Appendix G. Securing Svnserve using SSH

Table of Contents

Setting Up a Linux Server
Setting Up a Windows Server
SSH Client Tools for use with TortoiseSVN
Creating OpenSSH Certificates
Create Keys using ssh-keygen
Create Keys using PuTTYgen
Test using PuTTY
Testing SSH with TortoiseSVN
SSH Configuration Variants

This section provides a step-by-step guide to setting up Subversion and TortoiseSVN to use the svn+ssh protocol. If you already use authenticated SSH connections to log in to your server, then you are already there and you can find more detail in the Subversion book. If you are not using SSH but would like to do so to protect your Subversion installation, this guide gives a simple method which does not involve creating a separate SSH user account on the server for every Subversion user.

In this implementation we create a single SSH user account for all Subversion users, and use different authentication keys to differentiate between the real Subversion users.

In this appendix we assume that you already have the Subversion tools installed, and that you have created a repository as detailed elsewhere in this manual. Note that you should not start svnserve as a service or daemon when used with SSH.

Much of the information here comes from a tutorial provided by Marc Logemann, which can be found at www.logemann.org. Additional information on setting up a Windows server was provided by Thorsten Müller. Thanks guys!

Setting Up a Linux Server

You need to have SSH enabled on the server, and here we assume that you will be using OpenSSH. On most distributions this will already be installed. To find out, type:

ps xa | grep sshd

and look for sshd processes in the output.

One point to note is that if you build Subversion from source and do not provide any argument to ./configure, Subversion creates a bin directory under /usr/local and places its binaries there. If you want to use tunneling mode with SSH, you have to be aware that the user logging in via SSH needs to execute the svnserve program and some other binaries. For this reason, either add /usr/local/bin to the PATH variable or create symbolic links to your binaries in the /usr/sbin directory, or in any other directory which is commonly in the PATH.

To check that everything is OK, log in as the target user with SSH and type:

which svnserve

This command should tell you if svnserve is reachable.

Create a new user which we will use to access the svn repository:

useradd -m svnuser

Be sure to give this user full access rights to the repository.
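
Because every Subversion user shares this one account and it has full access to the repository, each public key later placed in svnuser's authorized_keys file should be pinned to svnserve and stripped of shell and forwarding features. The following audit script is an added example, not part of the original manual; it assumes the OpenSSH authorized_keys option syntax and svnserve's -t and --tunnel-user switches, and the sample entries are constructed placeholders rather than real keys.

```python
import re

# One option: name, optional ="quoted value", then "," (more options) or whitespace.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(,|\s+|$)')
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
RESTRICTIONS = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")

def parse_options(line):
    """Return the leading options of one authorized_keys line as {name: value}."""
    opts, pos = {}, 0
    if line.startswith(KEY_TYPES):       # line begins with the key type: no options
        return opts
    while True:
        m = OPTION.match(line, pos)
        if not m:
            return opts
        opts[m.group(1).lower()] = m.group(2) or ""   # option names are case-insensitive
        if m.group(3) != ",":            # whitespace ends the options field
            return opts
        pos = m.end()

def audit(text):
    """Map line number -> list of problems for keys of the shared account."""
    findings = {}
    for num, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        argv = opts.get("command", "").split()
        problems = []
        if not argv or argv[0].rsplit("/", 1)[-1] != "svnserve" or "-t" not in argv:
            problems.append("no forced 'svnserve -t' command: key gets a shell")
        elif not any(a.startswith("--tunnel-user=") and len(a) > 14 for a in argv):
            problems.append("no --tunnel-user: commits not attributed to a real user")
        if "restrict" not in opts:       # 'restrict' implies all four restrictions
            problems += ["missing " + r for r in RESTRICTIONS if r not in opts]
        if problems:
            findings[num] = problems
    return findings

SAMPLE = """\
# constructed sample, not real keys
command="svnserve -t --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA_CONSTRUCTED alice
command="svnserve -t",restrict ssh-ed25519 AAAA_CONSTRUCTED bob
ssh-rsa AAAA_CONSTRUCTED carol
command="svnserve -t --tunnel-user=dave",no-pty ssh-rsa AAAA_CONSTRUCTED dave
"""

if __name__ == "__main__":
    for num, problems in audit(SAMPLE).items():
        print(num, "; ".join(problems))
```
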