[MINC-development] MINC and Subversion

Andrew Janke a.janke at gmail.com
Wed May 9 10:08:30 EDT 2007


> Now that I look it up, LDAP isn't necessary: apache_auth_pam would be
> happy to use the NIS accounts.
>
> SSL server I said and meant it.  SSL client certs I think is way
> overkill and was just pointing out that you can do whatever you want.
> Users logging in to SVN via http using their NIS accounts will be
> sending their BIC account info in plaintext across the internet.  Not
> really a great idea, IMHO - thus SSL server to encrypt the communication
> channel such that the account info is sent securely.
>
> As to how to handle internal and external users together: BIC accounts
> (NIS) for internal users and a separate htpasswd-type file for the
> external users should be fine.  You can load more than one auth module
> into apache, and if you use an auth block that's something like:
>
> AuthType Basic
> AuthName "secure area"
> AuthPAM_FallThrough on
> AuthUserFile /path/to/apache/passwd/passwords
> AuthGroupFile /path/to/apache/passwd/groups
>
> require group coders
> require valid-user
>
> Then it will try PAM (in our case, NIS) and if the user doesn't appear
> in NIS then it will fall through to the specified htpasswd-managed user
> and group files.

Thanks for this, all good food for thought, however I doubt that
certain individuals (JF! you aren't on MINC dev are you? :) would
agree to mixing NIS with apache, call it paranoia, I know myself I am
not keen on this.  But there is like a good compromise, do you know if
it is possible to limit module use to a subnet?

What I am thinking of is the following:

   1) we use svn + webDAV

   2) Access is via .htpasswd first and failing that, NIS+PAM+SSL

   3) BUT! restrict NIS+PAM+SSL to the BIC subnet only as is NIS currently

I also realise that .htpasswd is not all that secure (but quite secure
enough).  Is there a slightly better version of .htpasswd that works
in this instance via SSL?  Or is .htpasswd + SSL enough?

ta


a
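
The three-step policy proposed in the message above, modelled as a decision function. This is an added example, not part of the original post; the subnet, the accounts and the `fake_pam` stand-in are constructed, and it assumes htpasswd logins are accepted from any address.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed: a documentation-range subnet standing in for the BIC subnet.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


def sha_entry(password):
    """Build an htpasswd "{SHA}" hash (htpasswd -s): base64 of SHA-1.

    Unsalted; used here only because it needs no extra library.
    """
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


# Constructed htpasswd contents: one external user.
HTPASSWD = {"external_dev": sha_entry("constructed-password")}


def check_htpasswd(user, password):
    stored = HTPASSWD.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, sha_entry(password))


def fake_pam(user, password):
    """Stand-in for the PAM/NIS lookup (constructed account)."""
    return (user, password) == ("bic_user", "nis-password")


def authenticate(user, password, client_ip, tls, pam_check):
    """Return the backend that accepted the login, or None."""
    # Step 2: the htpasswd file is consulted first.
    if check_htpasswd(user, password):
        return "htpasswd"
    # Step 3: the PAM/NIS fallback is reachable only over SSL and only
    # from the internal subnet, so NIS passwords are never tried from outside.
    if tls and ipaddress.ip_address(client_ip) in INTERNAL_NET:
        if pam_check(user, password):
            return "pam"
    return None
```

A valid NIS login presented from outside the subnet, or from inside it without SSL, gets the same `None` as a wrong password, so the fallback is never consulted in those cases.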

