On Thu, 21 Sep 2006, Nathaniel Irons wrote:
> We're moving away from SSH tunnels for svnserve, because we're adding
> svn users who don't have SSH access to the server. I thought using
> svnserve's own authentication would be superior to managing SSH keys
> and a dedicated subversion user.

I would make the opposite decision.

> We also appreciate having check-ins tagged with a user name, which I
> don't think is possible with a single-SSH-user scheme.

It's easy, but for some reason this doesn't seem to be well known.
Just add --tunnel-user=USERNAME to the arguments that sshd passes to
svnserve, as defined in the "command=" part of the line in the dedicated
subversion user's .ssh/authorized_keys file.

Assuming you use openssh on unix, or something with a similar
configuration file:

1. Create a dedicated user to own the repository or multiple
   repositories. For example, user "svn", group "svn", home directory
   /home/svn.

2. In the user's home directory, create a directory to contain
   the repositories. For example, {mkdir /home/svn/repos}. Each
   repository will be contained in a subdirectory of this directory.

3. Create a repository using svnadmin. For example, {svnadmin create
   /home/svn/repos/reponame}.

4. Create a .ssh directory, for example {mkdir /home/svn/.ssh}.

5. In the .ssh directory, create an authorized_keys file. In the
   file, put one line per authorised user. Each line will contain an
   ssh public key, preceded by several additional parameters. The
   line will end up looking like this (broken onto several lines for
   readability here, but in reality it must be all on one very
   long line):

       command="/path/to/svnserve -t --tunnel-user=EXAMPLEUSER -r /home/svn/repos",no-port-forwarding,no-agent-forwarding,no-pty
       ssh-dss AAAABBBBexamplesshkeyEXAMPLESSHKEY== examplecomment

6. The authorised users should now be able to access the repository
   using URLs like "svn+ssh://svn@server.example.org/reponame".
   However, a bug in the subversion client or libraries sometimes
   causes the "@" in the URL to get misinterpreted as marking a
   peg revision instead of marking a user name. If that happens,
   then configure the ssh client so that you can use URLs like
   "svn+ssh://example-org-svn/reponame". If you use the openssh
   client, add an entry like this to $HOME/.ssh/config for each user:

       Host example-org-svn
           Hostname server.example.org
           User svn

--apb (Alan Barrett)
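As an added example (not part of Alan Barrett's mail or of Subversion itself), the following Python script builds authorized_keys lines of the shape shown in step 5 and audits an existing authorized_keys file for entries that depart from the recipe: a key without a forced command (the holder gets a shell as "svn"), a command without --tunnel-user (commits get attributed to "svn" rather than the person), a missing -r root, or missing no-port-forwarding/no-agent-forwarding/no-pty restrictions. The svnserve path /usr/bin/svnserve, the root /home/svn/repos and the sample key lines are assumed or constructed values.

```python
"""Generate and audit ~/.ssh/authorized_keys entries for a single-account
svn+ssh setup (svnserve -t --tunnel-user=NAME -r ROOT, forced by sshd).

Added example; not code from the original mail. /usr/bin/svnserve,
/home/svn/repos and the sample keys below are assumed/constructed.
"""
import shlex

REQUIRED_OPTIONS = ("no-agent-forwarding", "no-port-forwarding", "no-pty")
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def authorized_keys_line(svn_user, pubkey, svnserve="/usr/bin/svnserve",
                         repos_root="/home/svn/repos"):
    """Build one authorized_keys line: forced svnserve in tunnel mode,
    commits stamped with svn_user, shell/forwarding/pty denied."""
    # The name is interpolated into a command string: allow a plain token only.
    if not svn_user.replace("-", "").replace("_", "").isalnum():
        raise ValueError("user name must be a plain token")
    cmd = "%s -t --tunnel-user=%s -r %s" % (svnserve, svn_user, repos_root)
    options = ['command="%s"' % cmd] + list(REQUIRED_OPTIONS)
    return "%s %s" % (",".join(options), pubkey.strip())


def split_first_field(line):
    """Return (first field, remainder); the field may hold quoted spaces."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:]
    return line, ""


def split_options(field):
    """Split the comma-separated options field, honouring double quotes."""
    parts, buf, quoted = [], [], False
    for ch in field:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_line(line):
    """Return (options, keytype, blob, comment) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = split_first_field(line)
    if first.startswith(KEY_TYPES):      # no options field at all
        options, rest = [], line
    else:
        options = split_options(first)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line")
    comment = fields[2] if len(fields) > 2 else ""
    return options, fields[0], fields[1], comment


def audit_line(line, repos_root="/home/svn/repos"):
    """Return the list of problems with one line; empty means it fits the recipe."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    options, keytype, _blob, _comment = parsed
    problems = []
    names = {o.split("=", 1)[0] for o in options}
    for required in REQUIRED_OPTIONS:
        if required not in names:
            problems.append("missing " + required)
    cmds = [o for o in options if o.startswith("command=")]
    if not cmds:
        problems.append("no forced command: key holder gets a shell as the svn user")
        return problems
    argv = shlex.split(cmds[0][len("command="):].strip('"'))
    if not argv or not argv[0].endswith("svnserve"):
        problems.append("forced command is not svnserve")
    if "-t" not in argv and "--tunnel" not in argv:
        problems.append("svnserve is not in tunnel mode (-t)")
    if not any(a.startswith("--tunnel-user=") for a in argv):
        problems.append("no --tunnel-user: commits will be attributed to the svn account")
    if "-r" in argv:
        idx = argv.index("-r")
        root = argv[idx + 1] if idx + 1 < len(argv) else ""
        if root != repos_root:
            problems.append("-r root is %r, expected %r" % (root, repos_root))
    elif not any(a.startswith("--root=") for a in argv):
        problems.append("no -r/--root: clients may name any repository path on the server")
    if keytype == "ssh-dss":
        problems.append("ssh-dss key: disabled by default since OpenSSH 7.0")
    return problems


def audit_file(text, repos_root="/home/svn/repos"):
    """Map line number -> problems for every line that has any."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        problems = audit_line(line, repos_root)
        if problems:
            report[number] = problems
    return report


# Constructed sample file; the key blobs are not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, keys are not real
command="/usr/bin/svnserve -t --tunnel-user=alice -r /home/svn/repos",no-port-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3exampleALICE alice@example.org
command="/usr/bin/svnserve -t -r /home/svn/repos",no-pty ssh-ed25519 AAAAC3exampleBOB bob@example.org
ssh-rsa AAAAB3exampleCAROL carol@example.org
"""

if __name__ == "__main__":
    print(authorized_keys_line("dave", "ssh-ed25519 AAAAC3exampleDAVE dave@example.org"))
    for number, problems in sorted(audit_file(SAMPLE_AUTHORIZED_KEYS).items()):
        print("line %d:" % number, "; ".join(problems))
```

Run it against the real file with `audit_file(open("/home/svn/.ssh/authorized_keys").read())`; a clean file returns an empty report. The parser honours the one quirk of the format that matters here, commas and spaces inside the quoted command= value, which a naive split on "," or " " would break.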
Received on Fri Sep 22 09:14:25 2006