Setting It Up

Required Packages

Configuration

HTTP with Kerberos Authentication

Extract the service keytab for HTTP.

# kinit $USER/admin
# kadmin ext -k /etc/apache2/krb5.keytab HTTP/`hostname`
# chown root:www-data /etc/apache2/krb5.keytab
# chmod 640 /etc/apache2/krb5.keytab

The auth_kerb module needs to know where the service keytab is. Specify this in /etc/apache2/mods-available/auth_kerb.conf.

# Keytab File
Krb5Keytab                      /etc/apache2/krb5.keytab

Disable and re-enable the module to get the correct symlinks in /etc/apache2/mods-enabled.

# a2dismod auth_kerb
# a2enmod auth_kerb

Subversion WebDAV

The options for the Subversion WebDAV module are set in <Location> blocks for the URI at which the repository should be accessible. There should be one block in a vhost without SSL, and a second in a vhost with SSL.

The options of interest that will be in both blocks are:

Dav
set this to svn, to indicate the Subversion WebDAV module should be used

SVNPath
set this to the location of the Subversion repository being served

AuthzSVNAccessFile
set this to the location of the authorization configuration file (usually will be SVNPath + /conf/authz)

The options that should go only in the block on the SSL-enabled vhost (since passwords may otherwise be transmitted in clear text) are:

AuthType
set this to Kerberos

AuthName
set this to some name for the repository

Require
set this to valid-user; the Subversion authorization module will take care of the real details
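
An added example, not taken from the club's actual configuration: the two <Location> blocks described above, side by side. The URI /svn, the repository path /srv/svn/repo, the AuthName string and the certificate paths are assumed placeholders.

```apache
# Plain-HTTP vhost: no Auth* directives, so no password is ever requested here.
<VirtualHost *:80>
    ServerName svn.club.cc.cmu.edu

    <Location /svn>
        DAV svn
        # Assumed repository path (placeholder).
        SVNPath /srv/svn/repo
        # No user is ever authenticated on this vhost, so only authz rules
        # that apply to "*" (everyone) can match.
        AuthzSVNAccessFile /srv/svn/repo/conf/authz
    </Location>
</VirtualHost>

# SSL vhost: the same three options, plus Kerberos authentication.
<VirtualHost *:443>
    ServerName svn.club.cc.cmu.edu
    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    /etc/ssl/certs/svn-placeholder.pem
    SSLCertificateKeyFile /etc/ssl/private/svn-placeholder.key

    <Location /svn>
        DAV svn
        SVNPath /srv/svn/repo
        AuthzSVNAccessFile /srv/svn/repo/conf/authz

        # mod_auth_kerb can fall back to prompting for the Kerberos password
        # (KrbMethodK5Passwd, on by default), which is why these directives
        # belong only on the TLS-protected vhost.
        AuthType Kerberos
        # Placeholder name shown in the password prompt.
        AuthName "Club Subversion"
        # Any authenticated principal passes here; per-path read/write
        # decisions are left to the authz file.
        Require valid-user
    </Location>
</VirtualHost>
```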

Running Apache with Tokens

Oh no, I think I've encountered PAG woes. Woe is me. Woe.

PAGs + PAM = Woe.

Using It

We have a Subversion repository, running on svn.club.cc.cmu.edu. It is accessible read-only through http, and read-write through https. We use mod_auth_kerb to allow Kerberos authentication for club users.

Services/Club Subversion (last edited 2007-11-02 00:29:49 by kbare)