Saturday, August 16, 2008

Subversion: Server: Setting Up Svnserve With SSH

This is the second section of the Subversion topic. The first section can be found here.

Note: This topic is a walk-through rather than a complete guide. It is based on the documentation found on the TortoiseSVN website and various other sources. You can refer to that site for more explanation if needed.

Server: Setting Up Svnserve With SSH

Part 1: Server Setup
  1. Login as Administrator.
  2. Install SVN on the server (as described in Setting Up Svnserve).
    • Close the svnserve service if it is running.
  3. Create a new user account named “svnuser” (or any other name) with a password. Check that the user permissions are sufficient to read and write your SVN repository directory on the server.
  4. Install Cygwin SSH daemon as described here.
    • Before step 5 (“ssh-host-config” section), open c:\cygwin\etc\hosts.allow with WordPad and make sure it looks like this (note the hash # on the first line):
      #ALL : PARANOID : deny
      sshd: ALL
    • Continue to do the “ssh-host-config” section.
    • Continue to do the “Test the sshd” section.
      • Also test with “ssh svnuser@localhost”
    • Skip the other sections unless specially needed.
    • Type “logout” until the cygwin window is closed.
  5. Download PuTTY, PuTTYgen and Pageant from here and place the EXEs in c:\cygwin
  6. In Windows, log out as Administrator, then log in as svnuser.
  7. Create a key pair (Replace the ‘svnharrykey’ in sample below with your preferred key name):
    • Open a cygwin window. You will be logged in as svnuser by default.
    • $ cd /home/svnuser
      $ mkdir .ssh
      $ ssh-keygen -t rsa -f svnharrykey.key
    • Enter a passphrase when prompted: a secret used to encrypt the private key.
      • The key pair will be created in c:\cygwin\home\svnuse
    • If authorized_keys does not exist yet (first key created):
      $ cp svnharrykey.key.pub /home/svnuser/.ssh/authorized_keys
      If authorized_keys already exists:
      $ cat svnharrykey.key.pub >> /home/svnuser/.ssh/authorized_keys
    • Double-click on c:\cygwin\puttygen.exe
    • Go to Conversions > Import Key > Select the svnharrykey.key file.
    • Enter the passphrase > Save private key > saved as svnharrykey.ppk (saved into the same folder).
    • Go to c:\cygwin\home\svnuser\.ssh and open the “authorized_keys” file with WordPad.
      • Prepend the following options (everything before ssh-rsa) to each authorized key, so that each entry is a single line of this form:
        command="svnserve -t -r d:/svn_repos/ --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa <ThePublicKey><PublicKeyComment>
      • Replace d:/svn_repos/ with your svn repository root folder and harry with the svn authorized user (as in your svn repository conf\authz file).
      • Note: If the “svnserve” command cannot be found, change it to the full path. E.g: command="c:/svnserve/bin/svnserve.exe -t -r d:/svn_repos/…
      • Note: Each user's read/write rights on the svn repository are those set in conf\authz. (conf\passwd will not be used)
      • Save the file.

    • Repeat the steps above to generate keys for each svn authorized user.
      • Note: It is recommended that each svn user have a different key pair and passphrase.
    • When done, copy all the .ppk keys in c:\cygwin\home\svnuser to another folder to be distributed to the clients.
    • In Windows, log out as svnuser, then log back in as Administrator.

  8. Distribute the Putty private key files (e.g. svnharrykey.ppk) created to the authorized clients.
  9. To restrict access to the ssh service:
    • In Windows, login as Administrator.
    • Open c:\cygwin\etc\hosts.allow with WordPad.
    • Put a hash (#) on this line:
      #sshd: ALL
    • Put the following lines:
      ALL : PARANOID : deny
      ALL : PARANOID : RFC931 20 : deny
      ALL : localhost 127.0.0.1 : allow
      sshd : 192.168.1. : allow
      sshd : 218.208.999.99: allow

      ALL : ALL : deny
    • Note:
      • Replace the IPs in the sshd lines with those you allow.
      • Rules are applied in order from top to bottom; the first matching rule wins.
      • To allow an IP range: sshd : 192.168.1. : allow
      • To allow a particular IP: sshd : 192.168.1.47: allow
      • To allow a domain: sshd : .mydomain.com : allow
    • Save the file. The changes will take effect immediately.
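
Added example (not part of the original post): a shell check, runnable in the Cygwin bash window, that audits an authorized_keys file against the step 7 pattern and flags any key lacking the forced svnserve -t command, the -r root, --tunnel-user, or one of the four no-* restrictions. The function names are this example's own, and the key material and user names in the sample are constructed placeholders.

```shell
# Added example: audit authorized_keys entries against the step 7 pattern.
# Assumes command="..." is the first option and holds no escaped quotes.
REQUIRED="no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty"

# check_entry LINE: print the first problem found and return 1, else return 0.
check_entry() {
    cmd=$(printf '%s\n' "$1" | sed -n 's/^command="\([^"]*\)".*/\1/p')
    opts=$(printf '%s\n' "$1" | sed -n 's/^command="[^"]*"\([^ ]*\) .*/\1/p')
    [ -n "$cmd" ] || { echo "no forced command: key allows a normal login"; return 1; }
    case " $cmd " in
        *svnserve*" -t "*) ;;
        *) echo "forced command is not 'svnserve -t'"; return 1 ;;
    esac
    case " $cmd " in
        *" -r "?*) ;;
        *) echo "missing -r: repository root is not pinned"; return 1 ;;
    esac
    case " $cmd " in
        *" --tunnel-user="[a-zA-Z0-9]*) ;;
        *) echo "missing --tunnel-user: key not tied to an svn user"; return 1 ;;
    esac
    for o in $REQUIRED; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "missing option $o"; return 1 ;;
        esac
    done
    return 0
}

# audit_file FILE: report every non-compliant key line; return 1 if any.
audit_file() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        why=$(check_entry "$line") || { echo "line $n: $why"; bad=1; }
    done < "$1"
    return "$bad"
}
# Constructed sample: placeholder key material, not real keys.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
command="svnserve -t -r d:/svn_repos/ --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER harry-key
ssh-rsa AAAAB3PLACEHOLDER sally-key
command="svnserve -t -r d:/svn_repos/ --tunnel-user=tom",no-port-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER tom-key
EOF
audit_file "$SAMPLE" || echo "authorized_keys needs fixing"
```

To check the real file, run audit_file /home/svnuser/.ssh/authorized_keys after each key is added in step 7.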

Part 2: Client Setup
  1. Copy or download PuTTY and Pageant (from here) and place the EXEs in any folder (e.g. d:\_svnuse)
  2. Put the Putty private key (e.g. svnharrykey.ppk) into the same folder.
  3. Double-click on putty.exe to create a new session:
    • Session:
      • HostName: Username @ Hostname/IP of the server (e.g. svnuser@myhost.com)
      • Protocol: SSH
      • Saved Sessions: Any name (e.g. svnsession)
    • Connection: SSH:
      • Preferred SSH Protocol version: 2
    • Go back to Session node, click save. Close the program.
  4. In the same folder, create a batch file named “runpageant.bat”, put the following line (replace with your paths and private key name):
    start "Pageant" "d:\_svnuse\pageant.exe" d:\_svnuse\svnharrykey.ppk
  5. Create a shortcut of runpageant.bat and drag it into All Programs > Startup.
  6. When the runpageant.bat is executed, key in the passphrase when prompted.
  7. Accessing svn repository via TortoiseSvn:
    • Using the address as below:
      • svn+ssh://svnsession/Repo_ProjectName/Trunk

Reference: File Versions Used:
Subversion (svn): 1.4.5
TortoiseSVN: 1.4.8.12137 (win32)
Cygwin: 1.5.25-14
Putty, Puttygen, Pageant: 0.60


Additional Resources:
Subversion: Post-Commit Email Notification


