
Re: Questions Re. Appendix G. Securing Svnserve using SSH

From: Jeff <jsbmsu_at_gmail.com>
Date: Wed, 16 Jul 2008 12:05:03 -0700 (PDT)

Okay, now I've been testing. Let's say my account is harry, and my
friend wants to go by sally. And let's say my repository is a
directory called repos/, located at:
/path/that/contains

So, I create a file /home/harry/.ssh/authorized_keys containing:
command="svnserve -t -r /path/that/contains/ --tunnel-user=sally",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa PUBKEY Sally-SVN

Now, if I do a checkout/commit on the URL
"svn+ssh://harry@server.myuniv.edu/repos/projectname/trunk", everything works as
expected. The log shows sally as the author of any modifications made
under this scheme. So, if Sally has the private key for PUBKEY, then
she'll be able to use my repository.

But what if there are multiple repositories in /path/that/contains? I
might want to restrict Sally from accessing one of them, and it has
been proposed by Simon (I think) that I accomplish this by using
svnserve.conf.

Well I don't really know how one goes about controlling just the
authorization after connecting via SSH. My thought was to try putting
"password-db = passwd" in svnserve.conf, but not having a line in
passwd for sally. That way it might try to enforce the user list, but
find no sally, and revoke an attempt to access via harry's SSH account
with --tunnel-user=sally. But this had no effect. Sally can still
connect just fine.

So is it even possible to control access to the repositories with
svnserve.conf under this SSH/public-key scheme? Or, (Simon) were you
implying that I have only a single repository and use an auth file to
control access to paths inside of the repository? I don't think that
would be a desirable approach for us...

Received on 2008-07-16 21:08:32 CEST
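
Added example (not part of the original message and not Subversion or OpenSSH code): a small audit of authorized_keys entries like the one in the message, reporting the svnserve root, the --tunnel-user name and any of the four restriction options that are missing. The sample lines are constructed, with PUBKEY as the placeholder from the message; the function names are hypothetical, and only the -r PATH and --tunnel-user=NAME spellings used in the message are recognised.

```python
import shlex

# Restriction options from the entry in the message (option names are case-insensitive).
REQUIRED = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def parse_entry(line):
    """Split one authorized_keys line into (options dict, key type, comment)."""
    i, in_q = 0, False
    if not line.startswith(KEY_PREFIXES):
        # The options field ends at the first whitespace outside double quotes.
        while i < len(line) and (in_q or not line[i].isspace()):
            if line[i] == "\\" and in_q:
                i += 1  # skip the escaped character
            elif line[i] == '"':
                in_q = not in_q
            i += 1
    opts, field, start, in_q = {}, line[:i], 0, False
    for j, ch in enumerate(field + ","):
        if ch == '"' and field[j - 1:j] != "\\":
            in_q = not in_q
        elif ch == "," and not in_q:
            name, _, val = field[start:j].partition("=")
            if len(val) > 1 and val[0] == val[-1] == '"':
                val = val[1:-1].replace('\\"', '"')
            if name:
                opts[name.lower()] = val
            start = j + 1
    rest = line[i:].split(None, 2) + [""] * 3
    return opts, rest[0], rest[2]

def audit(line):
    """Summarise an svnserve forced-command entry; None for anything else."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    opts, _keytype, comment = parse_entry(line.strip())
    argv = shlex.split(opts.get("command", ""))
    if not argv or not argv[0].endswith("svnserve"):
        return None  # an ordinary login key, not an svnserve tunnel key
    root = next((b for a, b in zip(argv, argv[1:]) if a == "-r"), None)
    user = next((a.split("=", 1)[1] for a in argv if a.startswith("--tunnel-user=")), None)
    # OpenSSH's "restrict" option turns on all of the individual restrictions at once.
    missing = set() if "restrict" in opts else REQUIRED - set(opts)
    return {"comment": comment, "tunnel_mode": "-t" in argv, "root": root,
            "tunnel_user": user, "missing": sorted(missing)}

# Constructed samples: the entry from the message, and a weaker variant of it.
FULL = ('command="svnserve -t -r /path/that/contains/ --tunnel-user=sally",no-port-forwarding,'
        'no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa PUBKEY Sally-SVN')
WEAK = 'command="svnserve -t -r /path/that/contains/ --tunnel-user=sally",no-pty ssh-rsa PUBKEY Sally-SVN'
```

Calling audit(FULL) reports no missing restrictions, while audit(WEAK) lists the three forwarding options that the weaker entry leaves enabled.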

This is an archived mail posted to the TortoiseSVN Users mailing list.
