
Re: Questions Re. Appendix G. Securing Svnserve using SSH

From: Simon Large <simon.tortoisesvn_at_googlemail.com>
Date: Wed, 16 Jul 2008 21:21:37 +0100

2008/7/16 Jeff <jsbmsu_at_gmail.com>:
> Okay, now I've been testing. Let's say my account is harry, and my
> friend wants to go by sally. And let's say my repository is a
> directory called repos/, located at:
> /path/that/contains
>
> So, I create a file /home/harry/.ssh/authorized_keys containing:
> command="svnserve -t -r /path/that/contains/ --tunnel-user=sally",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa PUBKEY Sally-SVN
>
> Now, if I do a checkout/commit on the URL
> "svn+ssh://harry@server.myuniv.edu/repos/projectname/trunk", everything works as
> expected. The log shows sally as the author of any modifications made
> under this scheme. So, if Sally has the private key for PUBKEY, then
> she'll be able to use my repository.
>
>
> But what if there are multiple repositories in /path/that/contains? I
> might want to restrict Sally from accessing one of them, and it has
> been proposed by Simon (I think) that I accomplish this by using
> svnserve.conf.
>
> Well I don't really know how one goes about controlling just the
> authorization after connecting via SSH. My thought was to try putting
> "password-db = passwd" in svnserve.conf, but not having a line in
> passwd for sally. That way it might try to enforce the user list, but
> find no sally, and revoke an attempt to access via harry's SSH account
> with --tunnel-user=sally. But this had no effect. Sally can still
> connect just fine.
>
> So is it even possible to control access to the repositories with
> svnserve.conf under this SSH/public-key scheme? Or, (Simon) were you
> implying that I have only a single repository and use an auth file to
> control access to paths inside of the repository? I don't think that
> would be a desirable approach for us...

Each repository has a config file (svnserve.conf) which can specify an
authz file. You can have a separate authz file for each repository or
you can make all repos refer to the same one. The sample authz file in
any repository will show you how it works. There are details in the
Subversion book too.

Simon

-- 
: ___
: oo // \\ "De Chelonian Mobile"
: (_,\/ \_/ \ TortoiseSVN
: \ \_/_\_/> The coolest Interface to (Sub)Version Control
: /_/ \_\ http://tortoisesvn.net
Received on 2008-07-16 22:21:43 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
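
The per-repository authz setup described in the reply, written out as an added example that is not part of the original thread. It assumes a second repository named `private` next to `repos` under `/path/that/contains` (a hypothetical name) and uses a separate authz file in each repository's `conf/` directory.

```ini
# --- /path/that/contains/repos/conf/svnserve.conf
# Repository that Sally is allowed to use.
[general]
anon-access = none
auth-access = write
# Relative paths are resolved against this conf/ directory.
authz-db = authz

# --- /path/that/contains/repos/conf/authz
# "sally" is the name supplied by --tunnel-user in authorized_keys.
[/]
harry = rw
sally = rw

# --- /path/that/contains/private/conf/svnserve.conf
# "private" is a hypothetical second repository under the same -r root.
[general]
anon-access = none
auth-access = write
authz-db = authz

# --- /path/that/contains/private/conf/authz
# No rule names sally, and the catch-all grants nothing,
# so her tunnelled connection is refused for this repository.
[/]
harry = rw
* =
```

In tunnel mode SSH has already authenticated the connection, so `password-db` is not consulted; the authz rules are matched against the `--tunnel-user` name instead.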