On Mon, 2006-02-20 at 12:28 +0200, Ilias Lazaridis wrote:
> * User and Group accounts should be centralized in the overall project
> * other tools should use them, too - e.g. SVN access
> * keep administration simple and highly secured (e.g. SSH key only)
Let me explain what I have done; perhaps it will suit your needs as well. If you (or others) are interested, I'll write up how I've gotten all this working. It is not particularly difficult, but I couldn't find any good explanations of how to do it on the web...

I have trac and subversion both working through Apache. (I'm using Apache 2.2.0, so I'm using trac as a CGI rather than through mod_python -- so far it seems plenty fast enough.) All authentication for trac and Apache is done through HTTPS, with client SSL authentication. I have set up a personal certification authority for the purpose. There is no basic http authentication involved at all, so no need to monkey around with .htpassword files or anything like that (and no need to worry about passwords flying over the network in essentially cleartext).

As a result:

- no operating system account needs to be created for each user, which I believe strengthens the security model on the server;
- after a one-time SSL certificate setup, users are automatically authenticated to trac because their SSL key resides in their web browser;
- users are automatically authenticated to subversion as well, because the subversion client program is configured to be aware of their SSL key as well;
- because SSL is used for all communications, everything is as secure as it would be with SSH -- keeping in mind that OpenSSH relies on OpenSSL for all of its cryptographic operations.

Other project-related tools that can be accessed through Apache could also be secured using the same mechanism, of course.

Right now I have this set up in a very simplistic way: anonymous access is permitted through http (or through https without a client certificate). Anonymous users are not able to change subversion, but have the standard set of anonymous permissions in trac. Authenticated users have full permissions in subversion and enhanced capabilities in trac.
I believe (but have not looked into) that a standard subversion authorization file could be used via mod_authz_svn so that any arbitrary set of subversion permissions could be set up easily. Of course, the normal method of assigning trac permissions works fine using this scheme.

--
Brett Neumeier <[EMAIL PROTECTED]>

_______________________________________________
Trac mailing list
[email protected]
http://lists.edgewall.com/mailman/listinfo/trac
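As an added illustration of the arrangement described above (not Brett's configuration, which the message does not include), here is an Apache 2.2 layout that gives anonymous read access over http, and over https requires a certificate issued by the project's own CA for Trac login and for any Subversion write. The file paths, the CA name, and the assumption that SSLUserName populates REMOTE_USER for the Trac CGI are mine, not the message's.

```apache
# Assumed layout (not the poster's config): CA and certs under /etc/apache2/ssl,
# repositories under /var/svn, Trac environment at /var/trac/proj.
# Anonymous side: plain http, read-only Subversion, anonymous Trac permissions.
<VirtualHost *:80>
    ScriptAlias /trac /usr/share/trac/cgi-bin/trac.cgi
    SetEnv TRAC_ENV /var/trac/proj
    <Location /svn>
        DAV svn
        SVNParentPath /var/svn
        # Anything that is not a read method is refused outright.
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Location>
</VirtualHost>

# Authenticated side: https with a client certificate issued by the project CA.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # Only certificates signed directly by the project CA are accepted.
    SSLCACertificateFile  /etc/apache2/ssl/project-ca.crt
    SSLVerifyDepth 1
    # "optional": anonymous https visitors still get in; if a certificate is
    # presented it must validate, and SSL_CLIENT_VERIFY then reads SUCCESS.
    SSLVerifyClient optional
    # The certificate CN becomes the Apache user name (assumed here to reach
    # the Trac CGI as REMOTE_USER); StdEnvVars exposes SSL_CLIENT_* to the CGI.
    SSLUserName SSL_CLIENT_S_DN_CN
    SSLOptions +StdEnvVars

    ScriptAlias /trac /usr/share/trac/cgi-bin/trac.cgi
    SetEnv TRAC_ENV /var/trac/proj
    # Trac's login URL demands a verified certificate, so "Login" means
    # "present your certificate", never a password.
    <Location /trac/login>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>

    <Location /svn>
        DAV svn
        SVNParentPath /var/svn
        # Reads stay anonymous; every modifying method needs a verified cert.
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
        </LimitExcept>
    </Location>
</VirtualHost>
```

On the client side, the same certificate is handed to the Subversion client through `ssl-client-cert-file` (and, if the key is encrypted, `ssl-client-cert-password`) in `~/.subversion/servers`, which is what lets commits authenticate without a password prompt. Per-path rules can be layered on later with mod_authz_svn's `AuthzSVNAccessFile`, as the message suggests.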
