In most environments, people want to access their Subversion repositories over an HTTPS connection. This requires a web server like Apache, which provides WebDAV and SVN modules. I just switched over to nginx and do not want to install Apache just for SVN. So I started to search for an alternative method which should be easy and secure.
svn+ssh. I knew SVN over SSH already, but I remembered that there were some problems with file permissions and I did not really like the idea of having Unix accounts for each SVN user on the system. What I realized then was that there is a pretty nice perfect solution.
First of all, let us create a new SVN user. Only this user will access the repositories.
adduser --home /var/svn --shell /bin/bash --disabled-password svn
Next step is to create a new repository and import the basic directory structure.
for dir in trunk branches tags; do mkdir -p /tmp/project1/$dir; done
mkdir /var/svn/repos
svnadmin create /var/svn/repos/project1
svn import /tmp/project1 file:///var/svn/repos/project1 -m "Initial import"
All the magic is done in the SVN user’s SSH
command="/usr/bin/svnserve -t -r /var/svn/repos --tunnel-user=user1",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA== firstname.lastname@example.org
command="/usr/bin/svnserve -t -r /var/svn/repos --tunnel-user=user2",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB== email@example.com
You can limit user access per SSH public key. In this case we force the user to execute svnserve, we limit access to the repository root with -r, and we set a username with --tunnel-user, which is used for commits. Additionally, we disallow all non-SVN stuff to prevent shell login, port forwarding, etc.
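A check for the restrictions described above, as an added example that is not part of the original post: it parses the lines of the svn account's authorized_keys file and reports keys that lack the forced svnserve command, -r, --tunnel-user, or the forwarding and pty restrictions. The function names and the sample entries are constructed for illustration; treating OpenSSH's restrict option as equivalent to the four no-* options is an assumption that goes beyond the page.

```python
import re
import shlex

# The four restrictions the page puts on every key (OpenSSH option names are
# case-insensitive); the newer "restrict" option implies all of them.
REQUIRED = {"no-port-forwarding", "no-pty", "no-agent-forwarding", "no-x11-forwarding"}
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")
# First whitespace-delimited field of a line, keeping double-quoted values whole.
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')

def parse_options(field):
    """Turn 'a="x,y",b' into {'a': 'x,y', 'b': ''} without splitting quoted commas."""
    opts = {}
    for item in re.findall(r'(?:[^,"]|"(?:\\.|[^"\\])*")+', field):
        name, _, value = item.partition("=")
        opts[name.lower()] = value.strip('"')
    return opts

def audit(text):
    """Return (line_number, problem) pairs for the body of an authorized_keys file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD.match(line)
        field = m.group() if m else ""
        # A line that starts with the key type has no options field at all.
        opts = {} if KEY_TYPE.match(field) else parse_options(field)
        argv = shlex.split(opts.get("command", ""))
        if not argv or not argv[0].endswith("/svnserve") or "-t" not in argv:
            findings.append((n, "no forced svnserve -t command"))
            continue
        if "-r" not in argv:
            findings.append((n, "svnserve not confined with -r"))
        if not any(a.startswith("--tunnel-user=") for a in argv):
            findings.append((n, "no --tunnel-user"))
        missing = set() if "restrict" in opts else REQUIRED - set(opts)
        if missing:
            findings.append((n, "missing " + ",".join(sorted(missing))))
    return findings

# Constructed sample; key material and comments are placeholders.
SAMPLE = """\
command="/usr/bin/svnserve -t -r /var/svn/repos --tunnel-user=user1",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAPLACEHOLDER user1
command="/usr/bin/svnserve -t -r /var/svn/repos --tunnel-user=user2",no-pty ssh-rsa AAAAPLACEHOLDER user2
ssh-rsa AAAAPLACEHOLDER user3
command="/usr/bin/svnserve -t",restrict ssh-ed25519 AAAAPLACEHOLDER user4
"""
```

Because the svn account is created with /bin/bash as its shell, a key line reported as having no forced command is the finding that matters most: that key opens an interactive shell as the user that owns every repository.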
That’s it. Check out your repository and start working with it.
svn co svn+ssh://svn@example.org/project1/trunk project1