Hi,

On Mon, 31 Mar 2025 at 13:09, Peter Balogh <pe...@svnplus.com> wrote:

> Hi,
>
> I'm working on a proof of concept to add multi-factor authentication to
> Subversion.
> I have multiple directions, and I'd like to get some feedback from this
> group before I head down the wrong road.
> Please let me know if I should read up on any of these; I did not find
> any recent conversation about these topics.
>

I think this is a very interesting concept!


>
> 1. One option would be to extend the existing Basic auth with another
> challenge. This would support standard TOTP without external connections.
> I couldn't find any standard way of communicating this through HTTP; my
> best solution would be to
>
> 1.A extend the 401 response with information that the system also needs
> a TOTP token.
> I've only found the realm string I can use for this without modifying
> the serf library.
>
> 1.B reject the username + password attempt with a different 401.
> This would have to be handled inside the serf library.
>

I don't see a problem modifying Serf if it is needed. Several of the
Subversion committers are also Serf committers and we can help there.


>
> 2. Provide an external login path instead of Basic auth. This would open up
> using OAuth or similar external providers, but a web-based provider
> could be run beside svn as well.
> The server would respond with a 30X response, and the cmdline could
> print the URL for the user to open, log in and return to the terminal
> after authentication.
> This would feel less native, but it is pretty common these days.
>

I like this idea - I guess this would open up to, for example, Microsoft
Entra.

Make sure to use the standard baton/callback method to communicate the
redirect URL to the client. This way GUI clients (for example TortoiseSVN)
can implement a more "native" solution to the redirect.


>
> All of the solutions above would result in an HTTP cookie that would be
> stored encrypted in the auth folder and sent with every subsequent request.
>

See existing discussions about storing the Basic auth password in the auth
folder. On Windows, there are APIs to encrypt the password linked to the
user profile. In general there is no such thing on Unix, but I assume it could
be stored in GNOME Keyring/KWallet/GPG agent.


>
> Do you have any thoughts or preferences about this?
> Do you see any technical or security issue with these?
>

I know very little about the technical details of authentication on the
HTTP level, but I think it would be good to adhere to existing standards as
much as possible instead of inventing something unique to Subversion. For
example, it would be good if this can be done across a forward/reverse proxy.

If this feature is enabled on a server, it would be impossible to
authenticate with an older client. Don't know if this is a compatibility
concern or not, but I think this addition would warrant new releases.

Kind regards,
Daniel
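Option 1 from the thread (Basic auth plus a TOTP challenge carried in the 401), sketched end to end as an added example. This is not Subversion or serf code, and it is in Python rather than C so both sides of the exchange fit in one file: the `totp="required"` auth-param, the `X-SVN-TOTP` request header, the realm text and the demo account are assumptions made for the sketch; the code arithmetic follows RFC 4226/RFC 6238 and is checked against the RFC test vectors. It also shows two things a server-side implementation needs that the thread does not mention: a replay guard so one code is accepted once, and running both factor checks unconditionally so timing does not reveal which one failed.

```python
"""Basic auth + TOTP challenge sketch (added example, not svn/serf code).

Assumptions: the ``totp="required"`` auth-param, the ``X-SVN-TOTP`` header,
the realm text and the demo account are inventions of this sketch."""
import base64
import hashlib
import hmac
import re
import struct

STEP_SECONDS = 30
# Hypothetical challenge: the realm carries a human-readable hint, and a
# separate auth-param lets a client detect the requirement without parsing prose.
CHALLENGE = 'Basic realm="Subversion repository (TOTP required)", totp="required"'


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed 30 s steps."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


_AUTH_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header: str) -> dict:
    """Split a WWW-Authenticate value into scheme and auth-params (RFC 7235 syntax)."""
    scheme, _, rest = header.strip().partition(" ")
    params = {k.lower(): q or t for k, q, t in _AUTH_PARAM.findall(rest)}
    return {"scheme": scheme, "params": params, "needs_totp": params.get("totp") == "required"}


def build_request(challenge: str, user: str, password: str, code: str) -> dict:
    """Client side: Basic credentials, plus the (hypothetical) TOTP header when asked."""
    headers = {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}
    if parse_challenge(challenge)["needs_totp"]:
        headers["X-SVN-TOTP"] = code
    return headers


class Account:
    """Constructed demo account: salted PBKDF2 password hash plus the shared TOTP secret."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = b"per-user-random-salt"  # os.urandom(16) per user in real code
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret
        self.last_counter = -1  # replay guard: each time-step counter is accepted once


def verify_login(acct: Account, password: str, code: str, now: int, window: int = 1) -> bool:
    """Accept only a correct password AND a fresh code within +/- ``window`` steps.
    Both checks always run, so the response time does not say which factor failed."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000), acct.pw_hash)
    counter = now // STEP_SECONDS
    matched = -1
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(acct.totp_secret, c).encode(), code.encode()):
            matched = c
    fresh = matched > acct.last_counter  # no match, a replay, or an older code all fail here
    if pw_ok and fresh:
        acct.last_counter = matched
        return True
    return False


def handle_request(headers: dict, acct: Account, now: int) -> tuple:
    """Server side: returns (status, response headers) for one request."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"WWW-Authenticate": CHALLENGE}
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return 401, {"WWW-Authenticate": CHALLENGE}
    code = headers.get("X-SVN-TOTP", "")
    if user == acct.username and verify_login(acct, password, code, now):
        return 200, {}
    return 401, {"WWW-Authenticate": CHALLENGE}


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 SHA-1 test secret
    acct = Account("peter", "correct horse", secret)
    now = 1111111109
    status, resp = handle_request({}, acct, now)  # first round trip: 401 + challenge
    req = build_request(resp["WWW-Authenticate"], "peter", "correct horse", totp(secret, now))
    print(status, handle_request(req, acct, now)[0])  # 401 200
    print(handle_request(req, acct, now)[0])  # 401: the same code replayed
```

The first `handle_request` call returns the challenge, the client parses it and attaches the code, and the second call succeeds; sending the identical request again is refused by the replay guard even though the code is still inside the time window. Note that with a separate request header the second factor still crosses any forward/reverse proxy unchanged, which is the proxy concern raised above.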
