{"id":698,"date":"2015-04-15T01:54:25","date_gmt":"2015-04-15T10:54:25","guid":{"rendered":"http:\/\/blog.box.kr\/?p=698"},"modified":"2015-04-15T01:54:25","modified_gmt":"2015-04-15T10:54:25","slug":"securing-svnserve-using-ssh","status":"publish","type":"post","link":"https:\/\/blog.box.kr\/?p=698","title":{"rendered":"Securing Svnserve using SSH"},"content":{"rendered":"<div class=\"post\">\n<p class=\"title\"><a href=\"http:\/\/tortoisesvn.net\/ssh_howto.html\">http:\/\/tortoisesvn.net\/ssh_howto.html<\/a><\/p>\n<h1 class=\"title\">Securing Svnserve using SSH<\/h1>\n<div class=\"entry\">\n<p>This section provides a step-by-step guide to setting up Subversion and TortoiseSVN to use the <code>svn+ssh<\/code> protocol. If you already use authenticated SSH connections to login to your server, then you are already there and you can find more detail in the Subversion book. If you are not using SSH but would like to do so to protect your Subversion installation, this guide gives a simple method which does not involve creating a separate SSH user account on the server for every subversion user.<\/p>\n<p>In this implementation we create a single SSH user account for all subversion users, and use different authentication keys to differentiate between the real Subversion users.<\/p>\n<p>In this appendix we assume that you already have the subversion tools installed, and that you have created a repository as detailed elsewhere in this manual. Note that you should <em>not<\/em> start svnserve as a service or daemon when used with SSH.<\/p>\n<p>Much of the information here comes from a tutorial provided by Marc Logemann, which has been archived at <a href=\"http:\/\/tortoisesvn.net\/ssh_howto_logemann.html\">tortoisesvn.net<\/a>. Additional information on setting up a Windows server was provided by Thorsten M\u00fcller. Thanks guys!<\/p>\n<p>You can also watch a video tutorial created by Maximo Migliari which takes you through all the important steps. 
Watch it on <a href=\"http:\/\/www.vimeo.com\/5378553\">Vimeo<\/a> or <a href=\"http:\/\/www.youtube.com\/watch?v=BoKHoRWu4EE\">YouTube<\/a>.<\/p>\n<h2>Setting Up a Linux Server<\/h2>\n<p>You need to have SSH enabled on the server, and here we assume that you will be using OpenSSH. On most distributions this will already be installed. To find out, look for running sshd processes by typing:<\/p>\n<pre>ps xa | grep sshd\n<\/pre>\n<p>One point to note is that if you build Subversion from source and do not provide any argument to <cite>.\/configure<\/cite>, Subversion creates a <cite>bin<\/cite> directory under <cite>\/usr\/local<\/cite> and places its binaries there. If you want to use tunneling mode with SSH, you have to be aware that the user logging in via SSH needs to execute the svnserve program and some other binaries. For this reason, either place <cite>\/usr\/local\/bin<\/cite> into the <code>PATH<\/code> variable or create symbolic links of your binaries to the <cite>\/usr\/sbin<\/cite> directory, or to any other directory which is commonly in the <code>PATH<\/code>.<\/p>\n<p>To check that everything is OK, log in as the target user with SSH and test whether svnserve is now found on the <code>PATH<\/code> by typing:<\/p>\n<pre>which svnserve\n<\/pre>\n<p>Create a new user which we will use to access the svn repository:<\/p>\n<pre>useradd -m svnuser\n<\/pre>\n<p>Be sure to give this user full access rights to the repository.<\/p>\n<h2>Setting Up a Windows Server<\/h2>\n<p>Install the Cygwin SSH daemon as described in <a href=\"http:\/\/www.antedes.com\/blog\/network\/how-to-install-openssh-sshd-server-and-sftp-server-on-a-windows-xp\">this article<\/a>.<\/p>\n<p>Create a new Windows user account <code>svnuser<\/code> which we will use to access the repository. 
