On 8/11/13 2:07 AM, Chad Perrin wrote:
> So . . . let's say I have a server (running FreeBSD, and I'll probably
> be setting this up in a jail) and a router that can forward ports
> (already has SSH forwarded to this server). For argument's sake, let's
> say we're confined to only one port per protocol. What's the quick/easy
> way to get Fossil set up so a small team can push/pull/sync multiple
> Fossil repositories on the server without having shell accounts? The
> connection should be encrypted so that nobody can sniff usernames and
> passwords when people are syncing, the users should preferably all be
> using different credentials (not the same username/password combination,
> in other words), and I should not have to pay any money to any third
> parties (ISPs, certifying authorities, et cetera) as part of this.

I have been using a combination of self-signed certificates, apache and fossil for a long time and have been very happy with it. (Apache is configured to only allow connections with full certificate chain verification).

Apache is configured to set REMOTE_USER to the CN-field of the certificate's subject, and the fossil repository is configured to get username from REMOTE_USER.

So the only thing the users need to do is to place the CA, their certificate and key in a Good Place, and then set up fossil to use them. If the users will be accessing the web ui via a web-browser they will need to make the appropriate configurations to their web browsers as well.

The users don't have to enter a password other than to unlock their local private key. (As a matter of policy; if they have the key on encrypted partitions they don't even have to do that).

I use apache's access management tools to configure which users/groups can access which repositories.

The only part of the whole configuration which I found to be annoying was the generation of certificates/keys (the openssl command line tool and online manual is at times very unfriendly). Other than that, it was pretty much a breeze.

If this is something you're interested in, then I can post more detailed instructions on how to set it up.

/Jan
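
The certificate step described in the message above, as an added example that is not part of the original post: a private CA issues a client certificate whose CN is the username, and a check shows that the CN is only accepted when the chain verifies against that CA. The helper function names and the values `team-ca`, `other-ca`, `alice` and `Example Team` are made up for illustration.

```shell
#!/bin/sh
# Added example: private CA plus per-user client certificates (constructed names).
# -nodes leaves the keys unencrypted for this demo; drop it to set a passphrase.

# make_ca DIR NAME: self-signed CA key and certificate
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Team/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA USER [OUT]: key and certificate for USER signed by CA.
# The subject CN carries the username the server will see.
issue_cert() {
    out=${4:-$3}
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Team/CN=$3" \
        -keyout "$1/$out.key" -out "$1/$out.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$out.csr" -days 365 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$out.crt" 2>/dev/null
}

# remote_user_for CA_CERT CLIENT_CERT: print the subject CN, but only if the
# client certificate chains to CA_CERT; otherwise return non-zero.
remote_user_for() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" team-ca && issue_cert "$d" team-ca alice
    # Same CN, different CA: must not be accepted as "alice".
    make_ca "$d" other-ca && issue_cert "$d" other-ca alice alice-other
    echo "team CA:  REMOTE_USER=$(remote_user_for "$d/team-ca.crt" "$d/alice.crt")"
    remote_user_for "$d/team-ca.crt" "$d/alice-other.crt" ||
        echo "other CA: rejected, same CN but not signed by team-ca"
    rm -rf "$d"
}
demo
```

Because the username comes straight from the CN, whoever holds the CA key can mint a certificate for any user, so that key belongs off the server.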

