By mock on Sep 26, 2007
Before I forget how I did it, I figured I should probably document some steps on how I set up a Subversion repository on Solaris so that it can be accessed over SSH, using svn+ssh:// URLs.
The Tunneling over SSH section in the Version Control with Subversion book actually does a pretty good write up of the basics. The main tweak that I did with Solaris was to beef security slightly by creating a Solaris Role on the repository server which can only execute a limited number of subversion commands. Here's what I did.
First off, I created a RBAC profile called "Source Code Shell" which can run only the svnserve command, and runs it as the source code management user I had previously created called scm
cat >> /etc/security/exec_attr Source Code Shell:suser:cmd:::/opt/svn-1.4.0/bin/svnserve:uid=scm Source Code Shell:suser:cmd:::/opt/svn/bin/svnserve:uid=scm cat >> /etc/security/prof_attr Source Code Shell:::Access Subversion Only:
Ok that was easy enough. There are probably some more appropriate commands to use than just adding to the files directly. I should probably look into that.
Next, I need to create a role to assign this new profile to. The user name will be src
useradd -d /export/home/src -m -c "Source Code User" -s /usr/bin/pfsh -g 100 -u 242 src passwd -N src
And assign the RBAC Profile to the src user.
usermod -P "Source Code Shell" src
Now, the rest of this is pretty much all described in the "Tunneling over SSH" section mentioned earlier. Essentially what is done is to use the public-key authentication mechanisms in SSH to identify the incoming user and automatically start up the svnserve command in tunnel mode.
This is accomplished by adding lines to the src user's authorized_keys file for each user who will be accessing the repository. The one thing you need for each user is their public-key file(s), typically id_dsa.pub or id_rsa.pub The format of the lines in authorized_keys is
command="/path/to/svnserve -t OPTIONS" KEY-TYPE KEY KEY-COMMENT
The -t option puts svnserve in tunnel-mode. There are a bunch of options you can pass to svnserv, but the most common ones are --tunnel-user to specify the username of the remote user and -r to specify a virtual root for the repository. The former allows subversion to recognize each user as their real username instead of the src user, so things like permissions work. The later allows you to hide the real path to the repository which can help shorten URLs and provide some abstration from the physical location in case you ever want to move it.
In my case, lines in authorized_keys are looking like
command="/opt/svn/bin/svnserve -t -r /app/repos/svn --tunnel-user=mock" ssh-dss KEY mock@watt
Not very painful at all. Actually what is the more painful part is trying to get NetBeans on Windows to access Subversion over SSH. I'll write that up soon.