On Sun, 5 Dec 2004 10:26:36 -0600, Ben Collins-Sussman wrote:
>
>On Dec 5, 2004, at 10:09 AM, Gili wrote:
>
>>
>> Well, the only reason I am even running Subversion this way is
>> because there doesn't seem to be a better way to run it through a SSH
>> tunnel. Ideally I want a single Subversion server running in daemon
>> mode and authenticating all operations like you mentioned and have the
>> SSH client connect to the Subversion server using normal client
>> operations. Right now we are having the SSH client spawn a Subversion
>> server per connection which is far from ideal (for performance and
>> security reasons).
>>
>> Isn't there a way for us to do this?
>>
>> 1) SSH server and Subversion server running in deamon mode
>> 2) User connects to the server using SSH client
>> 3) User invokes svn client operations on the remote connection
>>
>>
>
>Sure there is. Start 'svnserve -d' on a server behind some firewall,
>then have all your users set up ssh-encrypted 'tunnels' through the
>firewall, to port 3690 on your server. This ssh tunnelling technique
>works for essentially every server-process in the universe; it's not
>an svn-specific solution at all. It's described in this FAQ:
>
> http://subversion.tigris.org/project_faq.html#paranoid
>
>of course, the annoyance with this is (1) teaching your users to set up
>tunnels with 'ssh -L', (2) being prompted for BOTH ssh and svnserve
>authentication.
>
>I have to ask: is it critical that all data passing over the link be
>encrypted? If not, your life would be a heck of a lot simpler just
>using 'svnserve -d' and the built-in authentication it supports. Leave
>ssh out completely.
>
>Or, if it's critical that the link be encrypted, use apache/SSL as your
>server.
So ideally I'd want to stick the following in a script:
ssh -L <blah>
svn <command>
ssh <disconnect>
So it would enable port-forwarding, run a command, disconnect
all automatically for me. Two questions:
1) How do I pick a random local open port to pass into -L? I don't want
to keep the port-forwarding beyond the scope of a single transaction.
2) How does one "disconnect" a specific port-forward?
Thanks,
Gili
Received on Sun Dec 5 19:08:11 2004