
All our SVN repositories are hosted on a dedicated machine to which all the developers have access. Every now and then we need to check out a repository on a machine we don't own or operate ourselves. Currently we all use our own system (SSH) account for this, but instead I would like to use some generic 'checkoutsvn' user that can be used for this. This user is only used for checking out from a repository, but should not be allowed to log in to the system (no shell access). I tried to do this by setting the default shell of that account to /sbin/nologin, but then SVN fails, as apparently svn+ssh requires shell access.

How do you do this? Is there a good solution for this?

vincent.io
  • I hate to answer my own question, but I found this interesting thread: http://serverfault.com/questions/11521/svnssh-security – vincent.io Nov 18 '11 at 16:58

2 Answers


My webhost has these instructions:

Using nano or an FTP client open up ~/.ssh/authorized_keys and enter the following (all on one line):

command="/usr/bin/svnserve -t -r /home/[username]/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty [public key text from id_rsa.pub]

If you want to have multiple svn users for this account, then the command in ~/.ssh/authorized_keys should also have the --tunnel-user= option given. is NOT the (web host) username; it is the name you wish the user's checkins & checkouts to show up under.

And from the svnserve man page:

-r root, --root=root
      Sets the virtual root for repositories served  by  svnserve.   The
      pathname  in URLs provided by the client will be interpreted rela‐
      tive to this root, and will not be allowed to escape this root.
Kevin
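To check that a key on the shared account really is limited as the answer above describes, the following added example (not part of the answer or the web host's instructions) parses an authorized_keys line and reports what is missing. The sample lines, the /home/example path and the key material are constructed placeholders, and treating OpenSSH's `restrict` option as equivalent to the four `no-*` options is an assumption of this sketch.

```python
import shlex

REQUIRED = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

def split_options(line):
    """Return {option: value} from one authorized_keys line ({} if none)."""
    line = line.strip()
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return {}                       # starts with the key type: no options
    opts, name, buf, quoted, i = {}, None, "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            buf += '"'                  # \" inside a quoted value
            i += 1
        elif c == '"':
            quoted = not quoted
        elif not quoted and c == "=" and name is None:
            name, buf = buf, ""
        elif not quoted and c in ", \t":
            opts[(name or buf).lower()] = buf if name is not None else True
            name, buf = None, ""
            if c != ",":
                break                   # unquoted whitespace ends the options
        else:
            buf += c
        i += 1
    return opts

def audit(line):
    """Return a list of problems; empty means the key can only run svnserve."""
    opts = split_options(line)
    cmd = opts.get("command")
    if not isinstance(cmd, str):
        return ["no forced command: the key grants a normal login"]
    argv, problems = shlex.split(cmd), []
    if not (argv and argv[0].startswith("/") and argv[0].endswith("/svnserve")):
        problems.append("forced command is not an absolute path to svnserve")
    if "-t" not in argv and "--tunnel" not in argv:
        problems.append("svnserve is not in tunnel mode (-t)")
    if not any(a == "-r" or a.startswith("--root") for a in argv):
        problems.append("no -r/--root: client paths are not confined to a root")
    if "restrict" not in opts:          # OpenSSH 'restrict' implies all of them
        problems += [f"missing {o}" for o in sorted(REQUIRED - set(opts))]
    return problems

# Constructed sample lines (placeholder key material, not real keys).
GOOD = ('command="/usr/bin/svnserve -t -r /home/example/svn",no-port-forwarding,'
        'no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA_PLACEHOLDER co')
BAD = 'command="/usr/bin/svnserve -t",no-pty ssh-rsa AAAA_PLACEHOLDER checkoutsvn'
```

Running `audit()` over every non-comment line of the account's ~/.ssh/authorized_keys gives one list per key; any non-empty list marks a key that can do more than talk to svnserve.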

After some thinking I think using svn+ssh for this is not the way to do it. Therefore I'm switching to svn over https, which offers much more fine-grained control.

vincent.io