 |
|
|
|
|
### Switching SVN authentication from clear-text to ssh+svn ### |
|
|
|
|
|
SVN is a truly awesome beast when it comes to keeping track of any software |
|
development (yes, I know kids these days prefer git - probably because it's |
|
more "cool" for some reason. I don't care. I use svn). |
|
|
|
But to the point. SVN is an extraordinary tool, but unfortunately, it doesn't |
|
come with native support for any form of encryption nor serious |
|
authentication. I know two solutions to this shortcoming: |
|
a) funnel all svn operations into an (SSL-enabled) apache web server, relying |
|
on its webdav extension. |
|
b) tunnel all svn operations through a SSH tunnel |
|
|
|
I shortly investigated option a) and quickly came to the conclusion that I do |
|
not like it. Too much of a mess, too much (apache) overhead, having to trust a |
|
wonky http extension (webdav)... Other people may disagree - but I let them |
|
have the fun with the apache/ssl/webdav contraption. |
|
|
|
My choice is to go the SSH route. SSH is a perfectly standard, extremely |
|
secure and very lightweight protocol. Plus, the vast majority of SVN clients |
|
know how to talk svn-over-ssh. |
|
|
|
How? |
|
|
|
First thing - I do not want subversion to listen on a raw TCP socket any more. |
|
On most Linux distributions, subversion is pre-configured through either inetd |
|
or xinetd. This needs to be removed (check with 'netstat -antp' to make sure |
|
it does not listen any more). |
|
|
|
Then, create a system user that will accept svn queries and relay them to the |
|
local 'svnserve' binary. Let's call this user "svnuser" for the sake of |
|
simplicity. All (actual) svn users will need to authenticate as 'svnuser', but |
|
without any rights that could allow them to fiddle with the system. This can |
|
be set up through a proper authorized_keys file, as shown in the example |
|
below. |
|
|
|
/home/svnuser/.ssh/authorized_keys: |
|
|
|
command="/usr/bin/svnserve -t -r /srv/svn --tunnel-user=mateusz",no-port-forw |
|
arding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAA |
|
AABIwAAAQEAykx+2hO8kBxdUAeLuL5eNgEnNWh8aWA3tkg6qPMMZWliuvrNSe7plp6RliKgmLIOVx |
|
TC1OqE7B+MHWaHS/y0hOxDVwfLTtvUFd+IgmGwc4MwDOqOSohQdlaOph3Rs2b3PUrVzG73d0tztu7 |
|
NVyfoZ3V13NIp1GZnptZOak910FpoiBDVMShiJr8rb4K5JIgUb6h+BRFf8pXoGIU75zEnbGlA+64l |
|
3cFGBRRitzXUHGPfMtFSndyJ1MV2M6vfo2A6DYaa/YGVTBMqQTvP4am7zITO6DKjzxifLI62HP6c6 |
|
9u/Q== Mateusz |
|
|
|
The above line will allow me to authenticate as 'svnuser' using my ssh key, |
|
and execute svnserve feeding it with a virtual user named 'mateusz'. |
|
Basically, the ssh system will see 'svnuser' authenticating, while svn will |
|
see 'mateusz' doing svn operations. |
|
|
|
now use: |
|
|
|
svn checkout svn+ssh://svnuser@svnserver/project |
|
|
|
It is worth noting that all passwords declared in the svn configuration |
|
(conf/passwd) become meaningless, since they won't be ever used anyway. |
|
|
|
A variant of this configuration is to create separate system users for each |
|
and every svn user. The principle is strictly the same, it's just more work |
|
each time a new svn user needs to be added. |
|
