This article describes how to secure access to your SVN repository without using an HTTPS server. Authorization is handled by SVN itself, authentication by SSH.
- SVN access without web server.
- Access tunneled via SSH.
- Authorization and authentication without Unix users, using only SVN config files.
- Existing SVN repository
- SSH server
- SVN-Client + SSH-Client for testing
- svnserve installed
These assumptions apply to the following instructions. Of course repository names and directories may differ.
- An SVN repository is located at
- There is a user svn whose home directory is
Setting up SSH and svnserve
svnserve should already be installed together with subversion or the subversion-tools package. If not, the following packages must be installed.
aptitude install subversion
aptitude install subversion-tools
We prepare a log file that svnserve can write to later.
touch /var/log/svnserve.log
chown svn:svn /var/log/svnserve.log
In the conf directory of our repository we create the config file /home/svn/repo1/conf/svnserve.conf with the following content:
[general]
anon-access = none
auth-access = write
authz-db = authz
We deliberately leave out the password-db = line because authentication is done via SSH.
anon-access = none specifies that the repository cannot be accessed anonymously.
auth-access = write specifies that the repository is readable and writable for authenticated users. Which user may do what in the repository is defined by the SVN authorization file authz in the same directory; it is enabled by authz-db = authz in the last line. The file contains the following entries (as an example):
[groups]
admin = tim
project1 = alice, bob
project2 = eve

[/]
* =
tim = rw

[/src/project1]
@project1 = r
hudson = rw

[/src/project2]
@project2 = r
At the top we define the groups and assign user names to them.
Below [/] we configure the authorization in the root of the repository. Here everyone is allowed nothing (* =), but tim is allowed to do everything (tim = rw). These settings are inherited by subdirectories unless they are overridden there.
Below that are the settings for the project directories. Names with an @ prefix are groups.
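To see how the inheritance described above plays out before deploying an authz file, here is an added example (not code from the original article) that evaluates rules the way the text explains them: the section closest to a path that contains a rule matching the user decides, and parent sections are only consulted when nothing nearer matches. The precedence inside one section (explicit user rule, then group rules, then `*`) and the union of several matching group rules are assumptions of this example, and repository-qualified sections such as `[repo1:/src]` are not handled. The embedded authz text is the example from the article.

```python
import configparser
import posixpath

# Added example (not from the original article): evaluates path-based authz
# rules with the inheritance described in the text. Precedence inside a
# section (user rule, then groups, then "*") and the union of matching group
# rules are assumed here; repository-qualified sections are not handled.

SAMPLE_AUTHZ = """\
[groups]
admin = tim
project1 = alice, bob
project2 = eve

[/]
* =
tim = rw

[/src/project1]
@project1 = r
hudson = rw

[/src/project2]
@project2 = r
"""


def load_authz(text):
    """Parse authz text into (ConfigParser, {group: set(members)})."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str              # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    return cp, groups


def groups_of(groups, user):
    """All groups containing `user`, following nested @group members to a fixed point."""
    mine = set()
    while True:
        new = {g for g, members in groups.items() if g not in mine and
               (user in members or any(m[1:] in mine for m in members if m.startswith("@")))}
        if not new:
            return mine
        mine |= new


def _rights_in_section(cp, section, user, groups):
    """Rights granted by one section, or None if no rule there applies to `user`."""
    if not cp.has_section(section):
        return None
    rules = {k: v.strip() for k, v in cp.items(section)}
    if user in rules:                              # explicit user rule wins (assumed precedence)
        return rules[user]
    hits = [rules["@" + g] for g in groups_of(groups, user) if "@" + g in rules]
    if hits:                                       # union of matching group rules (assumed)
        return "".join(c for c in "rw" if any(c in h for h in hits))
    return rules.get("*")                          # "*" applies to everyone; "" means no access


def access(cp, groups, user, path):
    """Rights string ('', 'r' or 'rw') for `user` on `path`, walking up to parent sections."""
    node = "/" + path.strip("/")
    while True:
        rights = _rights_in_section(cp, node, user, groups)
        if rights is not None:
            return rights
        if node == "/":
            return ""                              # no rule matched anywhere: deny by default
        node = posixpath.dirname(node)


def can_read(cp, groups, user, path):
    return "r" in access(cp, groups, user, path)


def can_write(cp, groups, user, path):
    return "w" in access(cp, groups, user, path)


AUTHZ, GROUPS = load_authz(SAMPLE_AUTHZ)

if __name__ == "__main__":
    for user in ("tim", "alice", "eve", "hudson"):
        for path in ("/", "/src/project1/main.c", "/src/project2"):
            print("%-7s %-22s %r" % (user, path, access(AUTHZ, GROUPS, user, path)))
```

Running it shows the two effects worth checking in any authz file: tim keeps rw under /src/project1 although that section never names him (inherited from [/]), while eve gets nothing under /src/project1 because the `* =` rule in [/] catches everyone the nearer section does not list.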
Now authorization is complete, but authentication is still missing.
This takes place via SSH. To allow a user to access the repository, their public SSH key must be inserted into the authorized_keys file.
The call of svnserve is also configured there as a forced command and is run on behalf of the logged-in user. The entry looks like this for one user:
command="/usr/bin/svnserve -t -r /home/svn --tunnel-user=tim --log-file=/var/log/svnserve.log",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa [..] name@host
--tunnel-user=name specifies the user name under which the owner of this private key accesses svnserve; it is the name the authz file checks.
--log-file=... is the log file we created earlier. The parameters after the log file (no-port-forwarding, no-agent-forwarding, no-X11-forwarding, no-pty) make sure the SSH connection made with this key cannot be used for anything other than the forced svnserve command.
ssh-rsa [..] name@host is the SSH public key of the user who is to have access to the repository.
Each user gets one line. The lines are identical except for the --tunnel-user parameter and, of course, the public SSH key.
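Since every line of that file follows the same pattern, it is easy to generate the lines and just as easy to let one slip through without the forced command or with an incomplete restriction list. The following added example (not code from the original article) builds an entry in the format shown above and audits an existing authorized_keys file for entries that would give a key holder more than tunnelled svnserve access. The svnserve path, repository root and log file mirror the article; the key material in SAMPLE_AUTHORIZED_KEYS is constructed and not a real key.

```python
import re

# Added example (not from the original article): builds the authorized_keys
# entry from the article and audits an existing file for entries that do not
# restrict the key to the forced svnserve command. Key material below is
# constructed sample data.

SVN_ROOT = "/home/svn"                    # -r argument from the article
LOG_FILE = "/var/log/svnserve.log"        # log file created earlier in the article
RESTRICTIONS = ("no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", "no-pty")
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def forced_key_line(tunnel_user, pubkey, svn_root=SVN_ROOT, log_file=LOG_FILE):
    """Return one authorized_keys line that maps `pubkey` to the SVN user `tunnel_user`."""
    # The name ends up inside the quoted command, so only plain identifiers are accepted.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", tunnel_user):
        raise ValueError("tunnel user must be a plain identifier: %r" % tunnel_user)
    parts = pubkey.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not a recognisable OpenSSH public key line")
    command = "/usr/bin/svnserve -t -r %s --tunnel-user=%s --log-file=%s" % (svn_root, tunnel_user, log_file)
    return 'command="%s",%s %s' % (command, ",".join(RESTRICTIONS), " ".join(parts))


def _split_entry(line):
    """Split an entry into (option list, key part), honouring commas and spaces inside the quoted command."""
    if line.split(None, 1)[0] in KEY_TYPES:       # bare key, no options at all
        return [], line
    opts, buf, in_quote = [], "", False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
            buf += ch
        elif ch == "," and not in_quote:
            opts.append(buf)
            buf = ""
        elif ch in " \t" and not in_quote:
            opts.append(buf)
            return opts, line[i:].strip()
        else:
            buf += ch
    return opts + [buf], ""                       # options only, key part missing


def audit_authorized_keys(text):
    """Return {line_number: [problems]} for entries that deviate from the svnserve-only pattern."""
    problems, seen_keys = {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        issues = []
        opts, key = _split_entry(line)
        names = {o.split("=", 1)[0] for o in opts}
        cmd = next((o for o in opts if o.startswith('command="')), None)
        if cmd is None:
            issues.append("no forced command: the key holder gets a normal login")
        else:
            if "svnserve" not in cmd or " -t" not in cmd:
                issues.append("forced command is not 'svnserve -t'")
            if not re.search(r'--tunnel-user=[^\s"]+', cmd):
                issues.append("no --tunnel-user: svnserve would use the Unix user name for authorization")
        if "restrict" not in names:               # OpenSSH 'restrict' implies all four options
            missing = [r for r in RESTRICTIONS if r not in names]
            if missing:
                issues.append("missing restriction options: " + ", ".join(missing))
        parts = key.split()
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            issues.append("no recognisable public key")
        elif parts[1] in seen_keys:
            issues.append("same key already on line %d; sshd uses the first matching entry" % seen_keys[parts[1]])
        else:
            seen_keys[parts[1]] = n
        if issues:
            problems[n] = issues
    return problems


# Constructed sample: one correct entry, one with an incomplete restriction list, one bare key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    forced_key_line("tim", "ssh-ed25519 AAAAC3Constructed0000tim tim@laptop"),
    'command="/usr/bin/svnserve -t -r /home/svn --tunnel-user=alice --log-file=/var/log/svnserve.log",'
    "no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3Constructed0000alice alice@desk",
    "ssh-rsa AAAAB3Constructed0000bob bob@home",
])

if __name__ == "__main__":
    for n, issues in sorted(audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS).items()):
        print("line %d: %s" % (n, "; ".join(issues)))
```

The duplicate-key check matters because sshd stops at the first entry whose key matches: a second line carrying the same key with a different --tunnel-user never takes effect, so that user silently acts under the first line's name.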
After setting up authorization and authentication for the user tim, we can test the access from the client whose public SSH key we entered.
svn list svn+ssh://svn@hostname/repo1
svn before the @ is the Unix user that owns /home/svn on the server; every SVN user logs in as this Unix user and is told apart only by the presented key and its --tunnel-user entry.
repo1 is the root of the repository. Of course the path can also be extended, e.g. to
If an error message comes from SSH, the following can help.
Output of debug information for the SSH connection:
export SVN_SSH="ssh -v "
Check that the file permissions on the server are correct. First, for SSH to use the file authorized_keys, it should have the file permissions
Second, the home directory should not have more than 750, and third, the .ssh subdirectory should have at most 700.
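Those limits are quick to check by hand, but an added example (not code from the original article) makes the check repeatable for the svn account's home directory. The home and .ssh limits (750 and 700) are the ones from the text; for authorized_keys the text gives no number, so this example only rejects group- and world-writable bits, which is what sshd's StrictModes refuses (an assumption of this example). The demo builds a constructed home directory in a temporary location rather than touching a real account.

```python
import os
import stat
import tempfile

# Added example (not from the original article): checks the permission limits
# from the text on a home directory. Home and .ssh limits come from the text;
# the authorized_keys rule (no group/world write) is assumed for this example.

FORBIDDEN_BITS = {
    "": 0o777 & ~0o750,                 # home: nothing beyond 750
    ".ssh": 0o777 & ~0o700,             # .ssh: nothing beyond 700
    ".ssh/authorized_keys": 0o022,      # not writable by group or others (assumed)
}


def check_ssh_perms(home):
    """Return a list of problems found under `home`; an empty list means the layout is acceptable."""
    problems = []
    for rel, forbidden in FORBIDDEN_BITS.items():
        path = os.path.join(home, rel) if rel else home
        try:
            mode = stat.S_IMODE(os.lstat(path).st_mode)
        except FileNotFoundError:
            problems.append("%s: missing" % path)
            continue
        if mode & forbidden:
            problems.append("%s: mode %o has forbidden bits %o" % (path, mode, mode & forbidden))
    return problems


def demo():
    """Build a constructed home directory, record the problems, fix them and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "svn")
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.makedirs(ssh_dir)
        with open(keys, "w") as f:
            f.write("# constructed, empty\n")
        os.chmod(home, 0o755)          # too open: others may traverse the home directory
        os.chmod(ssh_dir, 0o700)
        os.chmod(keys, 0o664)          # group-writable
        before = check_ssh_perms(home)
        os.chmod(home, 0o750)
        os.chmod(keys, 0o600)
        after = check_ssh_perms(home)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Pointing check_ssh_perms at the real home of the svn user (as root, or as that user) lists exactly the entries that need a chmod, which is what the SSH debug output usually hides behind a generic authentication failure.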
If an error message comes from svn, the server log file can be found on the server at