• SystemAdministration
• Systems
• Svn

• To Systems Overview

---

Systems - SVN

Basics

Purpose

The svn server, svn.cacert.org, serves as a version controlled repository for:

• Events
• Policy development
• Documentation
• and a bit of source code (to be moved to dev.cacert.org)

Physical Location

This system is located on a Debian Squeeze LXC container on physical machine Infra01.

Logical location

IP: 172.16.2.15 svn.intra.cacert.org

HTTP: via Tunix port forwarding associated with svn.cacert.org:443 and svn.cacert.org:80

Applicable Documentation

Team Leaders/ Officers control access to various parts of the repository

Administration

System Admin:

• Primary: Jan Dittberner

Services

Listening services

• port	service	access origin	purpose
  80	HTTP	ALL	web access point via HTTP (managed by Tunix)
  443	HTTPS	ALL	https write access via webdav and HTTPS read access (svn.cacert.org and cert.svn.cacert.org require client certificate authentication, nocert.svn.cacert.org is to allow username/password authentication)
  22	SSH	hopper	SSH access for remote administration, RSA host key fingerprint df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6

DNS

• A - svn.cacert.org
• CNAME - cert.svn.cacert.org
• CNAME - nocert.svn.cacert.org

Connected Systems

• Some connection to www.cacert.org as blog items show up there too.

Outbound network connections

• DNS (53) resolving nameserver 172.28.50.1
• emailout as SMTP relay
• ftp.nl.debian.org as Debian mirror
• security.debian.org for Debian security updates

Tasks

Access control

• Steps:
• Team Lead/Officer approval
• Apache digest password stored in /etc/apache2/dav_svn.passwd or Client certificates with matching E-Mail-Address in CN
• Access controls stored /etc/apache2/dav_svn.authz

Critical Configuration items

Apache configuration files

• /etc/apache2/sites-available/cert.svn.cacert.org

• /etc/apache2/sites-available/nocert.svn.cacert.org

• /etc/apache2/sites-available/default

Keys and Certificates

• /etc/apache2/ssl/svn.cacert.org.crt.pem server certificate (valid until May 17 18:35:10 2012 GMT)

• /etc/apache2/ssl/svn.cacert.org.key.pem server key

• /etc/apache2/ssl/cacert-certs.pem CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)

• /etc/apache2/ssl/cacert-chain.pem CAcert.org Class 1 certificate (certificate chain for server certificate)

/srv/svnrepo

The subversion repository

Changes

Planned

X509 Auth for policy

• Documentation Officer has endorced
• Waiting on Org-assurer word as to org-assurer policy stuff

Mail notifications

• commit hooks on policy to list?

References

• http://svnbook.red-bean.com/en/1.5/svn.reposadmin.html

• Client certs setup notes

• Setup notes for LXC container

Links

• https://svn.cacert.org/	client certificate authentication
  https://cert.svn.cacert.org/	client certificate authentication (alias)
  https://nocert.svn.cacert.org/	username/password authentication
  http://svn.cacert.org/	Read only access (as it was before)

---

CategorySystems