On Monday, February 5, 2018 at 12:29:15 PM UTC+1, (unknown) wrote:
>
> Hello Stefan, thanks for your answer.
>
> Shortly, our internal security team asked us to move our svn server,
> exposed on the internet at the moment, behind a firewall that requires a
> two-factor authentication: user and password, as usual, plus a 10-digit
> numeric pin that changes every 60 seconds.
>
> Our change request for tortoisesvn concerns the possibility of inserting
> the third field, besides user and password, which allows us to "trespass"
> the 2FA of the firewall, and, obviously, disable credential saving.
> Obviously we must also implement something that permits tortoise to
> "dialogue" with the firewall to make it accept the user / password / 2FA
> values. FYI our firewall is a Fortigate.
>
First: disabling the auth cache in TSVN would lead to a horrible user experience. You'd have to enter your credentials several times for even simple commands and dialogs. For example, many commands that you might think only do one thing actually contact the repository several times. Even for a simple update TSVN first asks the repository for the HEAD revision. Which means you'd have to enter your credentials twice for an update. And the repo browser would be completely unusable because for every folder in the repository a separate request is made to the repository.

Second: Since the firewall and the repository are not on the same IP, handling this would itself be very unsafe. Meaning while you try to make it more secure you open up another security issue. Not really the best way to do this.

Third: If you would consider configuring your firewall so that once a user is authenticated subsequent connections won't require re-authentication for I'd say at least an hour, then this could be done without a change to TSVN: you could implement a pre-connect hook script/exe. TSVN calls such a script before every connection to the repository: you could show a dialog in that script where the user has to enter the code for the FW, authenticate on the FW and return from the script. Then the normal connection and authentication on the repository is done the usual way.

--
You received this message because you are subscribed to the Google Groups "TortoiseSVN-dev" group.
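
A sketch of the pre-connect hook described in the third point, added here as an example; it is not code from the thread or from TortoiseSVN. Assumptions: the marker file path, the one-hour lifetime, a site-specific login command given as the hook's arguments that reads the code on stdin and exits 0 on success, and a non-zero exit code meaning failure.

```python
import subprocess
import sys
import time
from pathlib import Path

SESSION_SECONDS = 3600  # assumption: firewall keeps a login open for an hour
MARKER = Path.home() / ".fw_preconnect_last_ok"  # hypothetical marker file


def session_is_fresh(marker, now, lifetime=SESSION_SECONDS):
    """True if the last recorded firewall login is still within the lifetime."""
    try:
        last_ok = float(marker.read_text().strip())
    except (OSError, ValueError):
        return False  # missing or corrupted marker: authenticate again
    return 0 <= now - last_ok < lifetime  # future timestamps count as stale


def ask_code():
    """Show a small dialog for the code; the input is masked."""
    import tkinter
    from tkinter import simpledialog
    root = tkinter.Tk()
    root.withdraw()
    code = simpledialog.askstring("Firewall", "Code:", show="*")
    root.destroy()
    return code or ""


def login_via_command(code, cmd):
    """Pass the code on stdin; argv would expose it in process listings."""
    return subprocess.run(cmd, input=code.encode(), timeout=30).returncode == 0


def run_hook(marker, prompt, authenticate, now=None):
    """Return the exit code: 0 lets the connection proceed, 1 signals failure."""
    now = time.time() if now is None else now
    if session_is_fresh(marker, now):
        return 0  # no prompt while the firewall session should still be open
    code = prompt().strip()
    well_formed = code.isascii() and code.isdigit() and len(code) == 10
    if not well_formed or not authenticate(code):  # PIN is 10 numeric digits
        return 1
    marker.write_text(repr(now))  # store only the time, never the code
    return 0


if __name__ == "__main__":  # arguments after the script name: login command
    sys.exit(run_hook(MARKER, ask_code,
                      lambda c: login_via_command(c, sys.argv[1:])))
```

The marker holds only a timestamp, so nothing reusable is written to disk, and a failed or malformed code never refreshes it.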

