Looking for Subversion server-side SSH key manager


Morning, folks:

Subversion has long had a fundamental flaw in its Linux or UNIX
command line clients: like CVS, from which it evolved, it stores
passwords locally in the clear on the client side. Using SSH or HTTPS
authentication does not address this. Many good clients, such as
TortoiseSVN, use the local operating system's password storage, but
for Cygwin or Linux or UNIX clients, it's an amazingly fundamental
security problem.

The remaining more securable approaches are basically SSH based: the
"svn+ssh" approach normally has a designated SSH user on the server,
with SSH public keys stored under a particular account name on the
server (http://svnbook.red-bean.com/en/1.0/ch06s03.html ), with the SSH
keys set to restrict the operations usable by that shared account.

That's fine, but leaves the problem of "how do authenticated users
change or add new keys?" So I'm looking for an SSH key management
tool. Ideally a simple web GUI that allows a set of authenticated users
(such as Active Directory or Kerberos based password web
authentication) to set new SSH keys. Upload is fine: but given the
presence of Windows users and the interactions of Pageant-generated
SSH keys, I think that downloading the private keys would be easier,
and would allow forcing the user to have a passphrase-based key at
least to start out with.

Does anyone have such a tool already built, or something close to it?
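To make the svnbook arrangement concrete, here is an added example (my own shell script, not code from this thread, from Subversion, or from any existing key manager): it validates an uploaded public key and the requesting user name before writing the restricted authorized_keys entry for the shared account, and replaces that user's earlier entry so a re-upload rotates the key. The repository root /var/svn/repos and the key file path are assumptions; svnserve's -t, --tunnel-user and -r options are the real ones the svnbook chapter uses.

```shell
#!/bin/sh
# Added example, not code from the thread or from Subversion itself.
# It produces and installs the restricted authorized_keys entries that the
# svnbook chapter linked above describes for a shared svn+ssh account:
# every key is bound to a forced "svnserve -t --tunnel-user=NAME" command,
# so the shared account can only ever run svnserve, and commits are
# attributed to the tunnel user rather than to the shared account.
# Assumptions (not stated in the thread): repositories live under
# $SVN_ROOT, and the shared account's key file path is passed explicitly.

SVN_ROOT="${SVN_ROOT:-/var/svn/repos}"

# The tunnel user name is interpolated into a quoted forced command and
# becomes the recorded commit author, so only a conservative charset is
# accepted; anything else (quotes, spaces, shell metacharacters) is rejected.
svn_valid_user() {
  printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Accept exactly one OpenSSH public key line: key type, base64 blob and an
# optional comment, with no quotes or embedded newlines, which would let an
# uploaded "key" smuggle in a second, unrestricted authorized_keys line.
svn_valid_pubkey() {
  nl='
'
  case "$1" in
    *"$nl"*|*'"'*|*"'"*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .+)?$'
}

# Print the authorized_keys line for USER/PUBKEY, or fail with a message.
svn_key_entry() {
  user=$1
  pubkey=$2
  svn_valid_user "$user" || { echo "rejected user name: $user" >&2; return 1; }
  svn_valid_pubkey "$pubkey" || { echo "rejected public key for $user" >&2; return 1; }
  printf 'command="svnserve -t --tunnel-user=%s -r %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
    "$user" "$SVN_ROOT" "$pubkey"
}

# Install the entry into KEYFILE, replacing any earlier entry for the same
# user so that re-uploading a key rotates it instead of accumulating keys.
# Written via a temp file and mv so a half-written key file is never live.
svn_key_install() {
  user=$1
  pubkey=$2
  keyfile=$3
  entry=$(svn_key_entry "$user" "$pubkey") || return 1
  tmp="$keyfile.tmp.$$"
  {
    if [ -f "$keyfile" ]; then
      # grep -v exits 1 when nothing is left; that is not an error here
      grep -v -- "--tunnel-user=$user " "$keyfile" || :
    fi
    printf '%s\n' "$entry"
  } > "$tmp" || return 1
  chmod 600 "$tmp" && mv "$tmp" "$keyfile"
}

# Usage (paths are examples):
#   svn_key_install alice "$(cat alice.pub)" /home/svn/.ssh/authorized_keys
```

The user-name check is the part that matters most: whatever front end collects the keys, the name ends up inside a double-quoted `command=` option and in every commit log, so it has to be validated on the server rather than trusted from the upload form.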

Re: Looking for Subversion server-side SSH key manager

Header content ["Followup-To:" comp.os.linux.security.]

Erm. How would you like to store the Subversion password? Subversion must
be able to read it. If the password is encrypted in any way, Subversion
must ask the user for the decryption key. Otherwise everything could be
stored as plain text, since "encryption with a publicly known key" is no
encryption at all. "Windows password storage", whatever you are talking
about, is affected by exactly the same facts. It's just a matter of
reading the appropriate object from the system.

Secunia non olet.
Stanislaw Klekot
