
Re: [PATCH] Add FAQ item regarding ssh forwarding

From: Karl Fogel <kfogel_at_newton.ch.collab.net>
Date: 2002-08-30 21:33:50 CEST

Justin Erenkrantz <jerenkrantz@apache.org> writes:
> I'm not 100% sure we want to mention this, but if we do, here's
> a FAQ entry. -- justin

It's come up before, so I think it's worth mentioning. +1 on
committing it.

-K
 
> * www/project_faq.html: Add question/answer about paranoid admins.
>
> Index: www/project_faq.html
> ===================================================================
> --- www/project_faq.html
> +++ www/project_faq.html Fri Aug 30 11:45:40 2002
> @@ -33,6 +33,8 @@
> <li><a href="#repository">How do I create a repository? How do I
> import data into it?</a></li>
> <li>What if I'm behind a proxy?</li>
> +<li><a href="#paranoid">My admins don't want me to have a HTTP server for
> + Subversion. What can I do if I still want remote usage?</a></li>
> <p>
> <strong>Troubleshooting:</strong>
> </p>
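
Review bot: The added table-of-contents entry reads "a HTTP server"; it should be "an HTTP server", and the same wording is repeated in the <h3> heading of the second hunk, so both need the fix together. The anchor name "paranoid" also gives no hint of what the answer covers; a name that mentions SSH forwarding would be easier to find and to link to.
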
> @@ -302,6 +304,73 @@
> </pre>
>
> <p>and maybe the proxy will let you through.</p>
> +
> +<![CDATA[=========================================================]]>
> +
> +<h3><a name="paranoid"/>My admins don't want me to have a HTTP server for
> + Subversion. What can I do if I still want remote usage?</h3>
> +
> +<p>If you previously used CVS, you may have used SSH to login to the
> +CVS server. The preferred solution would be to use ra_dav combined
> +with an Apache HTTP server configured with mod_ssl and appropriate
> +authentication support. This should provide enough security for most
> +users. However, we realize that there are places that do not allow
> +adding servers of any kind with external connectivity.</p>
> +
> +<p>There has been work on a ra_pipe implementation that would work
> +similarly to the CVS_RSH mechanism, but it is not currently complete.
> +If you wish to contribute to its development, you are more than
> +welcome to do so!</p>
> +
> +<p>However, another solution that can be used instead is to leverage
> +SSH port forwarding to connect to the protected server via ra_dav.
> +You would connect via SSH to a machine behind your firewall that can
> +access your Subversion server. Note that this SSH server does
> +<b>not</b> have to be the same as where Subversion is installed. It
> +can be, but it doesn't have to be.</p>
> +
> +<p>Then, you create a local port forward that connects to the HTTP
> +server that houses your Subversion repository. You would then
> +'connect' to the Subversion repository via this local port. Then,
> +the request will be sent 'tunneled' via SSH server to your Subversion
> +server.</p>
> +
> +<p>An example: a Subversion ra_dav setup is behind your company firewall
> +at 10.1.1.50 (call it svn-server.example.com). Your company allows SSH
> +access via publicly accessible ssh-server.example.com. Internally, you
> +can access the Subversion repository via
> +http://svn-server.example.com/repos/ours.</p>
> +
> +<p><i>Example</i>: client connecting to ssh-server with port-forwarding
> +and checking out via the port forward</p>
> +
> +<pre>
> +% ssh -L 8888:svn-server.example.com:80 me@ssh-server.example.com
> +% svn checkout http://localhost:8888/repos/ours
> +</pre>
> +
> +<p>Note that your svn-server.example.com could also have its httpd
> +instance running on an unpriviliged port by a non-trusted user. This
> +will allow your Subversion server not to require root access.</p>
> +
> +<!-- Can you use svn switch to switch your WC between your internal and
> + external Subversion server? I think so. -->
> +
> +<p>Joe Orton notes</p>
> +<pre>
> +The server is sensitive to the hostname used in the Destination header
> +in MOVE and COPY requests, so you have to be a little careful here - a
> +"ServerAlias localhost" may be required to get this working properly.
> +</pre>
> +
> +<p>Some links on SSH port forwarding</p>
> +<ul>
> +<li><a href="http://www.onlamp.com/pub/a/onlamp/excerpt/ssh_11/index3.html"
> +>http://www.onlamp.com/pub/a/onlamp/excerpt/ssh_11/index3.html</a></li>
> +<li><a href="http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/"
> +>http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/</a></li>
> +<li>TTSSH: A Win32 SSH client capable of port forwarding</li>
> +</ul>
>
> <![CDATA[=========================================================]]>
>
>
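
Review bot: The example "ssh -L 8888:svn-server.example.com:80 me@ssh-server.example.com" forwards to port 80, so SSH protects only the leg from the client to ssh-server.example.com, and the request (with any HTTP authentication) travels as plain HTTP from there to svn-server.example.com. The answer should say so explicitly, since its first paragraph recommends mod_ssl and a reader may assume the tunnel gives the same end-to-end protection. Smaller points in the same hunk: "unpriviliged" should be "unprivileged", "by a non-trusted user" presumably means a non-root user and should say that, the HTML comment about svn switch leaves an open question in the page and should be answered or dropped before commit, and Joe Orton's note would help more if it said that the "ServerAlias localhost" line goes in the Apache configuration of the server hosting the repository.
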
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Fri Aug 30 21:53:50 2002

This is an archived mail posted to the Subversion Dev mailing list.
