| This file describes how to use the sshd "command" directive to set up |
| svn+ssh with any or all of the following properties: |
| |
| (1) Specify a full path to the svnserve binary |
| (2) Specify a repository root as one can with the svnserve daemon |
| (3) Avoid giving full shell access to an svn user |
| (4) Use a single Unix account for multiple svn users |
| |
| This file will assume that the server is using openssh on a Unix-like |
| host. The same tricks may work for other server setups, but changes |
| may need to be made to the details. |
| |
| These tricks require that you use public-key authentication; they will |
| not work with password authentication. These tricks also assume that |
| the client's key-pair is used only for access to svnserve; if you want |
| to retain general shell access to the host, create a second, dedicated |
| key-pair for Subversion access and (assuming a Unix client) set the |
| environment variable SVN_SSH to "ssh -i /path/to/private/key/file --". |
| |
| The basic idea |
| -------------- |
| |
| To set up public key authentication on the server, you create a file |
| $HOME/.ssh/authorized_keys, where $HOME is the home directory of the |
| Unix account being used for svnserve on the server. Each line of the |
| file is typically copied from a client's public key file, and looks |
| something like: |
| |
| ssh-rsa AAAABlotsmoregookhere= address@example.com |
| |
| The first field specifies the type of the key, the second is the key |
| itself in uuencoded format, and the third is a comment which humans |
| can use to identify what the key is. In the future, we'll write these |
| three fields as "TYPE KEY COMMENT" |
| |
| The basic trick, then, is to add a directive to this line telling sshd |
| to ignore the client's specified command and run a different command |
| instead. The line in the authorized_keys file will then look like: |
| |
| command="COMMAND" TYPE KEY COMMENT |
| |
| For svn+ssh access, the client generally specifies the command |
| "svnserve -t"; the following tricks will modify the command in various |
| ways. |
| |
| Trick #1: Specify a full path to the svnserve binary |
| ---------------------------------------------------- |
| |
| For this trick, specify a command like: |
| |
| command="/full/path/to/svnserve -t" TYPE KEY COMMENT |
| |
| Trick #2: Specify a repository root |
| ----------------------------------- |
| |
| For this trick, add a -r option to the svnserve command: |
| |
| command="svnserve -t -r /repository/root" TYPE KEY COMMENT |
| |
| Trick #3: Avoid giving full shell access to an svn user |
| ------------------------------------------------------- |
| |
| For this trick, it isn't necessary to modify the command at all. We |
| just need to make sure that the client doesn't run any other commands. |
| However, you should also use the "no-port-forwarding" option to |
| prevent the client from tunneling to other ports: |
| |
| command="svnserve -t",no-port-forwarding TYPE KEY COMMENT |
| |
| You may also wish to specify the options "no-pty", |
| "no-agent-forwarding", and "no-X11-forwarding", just to give the |
| client less wiggle room. |
| |
| Trick #4: Use a single Unix account for multiple svn users |
| ---------------------------------------------------------- |
| |
| For this trick, establish a distinct key pair for each of the svn |
| users, list all of the public keys in the authorized_users file, and |
| specify the "--tunnel-user" directive in the command for each entry: |
| |
| command="svnserve -t --tunnel-user=alice" TYPE1 KEY1 COMMENT1 |
| command="svnserve -t --tunnel-user=bob" TYPE2 KEY2 COMMENT2 |
| |
| As with trick #3, it may be wise to specify "no-port-forwarding" and |
| perhaps the other restriction options to prevent the users from |
| obtaining other kinds of access. |
| |
| The --tunnel-user option is new in svn 1.1.0, so this trick will not |
| work if the server has svn 1.0.x. |
| |
| Combining the tricks |
| -------------------- |
| |
| Here's an example of how you might combine all four tricks: |
| |
| command="/path/to/svnserve -t -r /repository/root --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 COMMENT1 |
| command="/path/to/svnserve -t -r /repository/root --tunnel-user=bob",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE2 KEY2 COMMENT2 |