Setting up Subversion for multiple users and/or projects
The following document explains how to set up subversion on the UW IT maintained Unix machines (which go by the name homer.u.washington.edu) so that multiple users (and/or projects, if you are so inclined) can work together using a single account. Much of this information was gleaned from http://wiki.site5.com/SVN/Subversion_(SVN)_Setup_Guide, plus information on setting up ssh to run specific commands for logins with particular keys. There are two parts to this: setting up the repository and setting up the user logins.
There are two aspects to repository setup: svn and ssh. I won't go much into svn setup itself, other than to indicate that I'm assuming that the repository directory (on home, for example) is ~/svn, with configuration files in ~/.subversion (on the user machines). You'll need to read up on svn enough to set up the repository (or else, someone will need to edit a tutorial here). You'll also need to set up a shared account (either course or departmental) for your project(s) using the UW IT Shared UW NetID Account Request Form.
The ssh setup is a neat trick. The idea is that you can attach, to each public key, a command that is run when a user logs in with that key. This allows for secure connections, authentication, restriction of access on a per-user basis, and lets a single user connect to the same account in multiple ways (simply by using different keys). The basic idea is to use the extended syntax of the authorized_keys file:
command="[Unix command here]" ssh-rsa [RSA-PUBLIC-KEY-HERE]
In this case, we will use the svnserve command, with options set on a per-key basis to indicate the user and repository path. The resultant line in the authorized_keys file is:
command="/usr/local/bin/svnserve --tunnel --tunnel-user=[UWNetID] --root=/path/to/home/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa [RSA-PUBLIC-KEY-HERE] user@uw1-320-lab
Whoever controls the project account on homer can create one of these lines for each user; indeed a single user can have multiple keys, each “attached” to multiple commands. As long as the command involved doesn't allow for creation of subshells, users won't have general access to the project account. Note that I suggest using the UW Net ID as the user identity for svn purposes, but that is not a requirement and it is not used as part of the authentication process.
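An added example, not part of the original document: a small sh function the project account manager could run over the account's authorized_keys to confirm that every key carries the svnserve forced command and all four restrictions shown above. The sample keys are constructed placeholders, and the check assumes ssh-rsa keys and the svnserve path used on this page.

```sh
#!/bin/sh
# Added example, not from the original page: audit authorized_keys entries so
# that every key is locked to svnserve the way the page describes.
SVNSERVE=/usr/local/bin/svnserve   # path used on the page; adjust locally

# Reads authorized_keys text on stdin, prints "LINE: problems" for each entry
# that is not fully restricted, and returns non-zero if any were found.
audit_svn_keys() {
    n=0; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1)); problems=
        case $line in ''|'#'*) continue ;; esac
        opts=${line%% ssh-rsa *}            # option field before the key type
        [ "$opts" != "$line" ] || opts=     # bare key: no options at all
        # Forced command must be svnserve in tunnel mode with a fixed user.
        case $opts in
            "command=\"$SVNSERVE --tunnel --tunnel-user="[A-Za-z0-9]*) ;;
            *) problems="$problems no-forced-svnserve" ;;
        esac
        # sshd passes the forced command to the account's shell, so the quoted
        # string must hold nothing but plain option characters.
        cmd=${opts#command=\"}; cmd=${cmd%%\"*}
        [ -z "$(printf %s "$cmd" | tr -d 'A-Za-z0-9 _./=-')" ] ||
            problems="$problems shell-metachar"
        # All four restrictions from the page must follow the command.
        for o in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
            case ",$opts," in
                *",$o,"*) ;;
                *) problems="$problems missing-$o" ;;
            esac
        done
        [ -z "$problems" ] || { echo "$n:$problems"; rc=1; }
    done
    return $rc
}

# Constructed sample input (placeholder key material, not real keys).
audit_svn_keys <<'EOF' || echo "unrestricted entries found" >&2
# project account keys
command="/usr/local/bin/svnserve --tunnel --tunnel-user=alice --root=/home/proj/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EXAMPLE alice@laptop
ssh-rsa AAAAB3NzaC1yc2EXAMPLE bob@laptop
command="/usr/local/bin/svnserve --tunnel --tunnel-user=carol --root=/home/proj/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EXAMPLE carol@laptop
EOF
```

On the real account it would be run as audit_svn_keys < ~/.ssh/authorized_keys; any line it reports is a key that can do more than talk to svnserve.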
Each user should create an RSA key pair specially for this purpose. To do so, on Linux or Mac, the user should do the following at the command line:
ssh-keygen -t rsa -f id_rsa-svn
Note that the user could use any name for the key pair files; I merely suggest a unique one to prevent it from being confused with other ones. The password can be left blank (but if you're feeling paranoid a password can be entered). This will create two files called id_rsa-svn (the private key that should only be kept on the computers the user plans to run a subversion client on; keep it secure there) and id_rsa-svn.pub (the public key which will be needed on the project account side).
The public key should be emailed to whoever manages the project account, who will put it in the authorized_keys file as described above.
Configure a svn client
From a Linux/Mac command line, svn can be configured by editing ~/.subversion/config to include the following line under the [tunnels] section:
homer = /usr/bin/ssh -p 22 -q -l [repository-UID] -i /path/to/home/.ssh/id_rsa-svn
This creates a “svn+homer” tunnel scheme (where you need to change “/path/to/home/.ssh/id_rsa-svn” to be the full path to your private key and “[repository-UID]” to the repository account user ID on the server). You can change “homer” to whatever you'd like the tunnel scheme to be named. For configuring other clients, see http://wiki.site5.com/SVN/Subversion_(SVN)_Setup_Guide near the bottom for clues. From the command line, you can try
svn --verbose list svn+homer://homer.u.washington.edu/Projectname/trunk
to list the Projectname project files in the main, trunk directory (I think that's the way it should be set up). Of course, this will only work once the project account manager has your public key and has set it up.