[TAG] SVN authentication

Francis Daly francis at daoine.org
Sat Mar 19 20:36:58 MSK 2011


On Sat, Mar 19, 2011 at 12:20:10PM -0400, Ben Okopnik wrote:
> On Sat, Mar 19, 2011 at 03:46:15PM +0000, Francis Daly wrote:
> > On Fri, Mar 18, 2011 at 10:06:01AM -0400, Ben Okopnik wrote:

Hi there,

> > > command="svnserve -t --tunnel-user=joe",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAKOCcqOj4...

> > """
> > the --tunnel-user option tells svnserve to assume that the named argument
> > is the authenticated user. Without --tunnel-user, it would appear as
> > though all commits were coming from the one shared system account.
> > """
> 
> Hmm, odd - we've been doing this "--tunnel-user" stuff for a year now,
> and the logs have always just read "gazette". It makes sense, but I
> guess something else is needed to make it work.

Yes, curious. I've just set up a quick test on a recent Debian box with

$ svn --version
svn, version 1.6.12 (r955767)
   compiled Mar  1 2011, 22:17:06

and I'm seeing it use the tunnel-user name. This is pretty much defaults
all the way, as far as I can see.

> > but possibly the sshd_config already enforces the
> > no-*-forwarding rule for the gazette user.)
> 
> Heh, you've caught me. I snipped all that stuff just so I wouldn't have
> to wrap the line; it's actually

Oh, editing for brevity is fine. Once the live server has the appropriate
config (and that config doesn't need to be shown to the Bad Guys),
it's all good.

> > So if you test with two different ssh keys, and modify a file each time,
> > then a later "svn log" should (hopefully) show that two different users
> > had been there.
> 
> Hmm? I don't quite get this. Everybody does indeed use their own SSH
> key.

I'll show what I did -- but note that it's perfectly sensible to skip
doing anything else on this until after the current production cycle!

===
user$ ssh-keygen # save as /tmp/id_rsa.svn0
user$ ssh-keygen # save as /tmp/id_rsa.svn1
root# adduser svntest # all the usual suspects
root# su - svntest
$ svnadmin create repo
$ mkdir .ssh
$ cat /tmp/id_rsa.svn?.pub > .ssh/authorized_keys
$ sed -i 's/^/command="svnserve -t --tunnel-user=u0",no-pty /' .ssh/authorized_keys
$ sed -i 2s/u0/u1/ .ssh/authorized_keys
$ mkdir work; cd work
# Now put some files in
$ echo a > a; echo b > b; echo c > c;
$ svn import -m "initial import as svntest" . file:///home/svntest/repo
$ exit

user$ SVN_SSH='/usr/bin/ssh -l svntest -i /tmp/id_rsa.svn0'
user$ export SVN_SSH
user$ svn log svn+ssh://localhost/home/svntest/repo
# shows "r1 | svntest"
user$ svn co svn+ssh://localhost/home/svntest/repo
user$ cd repo
user$ echo a >> a
user$ svn ci -m "append to a with svn0 key" .
user$ SVN_SSH='/usr/bin/ssh -l svntest -i /tmp/id_rsa.svn1'
user$ echo a >> a
user$ svn ci -m "append to a with svn1 key" .
user$ svn log svn+ssh://localhost/home/svntest/repo
# shows "r3 | u1", "r2 | u0", "r1 | svntest"
user$ svn update
user$ svn log
# shows the same
===

The only mention of "u0" and "u1" is as tunnel-user, and it appears in
the logs. I'm not sure how that differs from your setup.

> > But maybe it's already perfect.
> 
> Not quite yet - having the log be stamped with the right name would be
> quite nice albeit not 100% necessary - but it's all definitely workable.

For a short-notice major overhaul, "workable" *is* "perfect" :-)

Cheers,

	f
-- 
Francis Daly        francis at daoine.org
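The two sed steps in the test above build the authorized_keys entries by hand. As an added example (not part of this mail, and not tooling from Subversion or OpenSSH), the POSIX shell script below does the same job for a shared svn+ssh account and adds the check a maintainer of such a setup would want: one line per committer, the tunnel user taken from the key file's name rather than from anything the committer typed, the full restriction set (no-pty plus the no-*-forwarding options that were snipped from the quoted line), and an audit that reports any key on the account that lacks them. The keys/<tunnel-user>.pub layout, the function names and the key blobs are assumptions; the blobs in the demo are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the mail): generate and audit authorized_keys lines
# for a shared svn+ssh account, one forced-command entry per committer.
# Assumptions: public keys sit one per file, the file's base name is the
# tunnel user (keys/u0.pub -> --tunnel-user=u0), and the key blobs in demo()
# are constructed placeholders, not real keys.

# Every key on the shared account gets the forced command plus these options,
# so a stolen key yields svnserve and nothing else: no shell, no PTY, no tunnels.
SVN_KEY_OPTS='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'

# mk_svn_key_line USER PUBKEYFILE
# Prints one authorized_keys line; fails on a suspicious user name or key type.
mk_svn_key_line() {
    _user=$1
    _pub=$2
    # The user name lands inside command="..."; a quote, space or ';' in it
    # would change the forced command, so allow only a conservative charset.
    case $_user in
        '' | *[!A-Za-z0-9._-]*)
            echo "mk_svn_key_line: refusing tunnel user '$_user'" >&2
            return 1 ;;
    esac
    # Keep only key type and base64 blob; the committer's own comment is
    # dropped and replaced by the tunnel user so the file reads clearly.
    read -r _type _blob _comment < "$_pub" || [ -n "$_blob" ] || return 1
    case $_type in
        ssh-rsa | ssh-dss | ssh-ed25519 | ecdsa-sha2-*) ;;
        *)
            echo "mk_svn_key_line: unknown key type '$_type' in $_pub" >&2
            return 1 ;;
    esac
    printf 'command="svnserve -t --tunnel-user=%s",%s %s %s %s\n' \
        "$_user" "$SVN_KEY_OPTS" "$_type" "$_blob" "$_user"
}

# build_svn_authorized_keys KEYDIR OUTFILE
# Writes OUTFILE from every KEYDIR/*.pub; on any error leaves no partial file.
build_svn_authorized_keys() {
    _dir=$1
    _out=$2
    _tmp=$_out.tmp.$$
    : > "$_tmp"
    for _f in "$_dir"/*.pub; do
        _u=${_f##*/}
        _u=${_u%.pub}
        mk_svn_key_line "$_u" "$_f" >> "$_tmp" || { rm -f "$_tmp"; return 1; }
    done
    chmod 600 "$_tmp" && mv "$_tmp" "$_out"
}

# audit_svn_authorized_keys FILE
# Prints "FILE:LINE: missing OPTION" for each gap; returns 1 if any key line
# could give its holder a shell, a PTY or a forwarded port.
audit_svn_authorized_keys() {
    _file=$1
    _rc=0
    _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case $_line in '' | '#'*) continue ;; esac
        for _opt in 'command="svnserve -t --tunnel-user=' \
                    no-pty no-port-forwarding no-X11-forwarding no-agent-forwarding; do
            case $_line in
                *"$_opt"*) ;;
                *) echo "$_file:$_n: missing $_opt"; _rc=1 ;;
            esac
        done
    done < "$_file"
    return $_rc
}

# Demo mirroring the two-key test in the mail, with constructed (fake) keys.
demo() {
    _d=$(mktemp -d) || return 1
    mkdir "$_d/keys"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKE u0@laptop\n' > "$_d/keys/u0.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEFAKEFAKEFAKEFAKE u1@desk\n' > "$_d/keys/u1.pub"
    build_svn_authorized_keys "$_d/keys" "$_d/authorized_keys"
    cat "$_d/authorized_keys"
    audit_svn_authorized_keys "$_d/authorized_keys" && echo "audit: all keys restricted"
    # A line the way it was first quoted in the thread (no-pty only) fails the audit.
    printf 'command="svnserve -t --tunnel-user=joe",no-pty ssh-dss AAAAB3NzaC1kc3MFAKE joe\n' \
        >> "$_d/authorized_keys"
    audit_svn_authorized_keys "$_d/authorized_keys" || echo "audit: found under-restricted keys"
    rm -rf "$_d"
}

demo
```

The audit only looks at per-key options. If a site instead enforces the restrictions in sshd_config with a Match User block for the shared account (AllowTcpForwarding no, X11Forwarding no, and so on), as the thread speculates, the audit will still report them as missing from the key lines; treat its output as "not restricted here" rather than "not restricted anywhere" in that case.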


