I need to implement a solution to secure SVN access using two factor authentication. Ideally I'd like to use Google Authenticator along with Basic auth. How would I proceed with implementing such a solution?
I'm considering developing a web proxy page that must first be authenticated to through a browser and once authenticated, follow on SVN commands would pass through. Does this seem feasible or is there a better solution?
Thanks!
These directions will work for Ubuntu 12.04. I should note that these directions were pulled from several different sources across the web. There was no definitive guide for getting this setup.
First, install updates and C/C++ compiler if it doesn't exist already:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install build-essential
Install Subversion and Apache:
$ sudo apt-get install subversion
$ sudo apt-get install libapache2-svn apache2
Enable SSL:
$ sudo a2enmod ssl
$ sudo vi /etc/apache2/ports.conf
In the open file change "NameVirtualHost *" to "NameVirtualHost *:443"
Generate Certificate:
$ sudo apt-get install ssl-cert
$ sudo mkdir /etc/apache2/ssl
$ sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Accept the localhost value for the cert by hitting enter
Create Virtual Host:
$ sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/svnserver
$ sudo vim /etc/apache2/sites-available/svnserver
In the open file change VirtualHost * to VirtualHost *:443
Add the following below the ServerAdmin tag in the opened file and then save and close:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
Enable the site:
$ sudo a2ensite svnserver
$ sudo vi /etc/apache2/apache2.conf
Add the following line to the open file, save, and close:
ServerName localhost
Restart Apache:
$ sudo /etc/init.d/apache2 restart
Adding a repository to SVN:
$ sudo mkdir /var/svn
$ REPOS=myFirstRepo
$ sudo svnadmin create /var/svn/$REPOS
$ sudo chown -R www-data:www-data /var/svn/$REPOS
$ sudo chmod -R g+ws /var/svn/$REPOS
Repeat everything but mkdir /var/svn to create additional repositories
Google Authenticator
Install PAM and download and build Google Authenticator:
$ sudo apt-get install libpam0g-dev
$ cd ~
$ sudo wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
$ sudo tar -jxf libpam-google*
$ cd libpam-google*
$ sudo make install
Google Auth Apache Module
Download and install Google Auth Apache Module:
$ wget https://google-authenticator-apache-module.googlecode.com/files/GoogleAuthApache.src.r10.bz2
$ sudo tar -jxf GoogleAuthApache.src.r10.bz2
$ cd google-authenticator*
$ sudo apt-get install apache2-prefork-dev
$ sudo vi Makefile
in the opened file, change line 1 to:
APXS=apxs2
then change line 7 to point to the location to install and save and close the file:
install: all
sudo cp .libs/mod_authn_google.so /usr/lib/apache2/modules/
Replace mod_authn_google.c with the code from r21 on the project site here: https://code.google.com/p/google-authenticator-apache-module/source/detail?r=21 (this is when true two-factor auth was added)
$ sudo make install
Setup two factor auth in Apache:
$ cd /etc/apache2/
$ sudo mkdir two-factor
$ sudo vi httpd.conf
Add the following line the opened file, save, and close:
Loadmodule authn_google_module /usr/lib/apache2/modules/mod_authn_google.so
$ sudo vi ports.conf
In the open file change to
$ cd /etc/apache2/mods-available
$ sudo vi dav_svn.conf
In the open file add the text below, save, and close:
<Location /svn>
DAV svn
SVNParentPath /var/svn
AuthType Basic
AuthName "Google Authenticator Code"
AuthBasicProvider "google_authenticator"
Require valid-user
GoogleAuthUserPath /etc/apache2/two-factor/
GoogleAuthCookieLife 3600
GoogleAuthEntryWindow 2
SSLRequireSSL
</Location>
Restart Apache:
$ sudo /etc/init.d/apache2 restart
At this point SVN, Apache, and Google Authenticator are configured. Now users can be added.
Adding Users
First, users need to be added as a system user so they show up appropriately in the Google Auth client
$ sudo adduser firstName.lastName --force-badname
$ sudo su - firstName.LastName
# google-authenticator
Google Authenticator will ask several questions. These should be reviewed based on the environment this is being deployed to.
Copy the URL that is printed after answering the first question - this is the URL for the QR code and used to add the key to your Google Auth client
# exit
$ cd /etc/apache2/two-factor
$ sudo cp /home/firstName.lastName/.google_authenticator firstName.lastName
$ sudo chown -R :www-data /etc/apache2/two-factor/
$ sudo chmod g+r firstName.lastName
$ sudo vi firstName.lastName
Modify the opened file to include a line similar to the below line, save, and close:
" PASSWORD=myTestPassword
Everything should now be configured. To login, browse to the URL and use the username, and password + 6 character Google Authenticator code.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With