
Re: SVN+SSH avoiding password

From: Thomas Harold <tgh_at_tgharold.com>
Date: Thu, 19 Jun 2008 13:07:54 -0400

gec9_at_swissonline.ch wrote:
> Hi
>
> This is taken from
> http://svnbook.red-bean.com/en/1.0/ch06s03.html#svn-ch-6-sect-3.3 :
>
> "If you want to prevent ssh from repeatedly asking for your password,
> you'll need to use a separate memory-caching tool like ssh-agent on a
> Unix-like system, or pageant on Windows."
>
> It means that every Windows-user of SVN (via TortoiseSVN) should
> follow these steps, in order to avoid typing the password every time:
> 1) Install pageant.exe and generate SSH public key and private key
>    with puttygen.exe.
> 2) Copy the public key on the (Linux) SVN-server in
>    .ssh/authorized_keys. Of course, every user needs an account on
>    the SVN-server.
>
> There are 500 users! I am the SVN-admin. Is there any easier / faster
> way to avoid typing the password every time if we insist on using
> "svn+ssh" instead of "svn"? I am not really happy to spend so much
> time and effort just to avoid typing a password.
>

It's generally a one-time deal, unless your users constantly lose keys
and need you to replace the old one in the authorized_keys file. Which
is better than constantly resetting passwords as they lock themselves
out - or users saying "screw it" and not using SVN at all resulting in
lost/duplicate work.

Also, it provides a lot more security because you can assign users to
unix groups and limit access to the SVN repository folders based on
membership. If you're using separate user accounts for each of the 500
users. (Which is how we prefer to do it. Our first line of defense is
unix file permissions.)

Just make sure you prefix your SSH keys in the authorized_keys file with:

command="/usr/bin/svnserve -t -r /var/svn",no-agent-forwarding,no-pty,no-port-forwarding,no-X11-forwarding

Which prevents them from getting to a shell or doing other things with
their password-less private key. You can also use the "--tunnel-user
username" option to use a single unix account for everyone and make the
lines in the authorized_keys file pass a username to the svnserve program.

(Setting up SSH no-password access in Windows is extremely useful and
well worth the time spent. You can have Pageant load the private key as
soon as the person logs in, which is one less thing that can go wrong or
that the user can forget.)

Received on 2008-06-19 19:08:33 CEST
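
For the 500-user case discussed in this thread, the following added example (not part of the archived mail and not Subversion's own code) generates one restricted authorized_keys line per user in the --tunnel-user form and audits an existing file for keys that lack the restrictions. The helper names svn_key_line and audit_keys, the username character whitelist and the accepted key types are assumptions; the svnserve path, repository root and option list are the ones given in the reply.

```shell
#!/bin/sh
# Added example (not from the post): build and audit locked-down svn+ssh keys.
SVNSERVE=/usr/bin/svnserve   # svnserve path as given in the post
SVNROOT=/var/svn             # repository root as given in the post
RESTRICT=no-agent-forwarding,no-pty,no-port-forwarding,no-X11-forwarding

# svn_key_line USER PUBKEY_FILE  (hypothetical helper)
# Prints one authorized_keys line forcing svnserve for that key.
svn_key_line() {
    user=$1 keyfile=$2 ktype= kdata= kcomment=
    # Reject names that could break out of the quoted command="..." string.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "bad username: $user" >&2; return 1 ;;
    esac
    # Expect the one-line OpenSSH format "type base64 [comment]". PuTTYgen's
    # "Save public key" writes a multi-line SSH2 file, which is rejected here.
    read -r ktype kdata kcomment < "$keyfile" || [ -n "$ktype" ] || return 1
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "not a one-line OpenSSH key: $keyfile" >&2; return 1 ;;
    esac
    case $kdata in
        ''|*[!A-Za-z0-9+/=]*) echo "bad key data: $keyfile" >&2; return 1 ;;
    esac
    printf 'command="%s -t -r %s --tunnel-user=%s",%s %s %s %s\n' \
        "$SVNSERVE" "$SVNROOT" "$user" "$RESTRICT" "$ktype" "$kdata" "$user"
}

# audit_keys FILE  (hypothetical helper)
# Prints the line number of every key not locked to svnserve; returns 1 if any.
audit_keys() {
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        # Options are everything before the key type.
        opts=${line%% ssh-*}; opts=${opts%% ecdsa-*}
        ok=1
        case $opts in 'command="'"$SVNSERVE"' -t '*) ;; *) ok=0 ;; esac
        for opt in $(echo "$RESTRICT" | tr ',' ' '); do
            case ",$opts," in *",$opt,"*) ;; *) ok=0 ;; esac
        done
        [ "$ok" -eq 1 ] || { echo "$n"; bad=1; }
    done < "$1"
    return "$bad"
}
```

Run svn_key_line once per collected public key and append the output to the shared account's authorized_keys file; run audit_keys on that file after any manual edit.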

This is an archived mail posted to the Subversion Users mailing list.
