getting access to a firewalled subversion repository

A small firm runs a Subversion server on its local network, behind a firewall. The task is to give both Linux and Windows users access to that server from the outside, as securely as possible: nothing but ssh should be reachable from the Internet, and the ssh account used for this should be able to do nothing except talk to Subversion.

Initial data:

* svnserver, 192.168.x.yy -- the Subversion server
* repo -- name of a Subversion repository
* svn://svnserver/repo/ -- the repository URL for the local users
* fwserver.dyndns.org -- Internet address of the firewall

High-level solution description:

Subversion can work over a tunnel, in particular over a tunnel created by ssh (the svn+ssh:// scheme). In this solution the clients open an ssh connection to fwserver.dyndns.org as a dedicated user; on the firewall a forced command turns that connection into a plain TCP connection to the svnserve port on svnserver. From the client's point of view the tunnel ends on the firewall, but in fact it continues to svnserver, and port 3690 is never exposed to the Internet.

Checking a local tunnel

On fwserver, check that svnserve on svnserver can be reached over TCP (this is the connection the forced command will make later):

$ netcat 192.168.x.yy 3690
( success ( 1 2 ( ANONYMOUS ) ( edit-pipeline ) ) ) ^C punt!

The line starting with "( success" is the svnserve greeting. It is sent without a trailing newline, which is why the "^C" and netcat's "punt!" message appear on the same line. The greeting also shows which authentication mechanisms this svnserve offers; here it advertises ANONYMOUS, so check anon-access in the repository's svnserve.conf before opening the tunnel to the outside.

Making a special user

Create a dedicated user svnuser that is used only for reaching Subversion. Don't set a password for it (an account without a password cannot log in with one); authentication is done only with ssh keys. Leave the account with a normal login shell: sshd runs the forced command configured below through the user's shell, so a shell such as /sbin/nologin would break the tunnel.

# useradd -c 'subversion access for a user' -m svnuser

Key authentication

It should be possible to log in from an Internet host to fwserver.dyndns.org as svnuser without a password:

client:~ $ ssh svnuser@fwserver.dyndns.org
Last login: Wed May 25 12:10:00 2005 from client.example.com
Have a lot of fun...
fwserver:~ $

Setting up key authentication (generating a key pair on the client and adding the public key to the server) is described in many tutorials.

Making a tunnel

sshd can execute a fixed command when a user authenticates with a particular key, whatever command the client asked for. The file ~svnuser/.ssh/authorized_keys2 should contain an entry like this (one line; it is wrapped here only for display):

command="/usr/bin/netcat 192.168.x.yy 3690",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAB . . . . . . . 8Lw== user@client

Note the command entry: whoever holds this key gets a netcat connection to svnserve on svnserver and nothing else; the command the svn client requests (normally "svnserve -t") is ignored, which is fine because netcat simply relays to the svnserve that is already running. The other options close the remaining doors: no-pty refuses an interactive terminal, no-port-forwarding prevents the key holder from tunnelling to other hosts on the internal network, and no-X11-forwarding and no-agent-forwarding disable those channels. Two caveats: authorized_keys2 is a leftover from the protocol-2 transition, and current OpenSSH uses ~/.ssh/authorized_keys (it still reads authorized_keys2 only because the default AuthorizedKeysFile lists both), so put the entry in authorized_keys unless your sshd_config says otherwise; and the forced command restricts what the ssh account can do, not who may read or commit to the repository, which remains governed by svnserve.conf and its password file.
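The following script is an added example, not part of the original page, for auditing the svnuser authorized_keys file after editing it: it reports every key line that lacks the forced command or one of the no-* restrictions described above. It assumes the same netcat path and svnserve address as the rest of this page, and it takes the file to check as its first argument.

```shell
#!/bin/sh
# Added example (not from the original page): audit an authorized_keys file
# for the forced-command restrictions used in this setup.
# Assumption: the tunnel command is exactly the one used on this page.
SVN_TUNNEL_CMD='/usr/bin/netcat 192.168.x.yy 3690'

# check_svn_keys FILE
# Prints one line per missing restriction on each key line and returns
# non-zero if any key line is not fully restricted. Blank lines and
# comments are ignored.
check_svn_keys() {
    keyfile=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        for opt in "command=\"$SVN_TUNNEL_CMD\"" no-pty no-port-forwarding \
                   no-X11-forwarding no-agent-forwarding; do
            # a quoted pattern inside case is matched literally
            case $line in
                *"$opt"*) ;;
                *) printf 'missing %s: %s\n' "$opt" "$line"; rc=1 ;;
            esac
        done
    done < "$keyfile"
    return $rc
}

# When run directly with a file argument, audit that file, e.g.:
#   sh check_svn_keys.sh ~svnuser/.ssh/authorized_keys
if [ $# -gt 0 ]; then
    check_svn_keys "$1"
fi
```

Run it as root (or as svnuser) on fwserver after every change to the key file; a non-zero exit status means at least one key would give its holder more than the svnserve tunnel.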

Now it's possible to test the tunnel:

$ ssh svnuser@fwserver.dyndns.org
( success ( 1 2 ( ANONYMOUS ) ( edit-pipeline ) ) )
^C Connection to fwserver.dyndns.org closed.
$

Seeing the svnserve greeting instead of a shell prompt confirms that the forced command is in effect and that fwserver can reach svnserver.
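Both checks above (netcat on fwserver, ssh from the client) succeed when the svnserve greeting comes back. The functions below are an added example, not from the original page, that turn this into a scriptable health check: they read the greeting from standard input, extract the advertised authentication mechanisms, and tell you whether ANONYMOUS is among them. The greeting format they parse is the one shown on this page; the wider capability list that newer svnserve versions send is handled because the capability part is not interpreted.

```shell
#!/bin/sh
# Added example (not from the original page): inspect the svnserve greeting
# that arrives through the tunnel. Usage on the client:
#   ssh svnuser@fwserver.dyndns.org </dev/null 2>/dev/null | svn_greeting_mechs
# or on fwserver:
#   netcat 192.168.x.yy 3690 </dev/null | svn_greeting_allows_anonymous

# svn_greeting_mechs: read one greeting line from stdin and print the
# mechanism list, e.g. "ANONYMOUS" or "CRAM-MD5 ANONYMOUS".
# Returns 1 if the input is not a well-formed "( success ( ... ) )" greeting.
# The greeting has no trailing newline, so read may return non-zero while
# still having filled the variable; that is why its status is ignored.
svn_greeting_mechs() {
    IFS= read -r greeting || :
    mechs=$(printf '%s\n' "$greeting" |
        sed -n 's/^( success ( [0-9][0-9]* [0-9][0-9]* ( \(.*\) ) ( .* ) ) ) *$/\1/p')
    [ -n "$mechs" ] || return 1
    printf '%s\n' "$mechs"
}

# svn_greeting_allows_anonymous: returns 0 when ANONYMOUS is advertised,
# 1 when it is not, 2 when the input is not a greeting at all.
svn_greeting_allows_anonymous() {
    mechs=$(svn_greeting_mechs) || return 2
    case " $mechs " in
        *' ANONYMOUS '*) return 0 ;;
    esac
    return 1
}
```

Used from cron or a monitoring script, exit status 2 from svn_greeting_allows_anonymous means the tunnel is broken (no greeting), and exit status 0 means the repository is still answering anonymous requests, which on an Internet-facing tunnel is worth an alert unless that is intended.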

Testing access

The tunnel works, so the repository can now be used through it with an svn+ssh:// URL. The svn client runs ssh to fwserver.dyndns.org and speaks the svnserve protocol over that connection:

$ svn list svn+ssh://svnuser@fwserver.dyndns.org/repo/
Folder/
Catalogue/
Directory/
. . .

Getting ssh for Windows

I don't know which ssh client should be used with Subversion under Windows. I use PuTTY. I installed it into the folder c:\util\putty.

To generate a key pair, run puttygen.exe and save the private key as svnuser.ppk. On fwserver, add the public key to ~svnuser/.ssh/authorized_keys2. The line to add is shown in puttygen's text field "Public key for pasting into OpenSSH authorized_keys file"; prefix it with the same set of options (command= and the no-* restrictions) as the Linux key.

Check that the channel works:

C:\> C:\util\putty\plink.exe -i C:\util\putty\svnuser.ppk svnuser@fwserver.dyndns.org
Using username "svnuser".
Server refused to allocate pty
( success ( 1 2 ( ANONYMOUS ) ( edit-pipeline ) ) )

The message "Server refused to allocate pty" is expected: it is the no-pty option in the authorized_keys entry doing its job. The svnserve greeting on the next line shows that the tunnel is working.

Configuring TortoiseSVN

TortoiseSVN is a Windows Explorer shell-extension client for Subversion.

Open the TortoiseSVN Settings window (menu item Settings). On the Network tab, specify the following SSH client:

C:\util\putty\PLINK.EXE -i C:\util\putty\svnuser.ppk -batch

In order to test the connection, run the Repo-Browser. The repository URL is the same as under Linux:

svn+ssh://svnuser@fwserver.dyndns.org/repo/

Unfortunately, black console windows pop up while working with the repository, because plink.exe is a console program and TortoiseSVN starts one for every connection. But it's better than no access at all. (TortoiseSVN also ships TortoisePlink.exe, a plink build without a console window, which can be used in the same way.)

Categories: Generative XML
