[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Security features, path based authorization in subversion

From: John Peacock <john.peacock_at_havurah-software.org>
Date: Tue, 26 Aug 2008 09:37:08 -0400

Vincent Lefevre wrote:
> Information given in this file is a bit incorrect. Yesterday I tried
> what is said (note: I also have a normal shell account, but just wanted
> to use the --tunnel-user feature to be able to see from what machine I
> do the commits), with no success, and I spent a few hours to determine
> what was going on. The problem is that
>
> ssh -i /path/to/private/key/file
>
> will not necessarily select the specified key.

I use it all the time and it works fine. What the ssh-tricks file
doesn't make obvious is that you have to use *both* a dedicated key[1]
*and* specify the username for the svnserve user that isn't the same as
your own account name on that box. Without that second step, ssh will
helpfully log you into your shell account (since that key will be
available and match) and not the svnserve account (which would only
match the keyfile passed on the commandline).

So the steps are these:

1) create an account that runs svnserve (and owns the repository files),
named 'svn' for demonstration purposes;

2) append your public key to the 'svn' user's authorized_keys file with
the appropriate extra bits:

> command="/path/to/svnserve -t -r /repository/root --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 COMMENT1

(that's all on one line without the leading '> ' obviously)

3) reference the repository URL with the local-to-the-repo username

        $ svn co svn+ssh://svn@server/path/to/project

(or see below).

HTH

John

1) Actually, the 'ssh-tricks' file is incorrect in that you don't have
to have a dedicated ssh key for svnserve purposes (though that is
strongly recommended). As long as you specify the username to log in as
(either as part of the URL or with the '-l' ssh option), you can use the
same identity file for both purposes.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-08-26 15:37:33 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.