linux.
> Could you please help me with the clear list of steps to be followed, as I
> am not able to find relevant information on the web.
> Let me know if any more details are required.
>
> Cheers.
My standard Subversion installation is based on:
- apache mod_dav_svn mod_authz_svn
- mod_authn_kerb (mod_auth_kerb patched by me, inspired by mod_authn_pam)
- svn <location> protected by HTTPS mod_ssl
- svnmanager.org php webapp to manage svn access/repository (patched by
  me to get both Kerberos and "external" users in .htpasswd file)
- websvn.tigris.org php webapp for better repository browsing

Main advantages are:
- external collaborators don't need to be in our Kerberos
- there are no filesystem ownership/acl headaches or svn running as root
  because all svn files are owned by apache user
- svn external users management can be delegated to Svnmanager admins.

Regards
Valerio Pulese
