I recently found the need to set up svnserve over an ssh tunnel as an additional access method to an existing installation of subversion, working in the usual method with Apache httpd and dav_svn. I'm posting this log to help others do the same.
Brian K. Boonstra
Goal
Given an existing subversion repository, currently using httpd on an internal network, set up tunneled ssh access so that external usage is possible and secure, using public-key authentication.
References
Subversion / TortoiseSVN SSH HowTo by Marc Logemann
svn+ssh and putty
diagnosing svn+ssh connection problems
sshd configuration
My Experiences With Subversion
Version Control with Subversion:svnserve
Version Control with Subversion:Multiple Access
Steps
Configure sshd
I did not want sshd to allow password access. So the first step was to modify its configuration file to read:
PermitRootLogin no
PasswordAuthentication no
# Surprise! Ignores 'PasswordAuthentication no' unless this is also 'no'
UsePAM no
Create a subversion user
I find it convenient to have a separate subversion user. The repository was currently owned by user www-data, group svn. You want to make the repository owned by a group to which both www-data and svn belong.
(i) Create the user, depending on whether you already have an svn group, either
adduser svn --ingroup svn --disabled-password --shell=/bin/zsh --system
or
adduser svn --group --disabled-password --shell=/bin/zsh --system
adduser www-data svn
chgrp -R svn $SVN_REPOSITORY
(ii) Test access
sudo -u svn svn info file://$SVN_REPOSITORY
(iii) Ensure permissions are OK:
sudo su svn
cd
# $SOMEFILE must name a directory in the repository here: svn co cannot check out a single file
svn co file://$SVN_REPOSITORY/$SOMEFILE
# modify a file inside the working copy trivially
svn commit $SOMEFILE
(c) If there was a problem, ensure
(1) group write permissions exist wherever user write permissions exist
(2) the group of created files is 'svn'
(3) the permissions of created files match before and after commit
Create public key access
Make a ~/.ssh/ subdirectory for the 'svn' account.
For each user:
(i) cd ~svn/.ssh
(ii) Get a public key
(a) If user already has a public key, copy the user's public key to ~svn/.ssh as $USER.pub
(b) Otherwise,
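# Ed25519 key pair; DSA keys are disabled by default since OpenSSH 7.0
ssh-keygen -t ed25519 -f $USER
# For every user, in either case: write options and key as ONE line, with $USER and $SVN_REPOSITORY expanded now
printf 'command="svnserve -t --tunnel-user=%s --root=%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$USER" "$SVN_REPOSITORY" "$(cat $USER.pub)" >> authorized_keys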
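One way to check the resulting authorized_keys file, as an added example that is not part of the original post: the function below flags entries that are not pinned to svnserve, that still contain an unexpanded shell variable, that lack one of the restriction options, or whose options and key ended up on separate lines. The names audit_authorized_keys and write_sample, the sample keys and the /srv/svn path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the svn account's authorized_keys (names and sample are constructed).
REQUIRED_OPTS="no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty"

# audit_authorized_keys FILE: print "LINE n: problem" per finding; return 1 if any.
audit_authorized_keys() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;
            'command="svnserve -t --tunnel-user='*) ;;
            *) echo "LINE $n: key is not pinned to svnserve"; bad=1; continue ;;
        esac
        cmd=${line#command=\"}; cmd=${cmd%%\"*}   # text inside command="..."
        rest=${line#command=\"*\"}                # ",opt,opt KEYTYPE BLOB COMMENT"
        opts=${rest%% *}                          # comma-separated option list
        key=${rest#"$opts"}; key=${key# }         # empty when the key is on another line
        case $cmd in
            *'$'*) echo "LINE $n: unexpanded shell variable in forced command"; bad=1 ;;
        esac
        for opt in $REQUIRED_OPTS; do
            case ",$opts," in
                *",$opt,"*) ;;
                *) echo "LINE $n: missing $opt"; bad=1 ;;
            esac
        done
        case $key in
            '') echo "LINE $n: options are not followed by a key on the same line"; bad=1 ;;
            ssh-dss\ *) echo "LINE $n: DSA key, disabled by default since OpenSSH 7.0"; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Constructed sample: one good entry, then what `echo 'options' | cat - key.pub` produces.
write_sample() {
    cat > "$1" <<'EOF'
command="svnserve -t --tunnel-user=alice --root=/srv/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3ExampleKeyA alice
command="svnserve -t --tunnel-user=$USER --root=$SVN_REPOSITORY",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
ssh-dss AAAAB3ExampleKeyB bob
EOF
}

# Stand-alone use: sh audit.sh ~svn/.ssh/authorized_keys
if [ -n "${1:-}" ]; then audit_authorized_keys "$1"; fi
```

On the constructed sample, line 3 is reported because a key on a line of its own carries no forced command, so it is accepted with the account's normal login shell rather than being limited to svnserve.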
Test the access
A remote user set up as above should now be able to do something like
svn info svn+ssh://svn@$SERVERNAME/$SOMEFILE
If there were connection troubles try the instructions in the references, which basically say to try
ssh svn@$SERVERNAME svnserve
ssh -v svn@$SERVERNAME