On Mon, Feb 22, 2021 at 3:25 PM Yasuhito FUTATSUKI
<futat...@yf.bsdclub.org> wrote:
>
> Hello,
>
> On 2021/02/23 2:40, CoolCold wrote:
> > Good day!
> > (please CC me, I'm not subscribed to the list)
> >
> > A bit of context:
> > I was using subversion to store my serves' configs versioned for
> > almost a decade, with bash wrapping around it. Simplified, it had repo
> > per server name, wrapper called by cron to checkout, rsync over,
> > commit changes back, sending email on diffs (
> > https://github.com/coolcold/svnbackup ). Had no issue with it, when
> > password store was enabled. It's runned under root user and saved
> > credentials are not exposed to non-admin users on the system.
> >
> > Issue: with recent changes hitting packages in distributions (
> > https://marc.info/?l=subversion-commits&m=154101482302608&w=2 ), that
> > seems to be not possible anymore.
> > I did adjust my script to use command line switch --password, but this
> > makes it visible for anyone who does simple commands like ps aux.
> > I've tried to look around for possible support of environment
> > variables / password file support, but couldn't find any except some
> > old proposals like
> > http://subversion.1072662.n5.nabble.com/Feature-proposal-SVN-USERNAME-and-SVN-PASSWORD-environment-variables-td180031.html
> >
> > Rebuilding subversion from source is not an option for many reasons.
> >
> > Seeking for your help on this, what is the proper way of doing this
> > with recent versions?
> > Thanks in advance.
>
> For this purpose, I'm just using svn+ssh:// with dedicated user on
> server side and public key authentication with empty pass phrase.
>
> e.g. svn+ssh://svn-ag...@svnhost.example.org/repo/
>
> On svnhost.example.org, authorized_key file for user svn-agent could be:
> [[[
> # only for svn agent via ssh. all lines shoud be started with following
> # command and option specification:
> command="/usr/bin/svnserve -t -r /base/path/to/repo
> --tunnel-user=root-on-hostA",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
> ssh-ed25519 (public key A) r...@hosta.example.org
> command="/usr/bin/svnserve -t -r /base/path/to/repo
> --tunnel-user=root-on-hostB",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
> ssh-ed25519 (public key B) r...@hostb.example.org
> ...
> ]]]
>
> Cf.
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks
>
> If you want to use ssh key other than default key or alternative tcp port
> other than 22, you can use them by overriding ssh tunnel setting with SVN_SSH
> environment variable or config file, etc. (Of course, if you want to use non
> standard port for ssh connection you also need to change configuration of
> sshd on server side).
>
> Cheers,
> --
> Yasuhito FUTATSUKI <futat...@yf.bsclub.org>
