Generally, you want to avoid sharing the same account for web and system, because if the web account is compromised, the door to the system will be wide open. Not only that, basic authentication by Apache sends the password in clear text, so any packet sniffer can easily decipher the login credentials.
However, there are cases where authenticating against system users does make sense, like when you have an SVN repository on the same server as your fileserver. You, or at least I, don’t want to maintain two separate user databases for your SVN and fileserver. It’s bad enough that the Samba account is using its own user database. Back to shadow authentication: fortunately, there are ways to minimize the security risk in doing that. One, you can deploy an SSL connection to the client. Two, you can leave the server unexposed to the rest of the world, keeping it safe behind the firewall. If a remote connection is needed, use a VPN.
Now that we got that out of the way, let’s deploy some kick-ass SVN system:
To make your life easier, do the installation in steps, making sure that each installation works before proceeding to the next step. One minute of checking will save you hours of troubleshooting if something were to go wrong. Here’s the order in which I got my system up:
- Install Apache2
- Enable SSL mod
- Install SVN
- Enable DAV mod
- Configure SVN over Apache
For steps 1 to 5, I somewhat followed this guide.
- Enable auth_shadow mod
  apt-get install libapache2-mod-auth-shadow
  a2enmod auth_shadow
- Re-configure the SVN using shadow authentication
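#... omitted
<Location /svn>
  # Serve every repository under the parent path through mod_dav_svn
  DAV svn
  SVNParentPath /var/svn/repository
  AuthType Basic
  # Check the supplied password against the system shadow file
  AuthShadow on
  AuthName "Subversion Repository"
  # Users not found in the htpasswd file are passed on to lower-level modules, here mod_auth_shadow
  AuthBasicAuthoritative off
  AuthUserFile /etc/apache2/htpasswd
  Order allow,deny
  Allow from all
  # Read-only methods stay anonymous; every other method needs a valid login
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
</Location>
#... omitted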
For steps 6 and 7, I give credit to http://www.howtoforge.com/apache_mod_auth_shadow_debian_ubuntu and http://adam.shand.net/iki/2008/apache_tips_and_tricks/ for giving me pointers.
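The configuration above does not itself tie the /svn location to SSL. As an added example (not part of the original post or the guides it credits), the same block can live inside the SSL virtual host with SSLRequireSSL, so the system passwords are only ever accepted over an encrypted connection. The server name and certificate paths are placeholders.

```apache
# Added example: the post's /svn block, bound to the SSL virtual host.
# ServerName and the certificate paths are placeholders, not values from the post.
<VirtualHost *:443>
    ServerName svn.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/svn.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/svn.example.com.key

    <Location /svn>
        DAV svn
        SVNParentPath /var/svn/repository

        # Forbid access unless the current connection is HTTPS. This guards
        # against the block later being copied into a non-SSL virtual host,
        # where Basic auth would carry shadow passwords in clear text.
        SSLRequireSSL

        AuthType Basic
        AuthShadow on
        AuthName "Subversion Repository"
        AuthBasicAuthoritative off
        AuthUserFile /etc/apache2/htpasswd

        Order allow,deny
        Allow from all

        # Same policy as the post: anonymous read, authenticated write.
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            Require valid-user
        </LimitExcept>
    </Location>
</VirtualHost>

# Keep <Location /svn> out of the port-80 virtual host and out of the
# global server config, so there is no clear-text route to the repository.
```

After reloading Apache, a request for /svn over plain HTTP should be refused rather than answered with a login prompt.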