Re: Security features, path based authorization in subversion

From: Vincent Lefevre <vincent+svn_at_vinc17.org>
Date: Tue, 26 Aug 2008 13:59:35 +0200

On 2008-08-25 14:16:12 -0400, John Peacock wrote:
> See Trick #4 for details:
>
> http://svn.collab.net/repos/svn/trunk/notes/ssh-tricks

Information given in this file is a bit incorrect. Yesterday I tried
what is said (note: I also have a normal shell account, but just wanted
to use the --tunnel-user feature to be able to see from what machine I
do the commits), with no success, and I spent a few hours determining
what was going on. The problem is that

  ssh -i /path/to/private/key/file

will not necessarily select the specified key. The -i option just
adds the identity to the list defined in the user's SSH config file
(in general, ~/.ssh/config), and as shown by "ssh -v", this new key
does *not* have the precedence. I didn't find any solution, except
the following possible one (not tested), which has some drawbacks:

At the beginning of the .ssh/config file (at least before Host *),
define a special host for svn access to the considered server, e.g.

Host svn-server
  Hostname real_server_hostname
  User ...
  IdentityFile ~/.ssh/id_rsa-svn

As this identity file comes first, it will have the precedence over
the default identity files, as documented in the ssh_config(5) man
page. Now, the problem is that the user needs to remember to use
host svn-server instead of the real hostname of the SVN server,
otherwise a "standard" svnserve (with no --tunnel-user) will be
executed.

If someone has a better solution, I'd be very interested.

-- 
Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
Received on 2008-08-26 13:59:58 CEST
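
Added example, not part of the original message or of the Subversion notes: a simplified Python model of how ssh_config(5) collects IdentityFile entries for the host name typed on the command line, run over a constructed config shaped like the one in the message. The "Host *" block and its key path are assumptions; Match and Include directives, agent keys and -i are not modelled.

```python
import fnmatch
import re

# Constructed sample config shaped like the one in the message; the
# "Host *" block and its key path are assumptions for illustration.
SAMPLE_CONFIG = """\
Host svn-server
  Hostname real_server_hostname
  IdentityFile ~/.ssh/id_rsa-svn

Host *
  IdentityFile ~/.ssh/id_rsa
"""

def host_matches(patterns, host):
    """Host line semantics: one positive pattern must match, no negated one may."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def effective_settings(config_text, host):
    """Return (settings, identity_files) for the name given on the command line."""
    settings, identities = {}, []
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or by "=".
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(value.split(), host)
        elif active and key == "identityfile":
            identities.append(value)         # accumulates, in file order
        elif active:
            settings.setdefault(key, value)  # first obtained value wins
    return settings, identities

if __name__ == "__main__":
    for name in ("svn-server", "real_server_hostname"):
        print(name, effective_settings(SAMPLE_CONFIG, name))
```

Running it shows the dedicated key listed first only when the alias is used; the real hostname matches "Host *" alone and never picks up the svn key.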

This is an archived mail posted to the Subversion Users mailing list.
