[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] Add FAQ item regarding ssh forwarding

From: Justin Erenkrantz <jerenkrantz_at_apache.org>
Date: 2002-08-30 20:47:39 CEST

I'm not 100% sure we want to mention this, but if we do, here's
a FAQ entry. -- justin

* www/project_faq.html: Add question/answer about paranoid admins.

Index: www/project_faq.html
--- www/project_faq.html
+++ www/project_faq.html Fri Aug 30 11:45:40 2002
@@ -33,6 +33,8 @@
 <li><a href="#repository">How do I create a repository? How do I
     import data into it?</a></li>
 <li>What if I'm behind a proxy?</li>
+<li><a href="#paranoid">My admins don't want me to have a HTTP server for
+ Subversion. What can I do if I still want remote usage?</a></li>
@@ -302,6 +304,73 @@
 <p>and maybe the proxy will let you through.</p>
+<h3><a name="paranoid"/>My admins don't want me to have a HTTP server for
+ Subversion. What can I do if I still want remote usage?</h3>
+<p>If you previously used CVS, you may have used SSH to login to the
+CVS server. The preferred solution would be to use ra_dav combined
+with an Apache HTTP server configured with mod_ssl and appropriate
+authentication support. This should provide enough security for most
+users. However, we realize that there are places that do not allow
+adding servers of any kind with external connectivity.</p>
+<p>There has been work on a ra_pipe implementation that would work
+similarly to the CVS_RSH mechanism, but it is not currently complete.
+If you wish to contribute to its development, you are more than
+welcome to do so!</p>
+<p>However, another solution that can be used instead is to leverage
+SSH port forwarding to connect to the protected server via ra_dav.
+You would connect via SSH to a machine behind your firewall that can
+access your Subversion server. Note that this SSH server does
+<b>not</b> have to be the same as where Subversion is installed. It
+can be, but it doesn't have to be.</p>
+<p>Then, you create a local port forward that connects to the HTTP
+server that houses your Subversion repository. You would then
+'connect' to the Subversion repository via this local port. Then,
+the request will be sent 'tunneled' via SSH server to your Subversion
+<p>An example: a Subversion ra_dav setup is behind your company firewall
+at (call it svn-server.example.com). Your company allows SSH
+access via publicly accessible ssh-server.example.com. Internally, you
+can access the Subversion repository via
+<p><i>Example</i>: client connecting to ssh-server with port-forwarding
+and checking out via the port forward</p>
+% ssh -L 8888:svn-server.example.com:80 me@ssh-server.example.com
+% svn checkout http://localhost:8888/repos/ours
+<p>Note that your svn-server.example.com could also have its httpd
+instance running on an unpriviliged port by a non-trusted user. This
+will allow your Subversion server not to require root access.</p>
+<!-- Can you use svn switch to switch your WC between your internal and
+ external Subversion server? I think so. -->
+<p>Joe Orton notes</p>
+The server is sensitive to the hostname used in the Destination header
+in MOVE and COPY requests, so you have to be a little careful here - a
+"ServerAlias localhost" may be required to get this working properly.
+<p>Some links on SSH port forwarding</p>
+<li><a href="http://www.onlamp.com/pub/a/onlamp/excerpt/ssh_11/index3.html"
+<li><a href="http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/"
+<li>TTSSH: A Win32 SSH client capable of port forwarding</li>

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Aug 30 20:48:26 2002

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.