Setting up Subversion for multiple users and/or projects

The following document explains how to set up subversion on the UW IT maintained Unix machines (which go by the name so that multiple users (and/or projects, if you are so inclined) can work together using a single account. Much of this information was gleaned from, plus information on setting up ssh to run specific commands for logins with particular keys. There are two parts to this: setting up the repository and setting up the user logins.

The Repository

There are two aspects to repository setup: svn and ssh. I won't go much into svn setup itself, other than to indicate that I'm assuming that the repository directory (on home, for example) is ~/svn, with configuration files in ~/.subversion (on the user machines). You'll need to read up on svn enough to set up the repository (or else, someone will need to edit a tutorial here). You'll also need to set up a shared account (either course or departmental) for your project(s) using the UW IT Shared UW NetID Account Request Form.

The ssh setup is a neat trick. The idea is that you can attach, to each public key, a command that is run when a user logs in with that key. This allows for secure connections, authentication, and restriction of access on a per-user basis, and it lets a single user connect to the same account in multiple ways (simply by using different keys). The basic idea is to use the extended syntax of the ~/.ssh/authorized_keys file:

command="[Unix command here]" ssh-rsa [RSA-PUBLIC-KEY-HERE]

In this case, we will use the svnserve command, with options set on a per-key basis to indicate the user and repository path. The resultant line in the authorized_keys file is:

command="/usr/local/bin/svnserve --tunnel --tunnel-user=[UWNetID] --root=/path/to/home/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa [RSA-PUBLIC-KEY-HERE] user@uw1-320-lab

Whoever controls the project account on homer can create one of these lines for each user; indeed a single user can have multiple keys, each “attached” to a different command. As long as the command involved doesn't allow for creation of subshells, users won't have general access to the project account. Note that I suggest using the UW Net ID as the user identity for svn purposes, but that is not a requirement and it is not used as part of the authentication process.

User Logins

Each user should create an RSA key pair specially for this purpose. To do so, on Linux or Mac 1) the user should do the following at the command line:

ssh-keygen -t rsa -f id_rsa-svn

Note that the user could use any name for the key pair files; I merely suggest a unique one to prevent it from being confused with other ones. The password can be left blank (but if you're feeling paranoid a password can be entered). This will create two files called id_rsa-svn (the private key that should only be kept on the computers the user plans to run a subversion client on; keep it secure there) and (the public key which will be needed on the project account side).

The public key should be emailed to whoever manages the project account, who will put it in the authorized_keys file as described above.
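Because the emailed text ends up in the shared account's authorized_keys file, the manager should only accept a single bare ssh-rsa key before attaching the forced svnserve command to it. The following is an added example, not part of the original page: the function names, the allowed NetID character set, and the sample key and repository path are assumptions made for illustration.

```python
import base64
import re
import struct

SVNSERVE = "/usr/local/bin/svnserve"  # svnserve path used on this page
RESTRICT = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"
SAFE_ID = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed NetID character set
SAFE_PATH = re.compile(r"/[A-Za-z0-9_./-]+")   # no quotes, spaces or shell metacharacters
# Constructed placeholder (correct ssh-rsa header, zero padding), not a real key.
SAMPLE_KEY = ("ssh-rsa " + base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa"
              + bytes(16)).decode() + " user@uw1-320-lab")


def parse_public_key(text):
    """Return the base64 blob of a single bare ssh-rsa key, or raise ValueError."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line")
    fields = lines[0].split()
    # A bare key starts with its type; anything else means extra text was prepended.
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("line must start with ssh-rsa")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64") from exc
    # The decoded blob begins with a length-prefixed copy of the key type.
    if len(blob) < 11 or struct.unpack(">I", blob[:4])[0] != 7 or blob[4:11] != b"ssh-rsa":
        raise ValueError("key blob does not encode an ssh-rsa key")
    return fields[1]


def authorized_keys_line(netid, repo_root, pubkey_text):
    """Build the restricted authorized_keys entry for one user's key."""
    if not SAFE_ID.fullmatch(netid):
        raise ValueError("unexpected characters in user name")
    if not SAFE_PATH.fullmatch(repo_root) or ".." in repo_root.split("/"):
        raise ValueError("repository root must be a plain absolute path")
    blob = parse_public_key(pubkey_text)
    command = f"{SVNSERVE} --tunnel --tunnel-user={netid} --root={repo_root}"
    # The sender's comment field is dropped; the validated user name replaces it.
    return f'command="{command}",{RESTRICT} ssh-rsa {blob} {netid}'


if __name__ == "__main__":
    print(authorized_keys_line("jdoe", "/path/to/home/svn", SAMPLE_KEY))
```

The printed line is what gets appended to ~/.ssh/authorized_keys on the project account; a submission that fails validation should be sent back rather than edited by hand.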

Configure a svn client

From a Linux/Mac command line 2), svn can be configured by editing ~/.subversion/config to include the following line under the [tunnels] section:

homer = /usr/bin/ssh -p 22 -q -l [repository-UID] -i /path/to/home/.ssh/id_rsa-svn

This creates a “svn+homer” tunnel scheme (where you need to change “/path/to/home/.ssh/id_rsa-svn” to be the full path to your private key and “[repository-UID]” to the repository account user ID on the server). You can change “homer” to whatever you'd like the tunnel scheme to be named. For configuring other clients, see near the bottom for clues. From the command line, you can try

svn --verbose list svn+homer://

to list the Projectname project files in the main trunk directory (I think that's the way it should be set up). Of course, this will only work once the project account manager has your public key and has set it up.

1) I'm not sure how to do this on Windows; someone should add that info.
2) Again, perhaps someone can weigh in on Windows
