May 19, 2008

Kerberized WebDAV Subversion

I recently switched to using Kerberos with Apache and DAV for authentication on svn.evil.ie. I use Heimdal Kerberos on my servers (running Ubuntu), but the configuration should be pretty similar for MIT KRB5.

Install some packages:
$ apt-get install libapache2-mod-auth-kerb libapache2-svn

Enable the modules:
$ a2enmod dav dav_svn auth_kerb

Extract a keytab for HTTP/your.host.name (this is Heimdal's ktutil syntax; with MIT you would use kadmin's ktadd instead):

$ ktutil -k /etc/apache2/http_svn.keytab get HTTP/your.host.name

Make sure your apache user can read the keytab:

$ chown root:www-data /etc/apache2/http_svn.keytab
$ chmod 640 /etc/apache2/http_svn.keytab

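Two things are worth verifying before wiring the keytab into Apache: that it really contains the HTTP/your.host.name principal (and at the kvno the KDC currently has), and that its mode and ownership match the root:www-data 640 layout above. The example below is added here and is not part of the original post; it parses the 0x0502 keytab file format that both Heimdal and MIT write, without retaining the key bytes, and audits the file's permissions. The keytab it builds is a constructed sample with a dummy all-zero key, and the principal and realm are the placeholders used on this page.

```python
import grp
import os
import stat
import struct
import tempfile

# Keytab file format 0x0502 (Heimdal and MIT), all fields big-endian:
#   uint16 version; then entries of: int32 size, uint16 num_components,
#   counted realm, counted components[], uint32 name_type, uint32 timestamp,
#   uint8 vno8, uint16 enctype, counted key, [uint32 vno if 4 bytes remain].
# A negative size marks a deleted slot of |size| bytes that must be skipped.


def _counted(b):
    return struct.pack(">H", len(b)) + b


def _take_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries):
    """Build an in-memory keytab from (principal, enctype, kvno, key) tuples."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                 # 32-bit kvno suffix
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return the entries of a keytab; only the key length is kept, never the key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _take_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take_counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        key, pos = _take_counted(data, pos + 2)
        kvno = vno8
        if end - pos >= 4:                # newer writers append the full kvno
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "%s@%s" % ("/".join(comps), realm.decode()),
                        "enctype": enctype, "kvno": kvno, "key_len": len(key)})
        pos = end
    return entries


def keytab_has_principal(data, principal):
    return any(e["principal"] == principal for e in parse_keytab(data))


def check_keytab_permissions(path, group="www-data"):
    """List what is wrong with the file's mode/ownership for the root:www-data 640 layout."""
    st = os.stat(path)
    problems = []
    if st.st_mode & stat.S_IROTH:
        problems.append("world-readable")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other")
    if not st.st_mode & stat.S_IRGRP:
        problems.append("group cannot read it, so Apache cannot either")
    if group is not None and grp.getgrgid(st.st_gid).gr_name != group:
        problems.append("group is not %s" % group)
    return problems


# Constructed sample: enctype 18 (aes256-cts-hmac-sha1-96), kvno 3, dummy key.
SAMPLE_KEYTAB = build_keytab([("HTTP/your.host.name@YOUR.REALM", 18, 3, b"\x00" * 32)])
# Same entry preceded by a 5-byte deleted slot, as left behind by ktutil remove.
SAMPLE_WITH_DELETED = b"\x05\x02" + struct.pack(">i", -5) + b"\x00" * 5 + SAMPLE_KEYTAB[2:]


def audit_sample(group=None):
    """Write SAMPLE_KEYTAB to a temp file and report problems at mode 644, then 640."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, SAMPLE_KEYTAB)
        os.close(fd)
        os.chmod(path, 0o644)
        loose = check_keytab_permissions(path, group)
        os.chmod(path, 0o640)
        tight = check_keytab_permissions(path, group)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    print(parse_keytab(SAMPLE_KEYTAB))
    print(audit_sample())
```

On a real server you would read /etc/apache2/http_svn.keytab into `parse_keytab` and call `check_keytab_permissions` with the default www-data group; `audit_sample` only exists so the check can be exercised against a throwaway file.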

Add the necessary bits to your Apache config:

<Location /svn>
    DAV svn
    SVNPath /usr/local/svn
    <LimitExcept PROPFIND GET OPTIONS REPORT>
        AuthName "Authentication Required"
        AuthType Kerberos
        KrbAuthRealms YOUR.REALM
        KrbServiceName HTTP
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        Krb5Keytab /etc/apache2/http_svn.keytab
        Require valid-user
    </LimitExcept>
</Location>

Using LimitExcept as above allows anonymous reading of the repository: the listed read-only methods need no credentials, while everything else (commits and other write operations) requires auth. If you're not OK with unauthenticated people accessing the repo, remove the LimitExcept tags so that every method requires a valid user.

KrbMethodK5Passwd on makes mod_auth_kerb fall back to a password prompt (HTTP Basic, checked against the KDC) if you don't have valid Kerberos credentials to present via Negotiate. That password travels over the HTTP connection, which is one more reason to use SSL.

The Apache user requires write access to SVNPath, or write operations will fail. Use of SSL is recommended at all times :)

Individual/group read/write access can be further restricted using the AuthzSVNAccessFile directive (from mod_authz_svn). Your auth file should specify usernames in the format username@YOUR.REALM, because mod_auth_kerb passes the full Kerberos principal, realm attached, as the authenticated user name; a bare "joeuser" entry will never match.
e.g.:

[/]
# '*' is the only wildcard the authz file understands: everyone, anonymous included
* = r
joeuser@YOUR.REALM = rw
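To see what the realm suffix does to access decisions, here is a small evaluator for the authz file format, added as an example and not part of the original post or of Subversion. It implements the parts that matter here: `[groups]`, per-path sections with most-specific path winning, `*`, `$authenticated`/`$anonymous`, and `@group` membership, with an explicit principal rule taking precedence over a group rule, which in turn beats `*` (a simplification of mod_authz_svn's behaviour; `~` negation and repository-qualified sections are only partly handled). The authz text, principals and realm are constructed sample data.

```python
import configparser

# Constructed sample authz file. Principals carry the realm because that is
# the user name mod_auth_kerb hands to Apache and hence to mod_authz_svn.
SAMPLE_AUTHZ = """
[groups]
devs = joeuser@YOUR.REALM, jane@YOUR.REALM

[/]
* = r

[/trunk]
@devs = rw

[/private]
* =
joeuser@YOUR.REALM = rw
"""


def parse_authz(text):
    """Return (groups, rules): group -> members, section -> {rule: perms}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str          # principals and realms are case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for g, members in cp["groups"].items():
            groups[g] = [m.strip() for m in members.split(",") if m.strip()]
    rules = {s: dict(cp[s]) for s in cp.sections() if s != "groups"}
    return groups, rules


def expand_group(groups, name, seen=()):
    """Flatten a group, following nested @group references without looping."""
    users = set()
    for m in groups.get(name, []):
        if m.startswith("@"):
            if m[1:] not in seen:
                users |= expand_group(groups, m[1:], seen + (name,))
        else:
            users.add(m)
    return users


def rule_rank(name, user, groups):
    """How specifically a rule names `user` (None = anonymous); -1 if it does not apply."""
    if name == "*":
        return 0
    if name in ("$authenticated", "$anonymous"):
        return 0 if (user is None) == (name == "$anonymous") else -1
    if name.startswith("@"):
        return 1 if user is not None and user in expand_group(groups, name[1:]) else -1
    return 2 if name == user else -1


def access(authz, user, path, repo=None):
    """Return 'rw', 'r' or '' for `user` on `path`, walking up to the closest section."""
    groups, rules = authz
    p = path
    while True:
        # A repository-qualified section wins over the unqualified one at the same path.
        for section in (["%s:%s" % (repo, p)] if repo else []) + [p]:
            if section not in rules:
                continue
            best_rank, perms = -1, ""
            for name, value in rules[section].items():
                rank = rule_rank(name, user, groups)
                if rank > best_rank:
                    best_rank, perms = rank, value
            if best_rank >= 0:            # some rule applied: this section decides
                return "".join(c for c in "rw" if c in perms)
        if p == "/":
            return ""                     # no rule anywhere: deny
        p = p.rsplit("/", 1)[0] or "/"


SAMPLE_RULES = parse_authz(SAMPLE_AUTHZ)

if __name__ == "__main__":
    for user in (None, "joeuser", "joeuser@YOUR.REALM", "jane@YOUR.REALM"):
        for path in ("/trunk/foo.c", "/private/secret"):
            print(user, path, repr(access(SAMPLE_RULES, user, path)))
```

The case to notice is `access(SAMPLE_RULES, "joeuser", "/trunk/foo.c")`: the bare name does not match the realm-qualified group member, so the developer silently drops to the anonymous `r` granted at `[/]` and every commit is refused.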
