notes/ssh-tricks - subversion - Git at Google

 This file describes how to use the sshd "command" directive to set up
 svn+ssh with any or all of the following properties:

   (1) Specify a full path to the svnserve binary
   (2) Specify a repository root as one can with the svnserve daemon
   (3) Avoid giving full shell access to an svn user
   (4) Use a single Unix account for multiple svn users

 This file will assume that the server is using openssh on a Unix-like
 host.  The same tricks may work for other server setups, but changes
 may need to be made to the details.

 These tricks require that you use public-key authentication; they will
 not work with password authentication.  These tricks also assume that
 the client's key-pair is used only for access to svnserve; if you want
 to retain general shell access to the host, create a second, dedicated
 key-pair for Subversion access and (assuming a Unix client) set the
 environment variable SVN_SSH to "ssh -i /path/to/private/key/file".

 The basic idea
 --------------

 To set up public key authentication on the server, you create a file
 $HOME/.ssh/authorized_keys, where $HOME is the home directory of the
 Unix account being used for svnserve on the server.  Each line of the
 file is typically copied from a client's public key file, and looks
 something like:

   ssh-rsa AAAABlotsmoregookhere= address@example.com

 The first field specifies the type of the key, the second is the key
 itself in uuencoded format, and the third is a comment which humans
 can use to identify what the key is.  In the future, we'll write these
 three fields as "TYPE KEY COMMENT"

 The basic trick, then, is to add a directive to this line telling sshd
 to ignore the client's specified command and run a different command
 instead.  The line in the authorized_keys file will then look like:

   command="COMMAND" TYPE KEY COMMENT

 For svn+ssh access, the client generally specifies the command
 "svnserve -t"; the following tricks will modify the command in various
 ways.

 Trick #1: Specify a full path to the svnserve binary
 ----------------------------------------------------

 For this trick, specify a command like:

   command="/full/path/to/svnserve -t" TYPE KEY COMMENT

 Trick #2: Specify a repository root
 -----------------------------------

 For this trick, add a -r option to the svnserve command:

   command="svnserve -t -r /repository/root" TYPE KEY COMMENT

 Trick #3: Avoid giving full shell access to an svn user
 -------------------------------------------------------

 For this trick, it isn't necessary to modify the command at all.  We
 just need to make sure that the client doesn't run any other commands.
 However, you should also use the "no-port-forwarding" option to
 prevent the client from tunneling to other ports:

   command="svnserve -t",no-port-forwarding TYPE KEY COMMENT

 You may also wish to specify the options "no-pty",
 "no-agent-forwarding", and "no-X11-forwarding", just to give the
 client less wiggle room.

 Trick #4: Use a single Unix account for multiple svn users
 ----------------------------------------------------------

 For this trick, establish a distinct key pair for each of the svn
 users, list all of the public keys in the authorized_users file, and
 specify the "--tunnel-user" directive in the command for each entry:

   command="svnserve -t --tunnel-user=alice" TYPE1 KEY1 COMMENT1
   command="svnserve -t --tunnel-user=bob" TYPE2 KEY2 COMMENT2

 As with trick #3, it may be wise to specify "no-port-forwarding" and
 perhaps the other restriction options to prevent the users from
 obtaining other kinds of access.

 The --tunnel-user option is new in svn 1.1.0, so this trick will not
 work if the server has svn 1.0.x.

 Combining the tricks
 --------------------

 Here's an example of how you might combine all four tricks:

   command="/path/to/svnserve -t -r /repository/root --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 COMMENT1
   command="/path/to/svnserve -t -r /repository/root --tunnel-user=bob",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE2 KEY2 COMMENT2
	This file describes how to use the sshd "command" directive to set up
	svn+ssh with any or all of the following properties:

	(1) Specify a full path to the svnserve binary
	(2) Specify a repository root as one can with the svnserve daemon
	(3) Avoid giving full shell access to an svn user
	(4) Use a single Unix account for multiple svn users

	This file will assume that the server is using openssh on a Unix-like
	host. The same tricks may work for other server setups, but changes
	may need to be made to the details.

	These tricks require that you use public-key authentication; they will
	not work with password authentication. These tricks also assume that
	the client's key-pair is used only for access to svnserve; if you want
	to retain general shell access to the host, create a second, dedicated
	key-pair for Subversion access and (assuming a Unix client) set the
	environment variable SVN_SSH to "ssh -i /path/to/private/key/file".

	The basic idea
	--------------

	To set up public key authentication on the server, you create a file
	$HOME/.ssh/authorized_keys, where $HOME is the home directory of the
	Unix account being used for svnserve on the server. Each line of the
	file is typically copied from a client's public key file, and looks
	something like:

	ssh-rsa AAAABlotsmoregookhere= address@example.com

	The first field specifies the type of the key, the second is the key
	itself in uuencoded format, and the third is a comment which humans
	can use to identify what the key is. In the future, we'll write these
	three fields as "TYPE KEY COMMENT"

	The basic trick, then, is to add a directive to this line telling sshd
	to ignore the client's specified command and run a different command
	instead. The line in the authorized_keys file will then look like:

	command="COMMAND" TYPE KEY COMMENT

	For svn+ssh access, the client generally specifies the command
	"svnserve -t"; the following tricks will modify the command in various
	ways.

	Trick #1: Specify a full path to the svnserve binary
	----------------------------------------------------

	For this trick, specify a command like:

	command="/full/path/to/svnserve -t" TYPE KEY COMMENT

	Trick #2: Specify a repository root
	-----------------------------------

	For this trick, add a -r option to the svnserve command:

	command="svnserve -t -r /repository/root" TYPE KEY COMMENT

	Trick #3: Avoid giving full shell access to an svn user
	-------------------------------------------------------

	For this trick, it isn't necessary to modify the command at all. We
	just need to make sure that the client doesn't run any other commands.
	However, you should also use the "no-port-forwarding" option to
	prevent the client from tunneling to other ports:

	command="svnserve -t",no-port-forwarding TYPE KEY COMMENT

	You may also wish to specify the options "no-pty",
	"no-agent-forwarding", and "no-X11-forwarding", just to give the
	client less wiggle room.

	Trick #4: Use a single Unix account for multiple svn users
	----------------------------------------------------------

	For this trick, establish a distinct key pair for each of the svn
	users, list all of the public keys in the authorized_users file, and
	specify the "--tunnel-user" directive in the command for each entry:

	command="svnserve -t --tunnel-user=alice" TYPE1 KEY1 COMMENT1
	command="svnserve -t --tunnel-user=bob" TYPE2 KEY2 COMMENT2

	As with trick #3, it may be wise to specify "no-port-forwarding" and
	perhaps the other restriction options to prevent the users from
	obtaining other kinds of access.

	The --tunnel-user option is new in svn 1.1.0, so this trick will not
	work if the server has svn 1.0.x.

	Combining the tricks
	--------------------

	Here's an example of how you might combine all four tricks:

	command="/path/to/svnserve -t -r /repository/root --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 COMMENT1
	command="/path/to/svnserve -t -r /repository/root --tunnel-user=bob",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE2 KEY2 COMMENT2