Be sure to give this user full access rights to the repository.<\/p>\n<p>If there is no password file yet then create one from the Cygwin console using:<\/p>\n<pre>mkpasswd -l &gt; \/etc\/passwd\n<\/pre>\n<h2>SSH Client Tools for use with TortoiseSVN<\/h2>\n<p>Grab the tools we need for using SSH on the Windows client from the <a href=\"http:\/\/www.chiark.greenend.org.uk\/~sgtatham\/putty\/\">PuTTY site<\/a>. Just go to the download section and get <cite>Putty<\/cite>, <cite>Plink<\/cite>, <cite>Pageant<\/cite> and <cite>Puttygen<\/cite>.<\/p>\n<h2>Creating OpenSSH Certificates<\/h2>\n<p>The next step is to create a key pair for authentication. There are two possible ways to create keys. The first is to create the keys with PuTTYgen on the client, upload the public key to your server and use the private key with PuTTY. The other is to create the key pair with the OpenSSH tool ssh-keygen, download the private key to your client and convert the private key to a PuTTY-style private key.<\/p>\n<h3>Create Keys using ssh-keygen<\/h3>\n<p>Log in to the server as <code>root<\/code> or <code>svnuser<\/code> and type:<\/p>\n<pre>ssh-keygen -b 1024 -t dsa -N passphrase -f keyfile\n<\/pre>\n<p>substituting a real pass-phrase (which only you know) and key file. We have just created a 1024-bit SSH2 DSA key. Note that a passphrase given with <code>-N<\/code> is visible in your shell history and in the process list while ssh-keygen runs; omit <code>-N<\/code> and ssh-keygen will prompt for it instead. Also note that OpenSSH 7.0 and later no longer accept DSA keys by default, so on a current server generate an RSA or Ed25519 key instead (for example <code>-t ed25519<\/code> without the <code>-b<\/code> option). If you type<\/p>\n<pre>ls -l keyfile*\n<\/pre>\n<p>you will see two files, <cite>keyfile<\/cite> and <cite>keyfile.pub<\/cite>. As you might guess, the <cite>.pub<\/cite> file is the public key file, the other is the private one.<\/p>\n<p>Append the public key to those in the <cite>.ssh<\/cite> folder within the <code>svnuser<\/code> home directory:<\/p>\n<pre>cat keyfile.pub &gt;&gt; \/home\/svnuser\/.ssh\/authorized_keys\n<\/pre>\n<p>In order to use the private key we generated, we have to convert it to PuTTY format, because the private key file format is not specified by a standards body. 
After you download the private key file to your client PC, start PuTTYgen and use <strong>Conversions -&gt; Import key<\/strong>. Browse to the file <cite>keyfile<\/cite> which you got from the server and enter the passphrase you used when creating the key. Finally click on <strong>Save private key<\/strong> and save the file as <cite>keyfile.PPK<\/cite>.<\/p>\n<h3>Create Keys using PuTTYgen<\/h3>\n<p>Use PuTTYgen to generate a public-key\/private-key pair and save it. Copy the public key to the server and append it to those in the <cite>.ssh<\/cite> folder within the <code>svnuser<\/code> home directory. Use the single-line OpenSSH-format key shown in PuTTYgen&#8217;s text box rather than the multi-line file written by <strong>Save public key<\/strong>, since <cite>authorized_keys<\/cite> expects one key per line:<\/p>\n<pre>cat keyfile.pub &gt;&gt; \/home\/svnuser\/.ssh\/authorized_keys\n<\/pre>\n<h2>Test using PuTTY<\/h2>\n<p>To test the connection we will use PuTTY. Start the program and on the <strong>Session<\/strong> tab set the hostname to the name or IP address of your server, the protocol to SSH and save the session as <code>SvnConnection<\/code> or whatever name you prefer. On the <strong>SSH<\/strong> tab set the preferred SSH protocol version to 2 and from <strong>Auth<\/strong> set the full path to the <code>.PPK<\/code> private key file you converted earlier. Go back to the <strong>Session<\/strong> tab and hit the <strong>Save<\/strong> button. You will now see <code>SvnConnection<\/code> in the list of saved sessions.<\/p>\n<p>Click on <strong>Open<\/strong> and you should see a telnet style login prompt. Use <code>svnuser<\/code> as the user name and if all is well you should connect directly without being prompted for a password.<\/p>\n<p>You may need to edit <cite>\/etc\/sshd_config<\/cite> on the server. Edit lines as follows and restart the SSH service afterwards. These settings allow only key-based logins, which is what makes the per-key restrictions in <cite>authorized_keys<\/cite> described in the next section effective.<\/p>\n<pre>PubkeyAuthentication yes\nPasswordAuthentication no\nPermitEmptyPasswords no\nChallengeResponseAuthentication no<\/pre>\n<h2>Testing SSH with TortoiseSVN<\/h2>\n<p>So far we have only tested that you can log in using SSH. 
