Re: svnserve and launchd in OS X

From: Alan Barrett <apb_at_cequrux.com>
Date: 2006-09-22 09:11:34 CEST

On Thu, 21 Sep 2006, Nathaniel Irons wrote:
> We're moving away from SSH tunnels for svnserve, because we're adding
> svn users who don't have SSH access to the server. I thought using
> svnserve's own authentication would be superior to managing SSH keys
> and a dedicated subversion user.

I would make the opposite decision.

> We also appreciate having check-ins tagged with a user name, which I
> don't think is possible with a single-SSH-user scheme.

It's easy, but for some reason this doesn't seem to be well known.
Just add --tunnel-user=USERNAME to the arguments that sshd passes to
svnserve, as defined in the "command=" part of the line in the dedicated
subversion user's .ssh/authorized_keys file.

Assuming you use openssh on unix, or something with a similar
configuration file:

  1. Create a dedicated user to own the repository or multiple
     repositories. For example, user "svn", group "svn", home directory
     /home/svn.

  2. In the user's home directory, create a directory to contain
     the repositories. For example, {mkdir /home/svn/repos}. Each
     repository will be contained in a subdirectory of this directory.

  3. Create a repository using svnadmin. For example, {svnadmin create
     /home/svn/repos/reponame}.

  4. Create a .ssh directory, for example {mkdir /home/svn/.ssh}.

  5. In the .ssh directory, create an authorized_keys file. In the
     file, put one line per authorised user. Each line will contain an
     ssh public key, preceded by several additional parameters. The
     line will end up looking like this (broken onto several lines for
     readability here, but in reality it must be all on one very
     long line):

     command="/path/to/svnserve -t --tunnel-user=EXAMPLEUSER -r
     /home/svn/repos",no-port-forwarding,no-agent-forwarding,no-pty
     ssh-dss AAAABBBBexamplesshkeyEXAMPLESSHKEY== examplecomment

  6. The authorised users should now be able to access the repository
     using URLs like "svn+ssh://svn@server.example.org/reponame".
     However, a bug in the subversion client or libraries sometimes
     causes the "@" in the URL to get misinterpreted as marking a
     peg revision instead of marking a user name. If that happens,
     then configure the ssh client so that you can use URLs like
     "svn+ssh://example-org-svn/reponame". If you use the openssh
     client, add an entry like this to $HOME/.ssh/config for each user:

        Host example-org-svn
          Hostname server.example.org
          User svn

--apb (Alan Barrett)
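
The entry format from step 5, as an added example that is not part of the original mail: a shell helper that builds one `authorized_keys` line per user and an audit that flags any entry in the file that is not pinned to svnserve. The svnserve path, the function names and the sample keys in use are assumptions; the repository root and the three options are those shown in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. SVNSERVE and REPO_ROOT are
# assumed paths; the three options are the ones used in step 5.
SVNSERVE=${SVNSERVE:-/usr/bin/svnserve}
REPO_ROOT=${REPO_ROOT:-/home/svn/repos}
OPTS='no-port-forwarding,no-agent-forwarding,no-pty'
NL='
'
# valid_user NAME: true if NAME is safe inside command="..." (no quotes,
# spaces or leading dash, so it cannot add or end svnserve arguments).
valid_user() {
    case $1 in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# svn_key_line USER "KEYTYPE BASE64 [COMMENT]": print one authorized_keys line.
svn_key_line() {
    valid_user "$1" || { echo "bad user name: $1" >&2; return 1; }
    case $2 in
        *"$NL"*) echo "key for $1 spans several lines" >&2; return 1 ;;
        ssh-*' '*|ecdsa-*' '*) ;;   # bare public key, no options in front
        *) echo "key for $1 must start with its key type" >&2; return 1 ;;
    esac
    printf 'command="%s -t --tunnel-user=%s -r %s",%s %s\n' \
        "$SVNSERVE" "$1" "$REPO_ROOT" "$OPTS" "$2"
}

# svn_audit_keys FILE: print every entry that is not pinned to svnserve with
# a valid tunnel user and all three options; return 1 if any was found.
svn_audit_keys() {
    bad=0
    prefix="command=\"$SVNSERVE -t --tunnel-user="
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        ok=1
        rest=${line#"$prefix"}               # unchanged if the prefix is absent
        [ "$rest" != "$line" ] || ok=0
        cmd=${rest%%\"*}                     # "USER -r ROOT" up to closing quote
        user=${cmd%% *}
        valid_user "$user" && [ "$cmd" = "$user -r $REPO_ROOT" ] || ok=0
        opts=${rest#*\"}                     # text after the closing quote
        opts="${opts%% *},"                  # option field only, not the key
        for o in no-port-forwarding no-agent-forwarding no-pty; do
            case $opts in *",$o,"*) ;; *) ok=0 ;; esac
        done
        [ "$ok" -eq 1 ] || { printf 'NOT RESTRICTED: %s\n' "$line"; bad=1; }
    done < "$1"
    return "$bad"
}
```

Running `svn_audit_keys /home/svn/.ssh/authorized_keys` after each change catches a key that was pasted in without its `command=` prefix, which would otherwise give that key holder an ordinary login as the svn user.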

Received on Fri Sep 22 09:14:25 2006

This is an archived mail posted to the Subversion Users mailing list.