I have a requirement to prevent external access to a repository without authorization. Does the username/password in the servers section of settings.xml work with Basic Auth? Are there other authentication methods that can be utilized?
The situation is this:
- The company is primarily a MS shop, and uses AD, which I believe is LDAP, as their user datastore.
- Company policy absolutely prevents non-company hardware from being directly connected to the internal network, including via VPN.
- There are approximately 70 developers working on this project, split fairly equally among internal company employees, on-site contractors who aren't allowed to connect to the internal network, and offshore developers.
- SCM is Subversion fronted by Apache that hits LDAP for auth.
- The proxy that I'm using to mirror "central" must be accessible to all developers. Currently, it resides on the internal company network, which prevents 60% of the developers from reaching it because they're either offshore or using hardware from their consulting firm.
- Equipment exists to host the release and snapshot internal repositories on the company DMZ, as well as the proxy, but both services must require authorization against LDAP.
- It is a requirement that artifacts be deployable without user interaction, including specifying usernames and passwords. It is allowable (and desirable) to have credentials in the settings.xml file, though.
- To cap all of this off, most or all of the equipment that we're discussing is being consolidated to the parent facility soon, but I'm just throwing that problem into the mix for the sympathy vote. :)

I've already had all the discussions about the issues surrounding the fact that legions of the company's developers aren't allowed access to

My plan is this:
1. Run a proxy or series of proxies fronted by Apache using Basic Auth connected to the internal company user datastore.
2. Run an FTP server as the means for deployment to the internal release and snapshot repositories and have the proxy point to the FTP directories. The FTP server would also need to validate against the internal company user datastore.

I would prefer to use SSH for security reasons, but my experience with deploying via SSH has produced the (possibly delusional) view that the only way to do so is to have everyone generate a keypair and install them on the SSH server. This would be a significant administrative headache due to the number of developers and their geographic dispersion. I'm not a security expert, so is there another SSH-ish or SSH-based solution that someone has used that would allow us to specify all the credential information in an individual user's settings.xml file to do unprompted deployment? It would need to not require that an administrator manage some authorized_keys2 file, so that user access could be granted and revoked using the centralized user datastore, and in order to improve on the FTP solution would need to encrypt keys. I had considered having a single private key and distributing that, and changing the key every time someone's authorization was removed, but that seemed very problematic to me.

Thanks,
Mykel

--
I'm just an unfrozen caveman software developer. I don't understand your strange, "modern" ways.
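An added example (not part of the original post) illustrating the first question above: how the username/password in a settings.xml `<server>` entry is turned into an HTTP Basic `Authorization` header on the client side, and what an LDAP-backed front-end such as the planned Apache proxy does with it on the way in. The settings.xml fragment, the repository id `internal-proxy`, the host `repo.example.com` and the credentials are all constructed for this example; the dict `USER_STORE` stands in for the company directory. The server-side decoder also shows the practical caveat: Basic credentials are base64-encoded, not encrypted, so a repository exposed in the DMZ needs TLS in front of it, and revocation works because every request is re-checked against the directory rather than against a key file.

```python
"""Maven settings.xml <server> credentials -> HTTP Basic Auth, both directions.

Added example; the XML, ids and credentials below are constructed, and the
in-memory USER_STORE stands in for the LDAP/AD directory the post describes.
"""
import base64
import hmac
import xml.etree.ElementTree as ET

# Constructed settings.xml fragment (not a real company's file).
SETTINGS_XML = """<settings>
  <servers>
    <server>
      <id>internal-proxy</id>
      <username>jdoe</username>
      <password>s3cret-example</password>
    </server>
  </servers>
  <mirrors>
    <mirror>
      <id>internal-proxy</id>
      <mirrorOf>central</mirrorOf>
      <url>https://repo.example.com/maven2</url>
    </mirror>
  </mirrors>
</settings>"""


def server_credentials(settings_xml, server_id):
    """Return (username, password) for the <server> whose <id> matches
    the repository or mirror id, as Maven does when choosing credentials."""
    root = ET.fromstring(settings_xml)
    for server in root.findall("./servers/server"):
        if server.findtext("id") == server_id:
            return server.findtext("username"), server.findtext("password")
    raise KeyError(server_id)


def basic_authorization_header(username, password):
    """Client side: the header value a Basic-auth client sends (RFC 2617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_header(header_value):
    """Server side: recover user and password from the header.

    This is plain base64, not encryption: anyone who can read the request
    on the wire gets the password, which is why the DMZ front-end must
    require TLS before accepting Basic credentials.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Stand-in for the directory (AD/LDAP) the front-end would bind against.
USER_STORE = {"jdoe": "s3cret-example"}


def authenticate(header_value, user_store=USER_STORE):
    """Return True if the header carries a credential the store accepts.

    Every request is checked against the current store, so removing a user
    from the directory revokes access immediately (no key file to rotate).
    A constant-time compare keeps the check from leaking via timing.
    """
    try:
        user, password = decode_basic_header(header_value)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = user_store.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def main():
    user, pw = server_credentials(SETTINGS_XML, "internal-proxy")
    header = basic_authorization_header(user, pw)
    print("Authorization:", header)
    print("recoverable from header:", decode_basic_header(header))
    print("accepted by front-end:", authenticate(header))
    print("accepted after user removed from directory:", authenticate(header, user_store={}))


if __name__ == "__main__":
    main()
```

Running the script prints the header Maven would send for the `internal-proxy` mirror, shows that the same header decodes straight back to the username and password, and shows the request being refused once the user is gone from the store, which is the revocation behaviour the post wants from a directory-backed front-end.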