Now we need to make sure that the SSH connection can actually run svnserve. On the server modify <cite>\/home\/svnuser\/.ssh\/authorized_keys<\/cite> as follows to allow many subversion authors to use the same system account, <code>svnuser<\/code>. Note that every subversion author uses the same login but a different authentication key, thus you have to add one line for every author. Note: This is all on one very long line.<\/p>\n<pre>command=\"svnserve -t -r &lt;ReposRootPath&gt; --tunnel-user=&lt;author&gt;\",\n         no-port-forwarding,no-agent-forwarding,no-X11-forwarding,\n         no-pty ssh-rsa &lt;PublicKey&gt; &lt;Comment&gt;<\/pre>\n<p>The <code>command=<\/code> option makes sshd run svnserve in tunnel mode whatever command the client asks for, and the <code>no-<\/code> options deny port forwarding, agent forwarding, X11 forwarding and a terminal, so the holder of that key gets Subversion access and nothing else. There are several values that you need to set according to your setup.<\/p>\n<p><code>&lt;ReposRootPath&gt;<\/code> should be replaced with the path to the directory containing your repositories. This avoids the need to specify full server paths within URLs. Note that you must use forward slashes even on a Windows server, e.g. <cite>c:\/svn\/reposroot<\/cite>. In the examples below we assume that you have a repository folder within the repository root called <cite>repos<\/cite>.<\/p>\n<p><code>&lt;author&gt;<\/code> should be replaced with the svn author that you want to be stored on commit. This also allows svnserve to use its own access rights within <cite>svnserve.conf<\/cite>.<\/p>\n<p><code>&lt;PublicKey&gt;<\/code> should be replaced with the public key that you generated earlier, in single-line OpenSSH form. The type prefix must match the key: <code>ssh-rsa<\/code> for an RSA key, <code>ssh-dss<\/code> for the DSA key created with ssh-keygen above, so copy it from the <cite>.pub<\/cite> file rather than from this example.<\/p>\n<p><code>&lt;Comment&gt;<\/code> can be any comment you like, but it is useful for mapping an svn author name to the person&#8217;s real name.<\/p>\n<p>Right click on any folder in Windows Explorer and select <strong>TortoiseSVN -&gt; Repo-Browser<\/strong>. You will be prompted to enter a URL, so enter one in this form:<\/p>\n<pre>svn+ssh:\/\/svnuser@SvnConnection\/repos\n<\/pre>\n<p>What does this URL mean? The scheme name is <code>svn+ssh<\/code> which tells TortoiseSVN how to handle the requests to the server. 
After the double slash, you specify the user to connect to the server, in our case <code>svnuser<\/code>. After the <code>@<\/code> we supply our PuTTY session name. This session name contains all details like where to find the private key and the server&#8217;s IP or DNS. Lastly we have to provide the path to the repository, relative to the repository root on the server, as specified in the <cite>authorized_keys<\/cite> file.<\/p>\n<p>Click on <strong>OK<\/strong> and you should be able to browse the repository content. If so you now have a running SSH tunnel in conjunction with TortoiseSVN.<\/p>\n<p>Note that by default TortoiseSVN uses its own version of Plink to connect. This avoids a console window popping up for every authentication attempt, but it also means that there is nowhere for error messages to appear. If you receive the error <q>Unable to write to standard output<\/q>, you can try specifying Plink as the client in TortoiseSVN&#8217;s network settings. This will allow you to see the real error message generated by Plink.<\/p>\n<h2>SSH Configuration Variants<\/h2>\n<p>One way to simplify the URL in TortoiseSVN is to set the user inside the PuTTY session. For this you have to load your already defined session <code>SvnConnection<\/code> in PuTTY and in the <strong>Connection<\/strong> tab set <strong>Auto login user<\/strong> to the user name, e.g. <code>svnuser<\/code>. Save your PuTTY session as before and try the following URL inside TortoiseSVN:<\/p>\n<pre>svn+ssh:\/\/SvnConnection\/repos\n<\/pre>\n<p>This time we only provide the PuTTY session <code>SvnConnection<\/code> to the SSH client TortoiseSVN uses (TortoisePlink.exe). This client will check the session for all necessary details.<\/p>\n<p>At the time of writing PuTTY does not check all saved configurations, so if you have multiple configurations with the same server name, it will pick the first one which matches. 
