In most environments, people want to access their Subversion repositories over a HTTPS connection. This requires a webserver like Apache, which provides WebDAV and SVN modules. I just switched over to nginx and do not want to install Apache just for SVN only. So I started to search for an alternative method which should be easy and secure.
I found svn ssh
. I knew SVN over SSH already but I remembered that there were some problems with file permissions and I did not really liked the idea of having Unix accounts for each SVN user on the system. What I realized then was that there is a pretty nice workaround perfect solution.
First of all, let us create a new SVN user. Only this user will access the repositories.
adduser --home /var/svn --shell /bin/bash --disabled-password svn
Next step is to create a new repository and import the basic directory structure.
for dir in trunk branches tags; do mkdir -p /tmp/project1/$dir; done
mkdir /var/svn/repos
svnadmin create /var/svn/repos/project1
svn import /tmp/project1 file:///var/svn/repos/project1 -m "Initial import"
All the magic is done in the SVN user’s SSH authorized_keys
file.
command="/usr/bin/svnserve -t -r /var/svn/repos --tunnel-user=user1",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA== user1@example.com
command="/usr/bin/svnserve -t -r /var/svn/repos --tunnel-user=user2",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB== user2@example.com
You can limit user access per SSH public key. In this case we force the user to execute svnserve
, we can limit to repository and we can set a username with --tunnel-user
which is used for commits. Additionally, we can disallow all non-SVN stuff to prevent login to shell or port-forwarding etc.
That’s it. Check out your repository and start working with it.
svn co svn ssh://svn@example.com/project1/trunk project1