[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Security features, path based authorization in subversion

From: Vincent Lefevre <vincent+svn_at_vinc17.org>
Date: Tue, 26 Aug 2008 13:59:35 +0200

On 2008-08-25 14:16:12 -0400, John Peacock wrote:
> See Trick #4 for details:
> http://svn.collab.net/repos/svn/trunk/notes/ssh-tricks

Information given in this file is a bit incorrect. Yesterday I tried
what is said (note: I also have a normal shell account, but just wanted
to use the --tunnel-user feature to be able to see from what machine I
do the commits), with no success, and I spent a few hours to determine
what was going on. The problem is that

  ssh -i /path/to/private/key/file

will not necessarily select the specified key. The -i option just
adds the identity to the list defined in the user's SSH config file
(in general, ~/.ssh/config), and as shown by "ssh -v", this new key
does *not* have the precedence. I didn't find any solution, except
the possible following one (not tested), which has some drawbacks:

At the beginning of the .ssh/config file (at least before Host *),
define a special host for svn access to the considered server, e.g.

Host svn-server
  Hostname real_server_hostname
  User ...
  IdentityFile ~/.ssh/id_rsa-svn

As this identity file comes first, it will have the precedence over
the default identity files, as documented in the ssh_config(5) man
page. Now, the problem is that the user needs to remember to use
host svn-server instead of the real hostname of the SVN server,
otherwise a "standard" svnserve (with no --tunnel-user) will be

If someone has a better solution, I'd be very interested.

Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-08-26 13:59:58 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.