[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Determine repositor based on ssh host

From: Kalin KOZHUHAROV <kalin_at_thinrope.net>
Date: 2005-12-28 02:56:55 CET

Max Bowsher wrote:
> Clint Priest wrote:
>>>Hey there,
>>>I'm new to using subversion and it just rocks, quite amazing! I'm
>>>trying to figure out how I can do something similar to virtual hosting,
>>>except using ssh.
>>>Ideally I would like to be able to do something like:
>>>svn checkout svn+ssh://user@host1.example.com/project/trunk
>>>svn checkout svn+ssh://user@host2.example.com/project2/trunk
>>>Where host1.example.com and host2.example.com are really the same
>>>machine, however authenticating by the different host would select a
>>>different 'svnserve -r /path/to/repos' command.
>>>Can you think of any way to do this?
> The only possibility I can see is if the two hostnames actually resolve
> to separate IP addresses - i.e. IP-based virtual hosting, not name-based
> virtual-hosting. If this was the case, you could replace svnserve with a
> wrapper which looked at the SSH_CONNECTION environment variable.
A bit of debuggind and I think the above is not possible:
ssh -vvv XXX.XXXXXX.com -p 5555
debug3: Normalising mapped IPv4 in IPv6 address
  SSH_CLIENT=192.168.AAA.AAA 34040 5555
  SSH_CONNECTION=192.168.AAA.AAA 34040 192.168.BBB.BBB 5555
debug3: channel 0: close_fds r -1 w -1 e -1 c -1

Everyhting is converted to IP addresses.

Get your hands on PAM, possibly there is such a module already. Or you can write it yourself or have
it written by somebody.

A quick debug shows:
 # /usr/sbin/sshd -Dddd -p 5555
debug3: Normalising mapped IPv4 in IPv6 address
debug3: Trying to reverse map address 192.168.AAA.AAA.
debug1: PAM: setting PAM_RHOST to "XXX.XXXXXXXXX.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now

So, that PAM module should select a command to run based on PAM_RHOST.

Hmm, now that I read it again you ask for something else... the reverse actually.
So, the answer is no, you cannot do it short of using different ports. At least OpenSSH is a secure
system and it does not rely on DNS - all names are converted to IP addreses for security.
One way using PAM is to pass a variable from the client and use that on the server to distinguish
which hostname you want.

From `man ssh`

     Additionally, ssh reads ~/.ssh/environment, and adds lines of the format ``VARNAME=value'' to
the environment if the file exists and if users are allowed to change their environment. For more
information, see the PermitUserEnvironment option in sshd_config(5).

But I still think using ssh on a different port is the best solution, I use it some time.

On a side note, why do you want svn+ssh? Just go with https and you have the apache name based
virtual hosting for free :-)

That is, hope it helps.


|[ ~~~~~~~~~~~~~~~~~~~~~~ ]|
+-> http://ThinRope.net/ <-+
|[ ______________________ ]|
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Dec 28 02:59:49 2005

This is an archived mail posted to the Subversion Users mailing list.