
Re: Repository Not Found with svn:ssh

From: Thomas Harold <tgh_at_tgharold.com>
Date: 2007-06-07 17:31:32 CEST

Jerome Benezech wrote:
> Hi Thomas,
>
> You got me a bit confused. I mean, my config is now
> working with my svn server on Linux, started in
> tunneling mode and the Subclipse plugin as client on
> Win XP. But this works only with Subclipse plugin in
> Java mode (not JNI) and the svn client does not work.
> Anyway, this is enough for me to work but after
> reading your post, I wonder: is the svnserve in
> tunneling mode supposed to run on the server or on the
> client ?

When doing tunneling mode:

- The Windows client initiates a svn+ssh connection to the SVN Linux
server using a public key pair
- When the client connects to SSH on the Linux server, SSH looks at the
authorized_keys file.
- It sees that this key is limited to running "command=..."
- Instead of presenting you with a shell, the SSH server runs the
specified command instead
- So "svnserve -t" is running on the server as whatever user you
authenticated as (using the SSH key)
- The SVN client on the Windows box is now talking to the copy of
"svnserve -t" that is running on the SVN server

That's a loose translation of what happens when you use svn+ssh
tunneling. Instead of running a permanent svnserve daemon on the SVN
server, you're running instanced versions of svnserve in tunnel mode.
These copies are executing under user accounts (whichever user SSH'd in
and fired up "svnserve -t"). So if a tunneled svnserve connection were
to be used as a hack vector, the hacker would only be able to touch
whatever the user would be able to touch if they logged in to a command
shell.

.....

For the regular Win32 SVN client to work with svn+ssh, I'm pretty sure
that you have to have PuTTY and Pageant installed. Create a public key
pair in PuTTY, copy the public portion of the key up to the SVN server
and stick it in the ~/.ssh/authorized_keys file.

# su accountname
# cd /home/accountname
# mkdir .ssh
# chmod 700 .ssh
# cd .ssh
# cat > username@svn.pub
(paste in PuTTY key)
# ssh-keygen -i -f username@svn.pub >> authorized_keys
(that converts PuTTY's key format into something that OpenSSH can deal with)
# vi authorized_keys
(put the following on the front of the PuTTY SVN key)
command="/usr/bin/svnserve -t -r /var/svn",no-agent-forwarding,no-pty

Then, on the Windows client, load the private key into Pageant and leave
Pageant running in the system tray. We have a batch file that loads
keys when the user logs in. You will (probably) also need the following
2 environment variables:

SVN_ASP_DOT_NET_HACK=*
(use the dot-net-hack one if your SVN directories are _svn instead of
.svn on the windows box - if you do this, make sure that all of your
tools support using "_svn" folder names)

SVN_SSH=plink

Make sure that "C:\Program Files\PuTTY" is in your path so that SVN can
find the "plink" executable.

It's been a while since I've set up PuTTY, but I think those are the steps.

Received on Thu Jun 7 17:32:16 2007

This is an archived mail posted to the Subversion Users mailing list.
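
A check for the authorized_keys restriction described in the message above, as an added example that is not part of the original post: it parses each line's option field (commas inside command="..." included) and reports keys that are not pinned to "svnserve -t". The function names are hypothetical, and the no-port-forwarding, no-X11-forwarding and restrict checks are OpenSSH options that go beyond the two the post sets.

```python
import re

# Added example: parse_options/audit are illustrative names, not from the post.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
QUOTED = r'"(?:\\.|[^"\\])*"'  # double-quoted value, backslash escapes allowed
# The post sets no-pty and no-agent-forwarding; the other two are added here.
WANTED = {"no-pty", "no-agent-forwarding", "no-port-forwarding", "no-x11-forwarding"}

def parse_options(line):
    """Return {lowercase option name: value or None} for one authorized_keys line."""
    m = re.match(rf'(?:[^\s"]|{QUOTED})+', line)
    first = m.group(0) if m else ""
    if KEY_TYPE.match(first):  # line starts with the key type: no options
        return {}
    opts = {}
    # Split on commas that are outside quotes (command="..." may contain them).
    for item in re.findall(rf'(?:[^,"]|{QUOTED})+', first):
        name, _, val = item.partition("=")
        opts[name.lower()] = val.strip('"') if val else None
    return opts

def audit(line):
    """Return findings for one authorized_keys line (empty list means OK)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    opts, findings = parse_options(line), []
    cmd = opts.get("command")
    if cmd is None:
        findings.append("no forced command: key gets a login shell")
    elif not re.search(r"(^|/)svnserve\s+(.*\s)?-t(\s|$)", cmd):
        findings.append("forced command does not run svnserve -t")
    if "restrict" not in opts:  # 'restrict' (OpenSSH 7.2+) disables all of WANTED
        findings += ["missing " + o for o in sorted(WANTED - set(opts))]
    return findings

# Constructed sample lines; AAAA_PLACEHOLDER stands in for real key material.
SAMPLES = [
    'command="/usr/bin/svnserve -t -r /var/svn",no-agent-forwarding,no-pty '
    'ssh-rsa AAAA_PLACEHOLDER user@svn',
    'ssh-rsa AAAA_PLACEHOLDER admin@host',
    'restrict,command="/usr/bin/svnserve -t -r /var/svn" ssh-ed25519 '
    'AAAA_PLACEHOLDER user2@svn',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample) or "OK")
```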