Monday, March 23, 2015

svn - SSH + svnserve -t command, while still allowing shell access



I'm having some trouble configuring a website hosting server (ex. website.com) that only has one primary user account (ex. ownername), to allow the following:




  • Users me and friend appear as the usernames in svn log entries, and

  • Users me and friend have shell access via SSH



So, I set up my private/public key pair on my local machine (laptop) and copied the public key to website.com's /home/ownername/.ssh/authorized_keys file. I added this command argument to the line:



command="svnserve -t --tunnel-user=me -r /home/ownername/" ssh-rsa A...eQ== laptoplogin@laptop


Where /home/ownername/svn/ is the location of the Subversion repository. This allows me to use:




[laptop]$ svn co svn+ssh://ownername@website.com/svn/ project


and any changes I make to project using Subversion have me listed as the user in the change comments, which is great.



However, when I go to log in via ssh:



[laptop]$ ssh ownername@website.com
( success ( 1 2 ( ANONYMOUS ) ...
Connection closed.

[laptop]$


So, is what I'm trying to do even possible? I honestly don't know enough about ssh tunnels to know what to do. There are numerous websites which discuss limiting or removing shell access to svn clients, but of course I want the shell access in addition to a custom username for me and friend.



Any help is appreciated!



Solution:



I simply set up two different id_rsa keys: id_rsa_shell and id_rsa_svn. I appended these to the server's .ssh/authorized_keys file. Then, for the "shell" key I put no command, and the "svn" key the svnserve with arguments. Then, on the laptop, I set up the .ssh/config file to have two entries: website-shell and website-svn, each with IdentityFile set to point to the respective keys. ssh website-shell worked as expected. For the svn command, in .subversion/config, under [tunnels] I put:




website = ssh -p XXXX -i /home/emptyset/.ssh/id_rsa_svn


Now, this got my checkout working:



$ svn co svn+website://website-svn/svn checkoutdirectory


Testing the commits verified the svnserve --tunnel-user argument worked to put my alias in the svn commit. Note it respects the website-svn alias defined in .ssh/config.




Sweet. :)


Answer



I wanted to comment on this yesterday but backed off waiting for someone more knowledgeable in this particular setup. Working from what you have said, you can set up multiple users on the same account by having separate keys, each set up to a different command structure. I.e., user Bob would have a key
command="svnserve -t --tunnel-user=Bob -r /home/ownername/" ssh-rsa A...eQ== laptoplogin@laptop



and Jane would be
command="svnserve -t --tunnel-user=Jane -r /home/ownername/" ssh-rsa someother..eQ== laptoplogin@laptop



Now by the same logic you could set up a third shared key between you that just executes bash, or share the account password to log in without keyless ssh and get access to the shell.




That being said, on an aside, you may just want to take a look at Mercurial or Git, both of which make centrally hosted development on a repository dead-simple and are far more powerful and flexible than svn.
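
An added example, not part of the original question or answer: a Python audit of an authorized_keys file laid out as described above, reporting which keys open an unrestricted shell, which are pinned to svnserve with a --tunnel-user, and which forced-command keys lack sshd's lockdown options (restrict, or the four no-* options). The sample file, key blobs and key comments are constructed placeholders.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# sshd key options that strip forwarding and terminal features from a key.
LOCKDOWN = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

def parse_line(line):
    """Return (options, key_comment) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    field = ""
    if not line.startswith(KEY_TYPES):
        # The options field ends at the first whitespace outside double quotes.
        m = re.match(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+', line)
        if m is None:
            return None
        field, line = m.group(0), line[m.end():].lstrip()
    options = {}
    # Options are separated by commas that sit outside double quotes.
    for opt in re.findall(r'(?:[^,"]|"(?:\\.|[^"\\])*")+', field):
        name, _, value = opt.partition("=")
        options[name.lower()] = value[1:-1] if value.startswith('"') else value
    parts = line.split(None, 2)
    return options, parts[2] if len(parts) > 2 else ""

def audit(text):
    """Classify each key: plain shell, or forced command with missing lockdown."""
    report = []
    for options, comment in filter(None, map(parse_line, text.splitlines())):
        command = options.get("command")
        if command is None:
            report.append((comment, "shell", None, []))
            continue
        user = re.search(r"--tunnel-user=(\S+)", command)
        missing = [] if "restrict" in options else sorted(LOCKDOWN - set(options))
        report.append((comment, "forced", user.group(1) if user else None, missing))
    return report

# Constructed sample: key blobs are placeholders, not real keys.
SAMPLE = '''\
# two keys for "me" (shell and svn), one svn-only key for "friend"
ssh-rsa AAAA_PLACEHOLDER_1 me-shell@laptop
command="svnserve -t --tunnel-user=me -r /home/ownername/" ssh-rsa AAAA_PLACEHOLDER_2 me-svn@laptop
restrict,command="svnserve -t --tunnel-user=friend -r /home/ownername/" ssh-rsa AAAA_PLACEHOLDER_3 friend-svn@laptop
'''
if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A forced-command key with a non-empty last field can still request port or agent forwarding; the shell key, having no command, is the only one that should be able to open a login session.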

