This file describes how to use the sshd "command" directive to set up svn+ssh with any or all of the following properties: (1) Specify a full path to the svnserve binary (2) Specify a repository root as one can with the svnserve daemon (3) Avoid giving full shell access to an svn user (4) Use a single Unix account for multiple svn users This file will assume that the server is using openssh on a Unix-like host. The same tricks may work for other server setups, but changes may need to be made to the details. These tricks require that you use public-key authentication; they will not work with password authentication. These tricks also assume that the client's key-pair is used only for access to svnserve; if you want to retain general shell access to the host, create a second, dedicated key-pair for Subversion access and (assuming a Unix client) set the environment variable SVN_SSH to "ssh -i /path/to/private/key/file --". The basic idea -------------- To set up public key authentication on the server, you create a file $HOME/.ssh/authorized_keys, where $HOME is the home directory of the Unix account being used for svnserve on the server. Each line of the file is typically copied from a client's public key file, and looks something like: ssh-rsa AAAABlotsmoregookhere= address@example.com The first field specifies the type of the key, the second is the key itself in uuencoded format, and the third is a comment which humans can use to identify what the key is. In the future, we'll write these three fields as "TYPE KEY COMMENT" The basic trick, then, is to add a directive to this line telling sshd to ignore the client's specified command and run a different command instead. The line in the authorized_keys file will then look like: command="COMMAND" TYPE KEY COMMENT For svn+ssh access, the client generally specifies the command "svnserve -t"; the following tricks will modify the command in various ways. Trick #1: Specify a full path to the svnserve binary ---------------------------------------------------- For this trick, specify a command like: command="/full/path/to/svnserve -t" TYPE KEY COMMENT Trick #2: Specify a repository root ----------------------------------- For this trick, add a -r option to the svnserve command: command="svnserve -t -r /repository/root" TYPE KEY COMMENT Trick #3: Avoid giving full shell access to an svn user ------------------------------------------------------- For this trick, it isn't necessary to modify the command at all. We just need to make sure that the client doesn't run any other commands. However, you should also use the "no-port-forwarding" option to prevent the client from tunneling to other ports: command="svnserve -t",no-port-forwarding TYPE KEY COMMENT You may also wish to specify the options "no-pty", "no-agent-forwarding", and "no-X11-forwarding", just to give the client less wiggle room. Trick #4: Use a single Unix account for multiple svn users ---------------------------------------------------------- For this trick, establish a distinct key pair for each of the svn users, list all of the public keys in the authorized_users file, and specify the "--tunnel-user" directive in the command for each entry: command="svnserve -t --tunnel-user=alice" TYPE1 KEY1 COMMENT1 command="svnserve -t --tunnel-user=bob" TYPE2 KEY2 COMMENT2 As with trick #3, it may be wise to specify "no-port-forwarding" and perhaps the other restriction options to prevent the users from obtaining other kinds of access. The --tunnel-user option is new in svn 1.1.0, so this trick will not work if the server has svn 1.0.x. Combining the tricks -------------------- Here's an example of how you might combine all four tricks: command="/path/to/svnserve -t -r /repository/root --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 COMMENT1 command="/path/to/svnserve -t -r /repository/root --tunnel-user=bob",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE2 KEY2 COMMENT2