SVN over SSH with multiple svn users and a single unix account without shell access (Unix / Linux client configuration)

Our goal in this three-part tutorial is to provide multiple users access to an SVN server running a recent version of Ubuntu Linux through the SSH protocol. In SVN language, this combination of protocols is called svn+ssh. The straightforward way would be to create a unix user account for every SVN user and let them tunnel to the SVN server. However, giving all these users shell access to the server is a potential security issue and goes far beyond the initial purpose of just giving access to the SVN server. As a solution, we will create a single unix user account that is not allowed to have any shell access, and let the SVN users connect through this user account to the SVN server.

This second part of the tutorial focuses on the configuration of a Unix / Linux client. It is fairly distribution independent and will work on all of Ubuntu, Fedora, Suse, Debian, Mint and beyond. The first part of the tutorial covered the server-side configuration, whereas the third and last part illustrates the client-side configuration on Windows platforms.

Client-side configuration on Unix / Linux systems

As stated in the server-side configuration, the private key file id_rsa needs to be distributed to the user on the client side. He or she will use the private key to connect to the SVN server. As the private key alone is enough to establish the connection, it needs to be stored in a safe place on the computer (and may additionally be protected by a passphrase, see ssh-keygen above).

In general, the server’s URL in the svn command configures the protocol to be used. So

svn list svn+ssh://sshsvn@SERVER_ADDRESS/@

will establish a connection to the SVN server at SERVER_ADDRESS via the combination of SSH and SVN protocols for SSH user sshsvn (remember that we connect to the server as user sshsvn and distinguish different SVN users by the private key used). Please note the trailing @ that is necessary to access the SVN server’s root level. If you get

svn: Syntax error parsing revision 'SERVER_ADDRESS'

errors, you forgot the trailing @.

But how do we tell the svn command to use the provided private key? There are two solutions for this. First, we may add the private key to the SSH authentication agent,

ssh-add /path/to/id_rsa

Please note that this adds the private key only temporarily. For permanent solutions, see here for example.

The second way, which I prefer, is to set the SSH command to be used by SVN with the SVN_SSH environment variable,

SVN_SSH="ssh -i /path/to/id_rsa" svn list svn+ssh://sshsvn@SERVER_ADDRESS/@
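The following wrapper is an added example, not part of the original tutorial. It checks that the key file is not readable by other users before building the SVN_SSH value, and adds IdentitiesOnly=yes so that only the given key is offered. The function names, the key path and the usage line are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Key path and server are placeholders.

# Succeeds only if KEY is a regular file with no group/other permission bits;
# ssh itself refuses private keys that other users can read.
key_mode_ok() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Prints the SVN_SSH value for KEY, or fails if the key file is unsafe.
# IdentitiesOnly=yes stops ssh from offering keys held by the agent; the server
# maps the accepted key to an SVN user, so another key means another identity.
svn_ssh_for_key() {
    case $1 in
        # SVN_SSH is split into words, so this example refuses such paths.
        *[[:space:]]*) echo "key path contains whitespace: $1" >&2; return 1 ;;
    esac
    if ! key_mode_ok "$1"; then
        echo "refusing $1: missing or accessible by group/others (chmod 600)" >&2
        return 1
    fi
    printf 'ssh -i %s -o IdentitiesOnly=yes\n' "$1"
}

# Runs svn with the given key: svn_with_key KEY SVN_ARGS...
svn_with_key() {
    key=$1; shift
    svn_ssh=$(svn_ssh_for_key "$key") || return 1
    SVN_SSH=$svn_ssh svn "$@"
}

# Usage (placeholder values):
#   svn_with_key /path/to/id_rsa list svn+ssh://sshsvn@SERVER_ADDRESS/@
```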

Summary

We have seen how to connect from a Unix / Linux system to an SSH/SVN server with a private key for the SSH connection. The server will decide, based on the matching public key, which SVN user account is used for the SVN connection.

Further Reading

Apart from the man pages of the referenced commands, the main sources for this tutorial have been

This is part two in a series of three tutorials:
