Hi,
I have a rather simple implementation plan, to handle a special response
with a 2FA challenge in the CLI, or by opening a browser window for auth,
then storing the session cookie next to the usual svn credentials.
I wrote up my plans in the dev mailing list, I'm happy to further
discuss it, before I submit my first implementation.
For the server side, I'm working out of this doc:
https://github.com/itemir/apache_2fa
Sharing a secret is a little fishy, but the basic idea is written up
correctly.
Do you think this won't work?
I'd love to hear about 2FA systems svn users would like to use, because
that might steer my solution in a slightly different direction.
Best regards,
Peter
On 2025. 04. 22. 17:56, Mark Phippard wrote:
Supporting this from a CLI is next to impossible. I would look at how
it is done with Git and see if it is possible to make the SVN CLI
directly use the Git Credential Manager:
https://github.com/git-ecosystem/git-credential-manager
You would then need to work backwards from there to an Apache solution
that goes with this. I think this mainly needs setting the
WWW-Authenticate header and then accepting a token back for
authentication. The Credential Manager will handle the process of
authenticating via MFA and getting back the token.
On Tue, Apr 22, 2025 at 11:49 AM Peter Balogh <pe...@svnplus.com> wrote:
Hi,
Andreas, can you please share more about this?
I've been looking for a solution for this for a while, but I only found
hacks like when entering your password, also add your OTP at the end
every time you do an svn operation.
Is a modern OTP or OAuth authentication possible with httpd and the svn
clients, that's not inconvenient or weird?
Best regards,
Peter
On 2025. 04. 22. 17:29, Andreas Stieger wrote:
Hello,
On 2025-04-22 16:37, Prasu S wrote:
Our team is using SVN as a version control tool for source code. We
are looking into implementing MFA. Does SVN have built-in MFA
capabilities? If so, can you please point me to the documentation? I
appreciate any help you can provide.
Apache Subversion (mod_dav_svn) supports all authentication options
supported by or built for Apache httpd. That includes multi-factor,
various mobile app authenticators, enterprise SSO and SSL client
certs. Start reading there. The point is that it is not built into
svn but httpd.
Andreas