Also, if you edit the default configuration and save it, the auto login user name is <em>not<\/em> saved.<\/p>\n<p>Many people like to use Pageant for storing all their keys. Because a PuTTY session is capable of storing a key, you don&#8217;t always need Pageant. But imagine you want to store keys for several different servers; in that case you would have to edit the PuTTY session over and over again, depending on the server you are trying to connect with. In this situation Pageant makes perfect sense, because when PuTTY, Plink, TortoisePlink or any other PuTTY-based tool is trying to connect to an SSH server, it checks all private keys that Pageant holds to initiate the connection.<\/p>\n<p>For this task, simply run Pageant and add the private key. It should be the same private key you defined in the PuTTY session above. If you use Pageant for private key storage, you can delete the reference to the private key file in your saved PuTTY session. You can add more keys for other servers, or other users of course.<\/p>\n<p>If you don&#8217;t want to repeat this procedure after every reboot of your client, you should place Pageant in the auto-start group of your Windows installation. You can append the keys with complete paths as command line arguments to Pageant.exe.<\/p>\n<p>The last way to connect to an SSH server is simply by using this URL inside TortoiseSVN:<\/p>\n<pre>svn+ssh:\/\/svnuser@100.101.102.103\/repos\nsvn+ssh:\/\/svnuser@mydomain.com\/repos<\/pre>\n<p>As you can see, we don&#8217;t use a saved PuTTY session but an IP address (or domain name) as the connection target. We also supply the user, but you might ask how the private key file will be found. Because TortoisePlink.exe is just a modified version of the standard Plink tool from the PuTTY suite, TortoiseSVN will also try all the keys stored in Pageant.<\/p>\n<p>If you use this last method, be sure you do not have a default username set in PuTTY. 
We have had reports of a bug in PuTTY causing connections to close in this case. To remove the default user, simply clear <code>HKEY_CURRENT_USER\\Software\\SimonTatham\\Putty\\Sessions\\Default%20Settings\\HostName<\/code>.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>http:\/\/tortoisesvn.net\/ssh_howto.html Securing Svnserve using SSH This section provides a step-by-step guide to setting up Subversion and TortoiseSVN to use the svn+ssh protocol. If you already use authenticated SSH connections to login to your server, then you are already there and you can find more detail in the Subversion book. If you are not using SSH but would like to do so to protect your Subversion installation, this guide gives a simple method which does not involve creating a separate SSH user account on the server for every subversion user. In this implementation we create a single SSH user account for all subversion users, and use different authentication keys to differentiate between the real Subversion users. In this appendix we assume that you already have the subversion tools installed, and that you have created a repository as detailed elsewhere in this manual. Note that you should not start svnserve as a service or daemon when used with SSH. Much of the information here comes from a tutorial provided by Marc Logemann, which has been archived at tortoisesvn.net. Additional information on setting up a Windows server was provided by Thorsten M\u00fcller. Thanks guys! 
You can also watch a video tutorial created by [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"ngg_post_thumbnail":0,"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[5],"tags":[],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5q9Zn-bg","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/blog.box.kr\/index.php?rest_route=\/wp\/v2\/posts\/698"}],"collection":[{"href":"https:\/\/blog.box.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.box.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.box.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.box.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=698"}],"version-history":[{"count":0,"href":"https:\/\/blog.box.kr\/index.php?rest_route=\/wp\/v2\/posts\/698\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.box.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.box.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=698"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.box.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}