svn+ssh 2

Posted by Justin Weiss Fri, 18 May 2007 15:04:00 GMT

I've been using Subversion for years on my own machines to manage documents, code, and everything else I didn't want to get lost. It wasn't a perfect solution, because I needed the host machine to be turned on and on the network all the time (easier said than done) and I also needed to have the Subversion server running (which is pretty much how I learned launchd).

When I moved to a shared host that offered Subversion access, I saw how easy svn+ssh could make things. Svn+ssh will automatically spawn a svnserve process upon access using an svn+ssh:// URL, meaning the Subversion server doesn't have to be running constantly on the server machine.

Passwordless login over SSH is really cool, and it's really simple to get it working with Subversion. Right now, I have Subversion "owned" by a single user on the server, and I manage permissions using SSH keys.

First, I created a new ssh keypair, to be specifically used with Subversion:

$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/Users/justin/.ssh/id_rsa): /Users/justin/.ssh/id_rsa.subversion etc...

I then copied the contents of ~/.ssh/id_rsa.subversion.pub into the Subversion owner's ~/.ssh/authorized_keys file. This is enough to get svn+ssh working, but you'll have to use a command like this, passing in the full path to the repository:

$ svn ls svn+ssh://user@server.com/full/path/to/repository/application/trunk

I think you'll also have to specify the username/password on the command line as well, if you can commit to the repository as an alternate user at all. Finally, this can be dangerous, as it leaves the user account open to all users you've given access to.

However, adding something like the following in the ~/.ssh/authorized_keys file, on the same line as the public key you added earlier, will solve these problems:

command="/path/to/svnserve -t -r /full/path/to/repository/ --tunnel-user=user_name",no-port-forwarding,no-agent-forwarding, no-X11-forwarding,no-pty

This will connect to the repository at /full/path/to/repository/ with Subversion user user_name, disabling most of the other stuff the user would be able to do on the server.

The last thing I did is set the SVN_SSH environment variable on my local machine to point toward the key created earlier, which I did in my ~/.profile:

export SVNSSH='ssh -i /Users/justin/.ssh/idrsa.subversion'

After following these steps, you can test it out using

$ svn ls svn+ssh://user@server.com/application/trunk

That command should now work without requiring a password, or the svnserve server running on the remote machine.

I'm still having one issue with my setup -- when I give svn the root path, like:

svn ls svn+ssh://user@server.com/

I get an error:

svn: Syntax error parsing revision 'server.com'

So far I haven't found a way to resolve this that I'm satisfied with, but in reality it's not really a problem -- how often do you really access the root of your repository, anyway? If it's common, chances are the repository isn't laid out very well.