Tiger

Reputation: 507

Subversion with ssh for authentication

We have a Subversion server running on Linux. We used to authenticate users with unencrypted passwords using passwd from the conf folder of the Subversion repository.

We have tried to change to ssh authentication. I am not sure how to use ssh to authenticate via Subversion. Based on the Subversion manual, if I use

svn checkout svn+ssh://serverIP/trunk/project

I can type my ssh password and it authenticates, but then it shows

svn: No repository found in 'svn+ssh://ServerIP/trunk/project'

However, when I used 'svn://ServerIP/trunk/project' with the plain-text password based on 'passwd' in the conf folder, I could check out the project source code.

Am I missing something for ssh? I guess I am, but I am not sure which part I am missing.

Thanks

Upvotes: 5

Views: 8434

Answers (3)

not2savvy

Reputation: 4321

The other answers are correct in that svn over ssh usually wants the full path to the repository.

However, this can be avoided by using the /etc/ssh/sshd_config configuration file on the server in combination with a custom script. I recommend it for increased security.

Add this to /etc/ssh/sshd_config:

# Override ssh commands
ForceCommand /opt/custom/ssh/forcecommand.sh

Then, in /opt/custom/ssh/forcecommand.sh, check for the svn command:

#!/bin/bash

# Catch the svnserve command sent via ssh and replace it with the wrapper script

# Print the first word of a command line
function first_word { echo "$1" ; }

# Append a UTC-timestamped line to the log.
# The log is made writable by every ssh user, so any user can also edit it.
function writelog {
  echo "$(date -u "+%Y-%m-%d %H:%M:%S")  $1" >>/var/custom/log/forcecommand.log
  # chmod only succeeds for the file owner; hide the error for everyone else
  chmod a+w /var/custom/log/forcecommand.log 2>/dev/null
}

USERID=$(whoami)

# Check if the user just wants to log on with ssh
if [ -z "$SSH_ORIGINAL_COMMAND" ]; then
  writelog "User $USERID entered with no command - creating shell"
  exec "$SHELL" -l

else

  writelog "User $USERID entered with command: $SSH_ORIGINAL_COMMAND"
  # Unquoted on purpose: word splitting passes the first word as $1
  COMMAND1=$(first_word $SSH_ORIGINAL_COMMAND)

  # Check if the user issued ssh with svnserve
  # If so, modify the command to prepend the wrapper path
  if [ "$COMMAND1" == 'svnserve' ]; then
    writelog "Executing /opt/custom/ssh/${SSH_ORIGINAL_COMMAND}"
    # Unquoted on purpose: splits into wrapper path plus its arguments
    exec /opt/custom/ssh/${SSH_ORIGINAL_COMMAND}
  else
    writelog "Executing original command"
    exec ${SSH_ORIGINAL_COMMAND}
  fi
fi

Finally, in /opt/custom/ssh/svnserve:

#!/bin/bash
# Allow all permissions to be enabled for the owner and the group; disallow permissions for all others
umask 007
# Serve in tunnel mode with the repository root fixed; exec replaces this script, so nothing after it runs
exec /usr/bin/svnserve -t -r /var/subversion/repositories "$@"

Using this script will allow clients to access svn+ssh://serverIP/trunk/project without the need to know that the repository is actually stored at /var/subversion/repositories/trunk/project.

Upvotes: 0

Andrejs Cainikovs

Reputation: 28474

Normally, svn repositories can be found here:

svn://www.mysite.com/repo_name

...and svn over ssh repositories here:

svn+ssh://www.mysite.com/path-to-repos/repo_name

Please check these posts on serverfault.com:

Upvotes: 3

Joachim Sauer

Reputation: 308269

svn+ssh: doesn't just use SSH for authentication, but instead runs the entire communication via SSH. This means that the path you'll have to use is the actual, physical path to the repository on the server.

So if your repository on the server is found in /srv/svn/myrepo then the correct, full URI you'd like to check out is svn+ssh://serverIP/srv/svn/myrepo/trunk/project.

Also note that you'll want to set up restricted shells for your SVN users or you'll give them full shell access to your server, which is usually not what you want to do.

Upvotes: 6
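
Added example, not part of any answer above: a stricter variant of the ForceCommand wrapper from not2savvy's answer that also addresses the restricted-access point in Joachim Sauer's answer, by allowing only the svn+ssh tunnel command and refusing everything else, including interactive logins. The script name svn-only.sh, the svnusers group, the sshd_config wiring in the comments and the use of logger are assumptions; the svnserve and repository paths are the ones shown on the page.

```shell
#!/bin/sh
# Added example (not the answer's script): forced command for SVN-only accounts.
# Assumed sshd_config wiring ("svnusers" is a hypothetical group):
#   Match Group svnusers
#       ForceCommand /opt/custom/ssh/svn-only.sh --enforce
#       AllowTcpForwarding no
#       X11Forwarding no
#       PermitTTY no

REPO_ROOT=/var/subversion/repositories   # repository root used on the page
SVNSERVE=/usr/bin/svnserve               # svnserve path used on the page

# Print "allow" only for exactly the command the svn client sends by default
# for svn+ssh:// URLs; "deny" for anything else, including an empty command
# (interactive login) and any extra arguments.
decide() {
  case "$1" in
    "svnserve -t") echo allow ;;
    *)             echo deny ;;
  esac
}

# Replace non-printable characters so a crafted command cannot forge log lines.
sanitize() {
  printf '%s' "$1" | tr -c '[:print:]' '?'
}

enforce() {
  requested=${SSH_ORIGINAL_COMMAND:-}
  if [ "$(decide "$requested")" = allow ]; then
    logger -t svn-only -p auth.info "user=$(id -un) allowed svnserve tunnel"
    umask 007
    # Fixed argument list: nothing from the client reaches the command line.
    exec "$SVNSERVE" -t -r "$REPO_ROOT"
  fi
  logger -t svn-only -p auth.warning \
    "user=$(id -un) denied command: $(sanitize "$requested")"
  echo "Only Subversion access is permitted on this account." >&2
  exit 1
}

# Constructed sample inputs showing the decisions (safe to run anywhere).
demo() {
  for c in "svnserve -t" "" "svnserve -t -r /" "svnserve -t; id" "scp -t /tmp"; do
    printf '%-20s -> %s\n' "'$c'" "$(decide "$c")"
  done
}

if [ "${1:-}" = "--enforce" ]; then enforce; else demo; fi
```

Run without arguments it only prints the decision for each sample command; sshd would invoke it with --enforce. Logging through syslog avoids the world-writable log file.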
