“svnbook” — 2005/4/14 — 14:55 — page 142 — #163
142 Chapter 10 Administrating the Repository
The problem with password authentication under Apache is that it only keeps unauthorized users from accessing the repository, but does nothing to protect the data as it travels between the server and client. The casual user is prevented from going through your repository, but determined attackers will have no problems capturing data in transit. Therefore, in order to tack on an added layer of security, it is a good idea to also use the Secure Socket Layer (SSL) to encrypt all data that travels over the network.
The first thing you need to do when enabling SSL for Apache is to make sure that the mod_ssl.so module is loaded into Apache when it starts. This is accomplished in Apache by calling LoadModule ssl_module mod_ssl.so somewhere in the Apache configuration files. In many cases, this will already exist in your base Apache install, but may need to have something defined in order to turn it on, such as by running Apache with a -D SSL option.
After you have SSL enabled in Apache, you need to set your repository share to require the use of SSL for communications. This is done simply by adding the SSLRequireSSL statement to your repository <Location>. So, the repository location from earlier would become:
<Location /myrepos>
    DAV svn
    SVNPath /srv/svnrepos
    AuthType Digest
    AuthName "My Subversion Realm"
    AuthDigestDomain /myrepos/
    AuthDigestFile /srv/svnrepos/svn-auth-file
    Require valid-user
    SSLRequireSSL
</Location>
Creating an SSL Certificate
SSL works on a trust-by-association mechanism for securely ensuring a site’s identity. Any site that uses SSL will have a certificate that identifies the site (name, IP address, domain, and so on). That certificate will then be digitally signed by a certificate authority that vouches for the certificate’s authenticity. That way, if someone attempts to intercept communications to your server by pretending to be you, he won’t have the proper signed certificate and the Web browser or Subversion client will warn the user that something is amiss.
Certificate authorities (CAs) come in two flavors. The first variety is the large commercial CA, such as Verisign or Thawte, which gives your certificate a wide trust base (for a hefty annual cost, in most cases). Then, there are locally created certificate authorities, usually generated for intranets, where trust can more easily be established. Additionally, you can also self-sign a certificate, which is by far the easiest approach to getting an SSL-protected server up and going, but it is also the most vulnerable to attacks that intercept data from clients and pretend to be your server (this is known as a man-in-the-middle attack).
If you want to set up SSL on your Web server, you need to set up some sort of SSL certificate. Dealing with a commercial CA and creating your own intranet CA are beyond the scope of this book. The steps toward creating a self-signed certificate are fairly simple though. If the number of developers accessing your repository is small (especially if they’re all on an intranet), this is probably sufficient.
10.1 Controlling Access to the Repository 143
The first step toward creating a certificate is to generate a private key, which will be stored locally and not be accessible to anyone else. The key is generated by using the openssl program, with the genrsa command. In its simplest form, the command takes the name of the encryption cipher to use (des3 in the following example), the number of bits to use (at least 1024), and a file to output the key into. To improve the security of your key, you should also provide a source of random data to be used when calculating the key. The best source to use is /dev/random (assuming you’re on a UNIX-like machine that has a /dev/random); but if that is not available, you can also enter a file that has been otherwise populated with random data, or even a list of randomly chosen files from your system, separated by colons.
When openssl genrsa is run, it asks you for a passphrase, which protects your key from unauthorized users, even if the key itself is compromised. The downside to the passphrase is that it needs to be typed every time the Web server is started (which is likely undesirable). Therefore, you will probably want to remove the passphrase from the file and ensure that the resulting private key file is only readable by the root user, which you can do by running the openssl rsa command.
$ openssl genrsa -des3 -rand /dev/random -out svnsrv.key 1024
$ openssl rsa -in svnsrv.key -out svnsrv.pem
After you have your key generated, you need to generate a certificate request, which could then be sent to a certificate authority for signing, or you can self-sign it (as I’ll show you how to do shortly). To generate the certificate request, you need to run the openssl req command, and give it your key. When the command runs, it asks you a number of questions about who you are, which are then included as a part of the signed certificate (and sent to clients that are trying to verify the certificate’s authenticity). You can fill in as many or as few of the fields as you would like.
$ openssl req -new -key svnsrv.pem -out svnsrv.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Indiana
Locality Name (eg, city) []:Terre Haute
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:William Nagel
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
After you’ve created the certificate request, you can then use that to create a self-signed certificate.
$ openssl req -x509 -days 365 -in svnsrv.req -key svnsrv.pem -out svnsrv.crt
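The whole key, request and self-signed certificate procedure above, as an added example that is not the book's own listing: it runs the steps without prompts and then performs the two checks an administrator should make before pointing Apache at the files, namely that the certificate really belongs to the stripped key and that the key file is readable by its owner only. The scratch directory, the passphrase stand-in and the DN values are assumptions, and the key size is raised from the book's 1024 bits to 2048.

```shell
#!/bin/sh
# Added example, not the book's commands. Assumptions: $WORK is a scratch
# directory, $PASS stands in for the passphrase prompt, the DN is made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-demo-passphrase}"

make_svn_cert() {
    cd "$WORK"
    # 1. Passphrase-protected RSA key. The book uses -des3 and 1024 bits;
    #    2048 bits is the smallest RSA size still considered acceptable.
    openssl genrsa -aes256 -passout pass:"$PASS" -out svnsrv.key 2048 2>/dev/null
    # 2. Strip the passphrase so httpd can start unattended, then make the
    #    stripped key readable by its owner only, as the text requires.
    openssl rsa -in svnsrv.key -passin pass:"$PASS" -out svnsrv.pem 2>/dev/null
    chmod 600 svnsrv.pem
    # 3. Certificate request, with the DN given on the command line
    #    instead of answered at the prompts shown above.
    openssl req -new -key svnsrv.pem -out svnsrv.req \
        -subj "/C=US/ST=Indiana/L=Terre Haute/CN=svn.example.com"
    # 4. Self-sign the request, exactly as in the book. Apache later reads
    #    svnsrv.crt via SSLCertificateFile and svnsrv.pem via SSLCertificateKeyFile.
    openssl req -x509 -days 365 -in svnsrv.req -key svnsrv.pem -out svnsrv.crt
}

# True when the certificate's public key really belongs to the private key;
# a key/certificate mix-up otherwise shows up only as an opaque httpd error.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# True when the file is readable and writable by its owner only (mode 0600).
owner_only() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# Subject CN of a certificate: the name the Subversion client compares
# against the host it connected to.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

if [ "${1:-}" = "run" ]; then
    make_svn_cert
    cert_matches_key "$WORK/svnsrv.crt" "$WORK/svnsrv.pem" && owner_only "$WORK/svnsrv.pem" \
        && echo "$(cert_cn "$WORK/svnsrv.crt"): key and certificate agree, key is 0600"
fi
```

Run it as `sh script.sh run`; the generated files land in $WORK.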