SVN over SSH with multiple svn users and a single unix account without shell access (Server-side configuration)

Our goal in this three-part tutorial is to give multiple users access to an SVN server running a recent version of Ubuntu Linux through the SSH protocol. In SVN terms, this combination of protocols is called svn+ssh. The straightforward way would be to create a unix user account for every SVN user and let them tunnel to the SVN server. However, giving all these users shell access to the server is a potential security issue and goes far beyond the initial purpose of just giving access to the SVN server. Instead, we will create a single unix user account that is not allowed any shell access, and let the SVN users connect to the SVN server through this account.

This first part of the tutorial focuses on the server-side configuration. The remaining two parts illustrate the client-side configuration on Linux systems and on Windows platforms.

Server-side configuration

Let us start by creating the single unix account, which we call sshsvn. This account will be allowed to establish SSH connections to the server by means of public key authentication but not by password login, i.e. we will lock the unix account. If you want to prevent password logins for all user accounts, consider setting the PasswordAuthentication option to no in your sshd config file (typically /etc/ssh/sshd_config).

sudo adduser sshsvn

Creating the user with adduser will ask for a password, which we must provide at this point but which will never be used (as we will lock the account in the next step).

sudo usermod --lock sshsvn

For the new user account, we create a key pair for public key authentication.

ssh-keygen -t rsa

When asked for the file in which to save the key, enter ./id_rsa. Hit enter twice when asked for a passphrase. A passphrase could be used to protect the private key; we skip it here for the sake of brevity, but it would give additional security.

The ssh-keygen command created two files. The file id_rsa is the private key, which will be distributed to an SVN user who is allowed to connect to the server. id_rsa.pub is the public key, which validates authentication requests initiated with the private key. The following step stores the public key as a valid key for SSH authentication of the user sshsvn on the server.

sudo mkdir /home/sshsvn/.ssh/
sudo mv id_rsa.pub /home/sshsvn/.ssh/authorized_keys

Having a quick look at /home/sshsvn/.ssh/authorized_keys, we see that it holds a single line with three fields separated by spaces. The three fields are

  • TYPE: type of key (RSA in our case)
  • KEY: the public key itself
  • COMMENT: a comment (that we ignore)

Had we not locked the user sshsvn, the current setup would already give password-less, public-key-authenticated shell access via ssh. However, our goal is to restrict the sshsvn user to svn use only. This can be done by prepending a command field to the line in /home/sshsvn/.ssh/authorized_keys.

command="/path/to/svnserve -t -r /path/to/repository/root",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE KEY COMMENT

The specified command tunnels the SSH connection to the local SVN server instead of starting a shell. The no-* options further restrict what the sshsvn user can do (see the man page of ssh-keygen for details).

Providing the --tunnel-user argument to svnserve in the command string lets us define an alternate user for a given public key.

command="/path/to/svnserve -t -r /path/to/repository/root --tunnel-user=user1",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE KEY COMMENT

So finally, this gives us the possibility to use a single, locked unix user account to serve multiple svn users. For each svn user, we create a public/private key pair. Each public key is added to /home/sshsvn/.ssh/authorized_keys, and the SVN user for each public key is configured with the --tunnel-user argument. This is an abstract example of a /home/sshsvn/.ssh/authorized_keys for four users:

command="/path/to/svnserve -t -r /path/to/repository/root --tunnel-user=user1",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 COMMENT1
command="/path/to/svnserve -t -r /path/to/repository/root --tunnel-user=user2",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE2 KEY2 COMMENT2
command="/path/to/svnserve -t -r /path/to/repository/root --tunnel-user=user3",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE3 KEY3 COMMENT3
command="/path/to/svnserve -t -r /path/to/repository/root --tunnel-user=user4",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE4 KEY4 COMMENT4

After you are done updating /home/sshsvn/.ssh/authorized_keys, it is important to set proper read/write permissions on the key file to prevent other users on the system from reading the configuration.

sudo chown sshsvn:sshsvn /home/sshsvn/.ssh/authorized_keys
sudo chmod 400 /home/sshsvn/.ssh/authorized_keys

For administration of the SVN server it is important to note that tunneled users are handled as if they had already authenticated successfully, so no SVN password entry is necessary.
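As an added example (not part of the original post), the following POSIX shell helpers automate the two steps above: building a restricted authorized_keys entry for one SVN user from that user's id_rsa.pub, and auditing the finished file so that every line carries the command= restriction with a unique --tunnel-user and the file keeps its owner and 400 mode. The svnserve path /usr/bin/svnserve, the repository root /srv/svn and the function names are assumptions; override the variables for your server and run add_svn_user as root (or via sudo) so that the chown to sshsvn succeeds.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for maintaining
# /home/sshsvn/.ssh/authorized_keys as described in the tutorial.
# Assumed defaults (placeholders, override via the environment):
SVNSERVE="${SVNSERVE:-/usr/bin/svnserve}"            # assumed path to svnserve
REPO_ROOT="${REPO_ROOT:-/srv/svn}"                    # assumed repository root
KEYFILE="${KEYFILE:-/home/sshsvn/.ssh/authorized_keys}"
KEY_OWNER="${KEY_OWNER:-sshsvn:sshsvn}"               # owner[:group] of the key file
RESTRICTIONS="no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"

# Print the restricted authorized_keys line for one SVN user.
# $1 = tunnel user name, $2 = path to that user's public key (id_rsa.pub)
restricted_key_line() {
    user="$1"; pubkey_file="$2"
    # The name ends up inside the quoted command string: allow only safe characters.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid tunnel user: '$user'" >&2; return 1 ;;
    esac
    # A public key file holds TYPE KEY COMMENT on its first line.
    set -- $(head -n 1 "$pubkey_file")
    [ $# -ge 2 ] || { echo "malformed public key in $pubkey_file" >&2; return 1; }
    ktype="$1"; key="$2"; shift 2; comment="$*"
    [ -z "$comment" ] || comment=" $comment"
    printf 'command="%s -t -r %s --tunnel-user=%s",%s %s %s%s\n' \
        "$SVNSERVE" "$REPO_ROOT" "$user" "$RESTRICTIONS" "$ktype" "$key" "$comment"
}

# Append one SVN user to the key file and restore the required permissions.
add_svn_user() {
    user="$1"; pubkey_file="$2"
    if [ -f "$KEYFILE" ] && grep -qF -- "--tunnel-user=$user\"" "$KEYFILE"; then
        echo "tunnel user $user already has a key in $KEYFILE" >&2; return 1
    fi
    line=$(restricted_key_line "$user" "$pubkey_file") || return 1
    keydir=$(dirname "$KEYFILE")
    mkdir -p "$keydir" && chmod 700 "$keydir"
    [ ! -e "$KEYFILE" ] || chmod u+w "$KEYFILE"   # file is read-only after a previous run
    printf '%s\n' "$line" >> "$KEYFILE"
    chown "$KEY_OWNER" "$KEYFILE" && chmod 400 "$KEYFILE"
}

# Audit the key file: expected owner and mode, every entry restricted to
# svnserve with a --tunnel-user, and no tunnel user mapped to two keys.
audit_authorized_keys() {
    status=0
    mode=$(stat -c '%a' "$KEYFILE") || return 1
    owner=$(stat -c '%U' "$KEYFILE")
    [ "$mode" = "400" ] || { echo "$KEYFILE: mode $mode, expected 400" >&2; status=1; }
    [ "$owner" = "${KEY_OWNER%%:*}" ] || { echo "$KEYFILE: owner $owner, expected ${KEY_OWNER%%:*}" >&2; status=1; }
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) ;;   # blank lines and comments are harmless
            "command=\"$SVNSERVE -t -r $REPO_ROOT --tunnel-user="*"\",$RESTRICTIONS "*) ;;
            *) echo "$KEYFILE:$n: entry is not restricted to svnserve" >&2; status=1 ;;
        esac
    done < "$KEYFILE"
    dups=$(sed -n 's/.*--tunnel-user=\([^"]*\)".*/\1/p' "$KEYFILE" | sort | uniq -d)
    [ -z "$dups" ] || { echo "$KEYFILE: tunnel user with more than one key: $dups" >&2; status=1; }
    return $status
}

# Typical use on the server, as root:
#   add_svn_user user1 /tmp/user1_id_rsa.pub
#   audit_authorized_keys
```

The audit is worth running after every manual edit of the file: a single line without the command= prefix would hand its key holder a shell as sshsvn, and two lines with the same --tunnel-user would make SVN commit history ambiguous.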

Summary

We have seen how to configure an SSH/SVN server so that a single unix user account serves SVN over SSH for multiple SVN users. Locking this unix user prevents any shell access to the SVN server and keeps the setup focused on the primary goal of just giving safe SVN access to the users.

Further Reading

Apart from the man pages of the referenced commands, the main sources for this tutorial have been

This is part one in a series of three tutorials:


2 thoughts on “SVN over SSH with multiple svn users and a single unix account without shell access (Server-side configuration)”

  1. Pingback: SVN over SSH with multiple svn users and a single unix account without shell access (Unix / Linux client configuration) « zeroset

  2. Pingback: SVN over SSH with multiple svn users and a single unix account without shell access (Windows client configuration) « zeroset
