svn+ssh://

Published: by Creative Commons Licence

Time to read: 4 minutes

This article describes how to secure access to your SVN repository without running an HTTPS server. Authorization is handled by SVN's own configuration files and authentication by SSH.

Goals

  • SVN access without web server.
  • Access tunneled via SSH.
  • Authorization and authentication without a Unix account per user, using only the SVN configuration files.

Prerequisites

  • Existing SVN repository
  • SSH server
  • SVN-Client + SSH-Client for testing
  • svnserve installed

Assumptions

These assumptions apply to the following instructions. Of course repository names and directories may differ.

  • An SVN repository is located at /home/svn/repo1.
  • There is a user svn whose home directory is /home/svn.

Setting up SSH and svnserve

svnserve should already be installed with the subversion or subversion-tools packages. If not, install the following packages.

aptitude install subversion
aptitude install subversion-tools

We create a log file that svnserve can write to later.

touch /var/log/svnserve.log
chown svn:svn /var/log/svnserve.log

In the conf directory of our repository we create the svnserve configuration file /home/svn/repo1/conf/svnserve.conf with the following content.

[general]
anon-access = none
auth-access = write
authz-db = authz

We deliberately leave out the line password-db = ..., because authentication is done via SSH. anon-access = none denies anonymous access to the repository. auth-access = write gives authenticated users read and write access, subject to the authorization file. The SVN authorization file authz in the same directory defines which user may do what in the repository; this is what authz-db = authz in the last line configures. The file contains the following entries (as an example):

[groups]
admin = tim
project1 = alice, bob
project2 = eve

[/]
* =
tim = rw

[/src/project1]
@project1 = r
hudson = rw

[/src/project2]
@project2 = r

At the top we define groups and assign user names to them. Below [/] we configure the authorization for the root of the repository. Here nobody is allowed anything (* =), except tim, who may read and write (tim = rw). These settings are inherited by subdirectories unless they are overridden there.

Below that are the settings for the project directories. Names with the @ prefix are groups.
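To see how the root denial and the per-project sections combine, here is a small evaluator for the authz rules above. It is an added example, not part of the original article; it assumes flat groups only and does not handle aliases, $authenticated or nested @group references.

```python
"""Resolve a user's effective rights under an svnserve authz file (constructed
example, not the article's; nested groups, aliases, $authenticated unsupported)."""
import configparser
import posixpath

AUTHZ_TEXT = """
[groups]
admin = tim
project1 = alice, bob
project2 = eve
[/]
* =
tim = rw
[/src/project1]
@project1 = r
hudson = rw
[/src/project2]
@project2 = r
"""

def parse_authz(text):
    """Return ({group: set_of_members}, {path_section: {principal: rights}})."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of user and group names
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",") if m.strip()}
              for g, v in cp.items("groups")}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules

def rights_in_section(groups, section, user):
    """Rights from one [path] section, or None if it does not mention the user."""
    if user in section:                      # an explicit user rule wins
        return section[user]
    via_groups = [v for k, v in section.items()
                  if k.startswith("@") and user in groups.get(k[1:], ())]
    if via_groups:                           # member of several groups: union
        return "".join(sorted(set("".join(via_groups))))
    return section.get("*")                  # wildcard rule, or None if absent

def effective_access(groups, rules, user, path):
    """Walk from `path` up to '/', applying the most specific section that names the user."""
    path = "/" + path.strip("/")
    while True:
        rights = rights_in_section(groups, rules[path], user) if path in rules else None
        if rights is not None:
            return rights
        if path == "/":
            return ""                        # no applicable rule: no access
        path = posixpath.dirname(path)
```

An empty string means no access, so `* =` at the root denies everyone not named in a more specific section, while hudson gets rw under /src/project1 without appearing in any group.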

Authorization is now complete, but authentication is still missing. This takes place via SSH. To allow a user to access the repository, their public SSH key must be added to the file /home/svn/.ssh/authorized_keys.

The invocation of svnserve is also configured there; it is started by the SSH login of that user. The entry for one user looks like this:

command="/usr/bin/svnserve -t -r /home/svn --tunnel-user=tim --log-file=/var/log/svnserve.log",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa [..] name@host

--tunnel-user=name specifies the user name under which the owner of the private key accesses svnserve.

--log-file=... points to the file we created earlier. The options after the command (no-port-forwarding, no-agent-forwarding, no-X11-forwarding, no-pty) make sure that an SSH connection with this key cannot be used for anything other than svnserve. The section ssh-rsa [..] name@host is the SSH public key of the user who is to have access to the repository.

Each line is one entry for one user. The entries are identical except for the --tunnel-user parameter and, of course, the public SSH key.

Test access

After setting up authorization and authentication for the user tim, we can test access from the client whose public SSH key we entered.

svn list svn+ssh://svn@hostname/repo1

The svn before the @ is the Unix user who owns /home/svn on the server hostname. repo1 is the root of the repository, relative to the -r /home/svn given to svnserve. Of course the path can be extended, e.g. to repo1/src/project1.

If the error message comes from SSH, the following can help.

Enable debug output for the SSH connection:

export SVN_SSH="ssh -v "

Check that the file permissions on the server are correct: for SSH to use the authorized_keys file, it should have mode 600; the home directory should be no more permissive than 750; and the .ssh subdirectory no more permissive than 700.

If the error message comes from svn, the server-side log can be found at /var/log/svnserve.log.