getting access to a firewalled subversion repository
A small firm has a Subversion server located in a local network. The network is secured by a firewall. The task: give access to the Subversion server from the outside, both to Linux and Windows users. The solution should be as secure as possible.
Initial data:
* svnserver, 192.168.x.yy -- the Subversion server
* repo -- name of a Subversion repository
* svn://svnserver/repo/ -- the repository URL for the local users
* fwserver.dyndns.org -- Internet address of the firewall
High-level solution description:
Subversion can work over a tunnel, in particular, over a tunnel created by ssh. In my solution, clients think they establish a tunnel to fwserver.dyndns.org, but in fact the tunnel continues to svnserver.
Checking a local tunnel
Checking that it's possible to make a tunnel from fwserver to svnserver:
$ netcat 192.168.x.yy 3690
( success ( 1 2 ( ANONYMOUS ) ( edit-pipeline ) ) )
^C punt!
Making a special user
Let's make a special user svnuser which will be used only for accessing Subversion. Don't set a password for svnuser; authentication should be possible only through ssh keys.
# useradd -c 'subversion access for an user' -m svnuser
Key authentication
It should be possible to log in from an Internet computer to fwserver.dyndns.org as the user svnuser without a password:
client:~ $ ssh svnuser@fwserver.dyndns.org
Last login: Wed May 25 12:10:00 2005 from client.example.com
Have a lot of fun...
fwserver:~ $
Setting up key authentication is described in many tutorials.
Making a tunnel
It's possible to force a fixed command to run when a user authenticates with a key. The file ~svnuser/.ssh/authorized_keys2 should contain an entry like this:
command="/usr/bin/netcat 192.168.x.yyy 3690",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAB...8Lw== user@client
Note the command entry: every login with this key runs netcat to the Subversion port instead of a shell. The other options add more security by disabling pty allocation, port forwarding, X11 forwarding and agent forwarding for the key.
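As an added check (not part of the original post), a small shell audit that scans an authorized_keys file and reports any key line that lacks the command= forced command or one of the four no-* restrictions; the function names, the sample file and the PLACEHOLDER key blob are constructed for illustration:

```shell
#!/bin/sh
# Audit an OpenSSH authorized_keys file for the restricted svnuser setup:
# every key line must carry command="..." plus the four no-* options.
# Added example; function names and sample data are constructed.

REQUIRED_OPTS="no-pty no-port-forwarding no-X11-forwarding no-agent-forwarding"

# check_key_line LINE: returns 0 if the entry is fully restricted,
# otherwise prints the missing pieces and returns 1.
check_key_line() {
    line=$1
    # Options are everything before the key type; strip the key and comment.
    opts=$(printf '%s\n' "$line" |
        sed -E 's/ (ssh-rsa|ssh-ed25519|ecdsa-[a-z0-9-]+) .*$//')
    missing=""
    case "$opts" in
        *command=\"*\"*) ;;
        *) missing="$missing command=" ;;
    esac
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *,"$o",*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf 'missing:%s\n' "$missing"
    return 1
}

# check_keys_file FILE: returns 0 only if every non-comment line passes.
check_keys_file() {
    rc=0
    while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in ''|'#'*) continue ;; esac
        if ! r=$(check_key_line "$l"); then
            printf '%.40s...: %s\n' "$l" "$r"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample: the hardened entry from the post and an unrestricted key.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
command="/usr/bin/netcat 192.168.x.yy 3690",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAB_PLACEHOLDER_8Lw== user@client
ssh-rsa AAAAB3NzaC1yc2EAAAAB_PLACEHOLDER_8Lw== other@client
EOF
check_keys_file "$SAMPLE" && echo "all entries restricted" || echo "audit failed"
rm -f "$SAMPLE"
```

Run it against the real ~svnuser/.ssh/authorized_keys2 on fwserver after each key is added; a non-zero exit means some key would give more than the netcat tunnel.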
Now it's possible to test the tunnel:
$ ssh svnuser@fwserver.dyndns.org
( success ( 1 2 ( ANONYMOUS ) ( edit-pipeline ) ) )
^C
Connection to fwserver.dyndns.org closed.
$
Testing access
The tunnel is established, and now it's possible to use the tunnel:
$ svn list svn+ssh://svnuser@fwserver.dyndns.org/repo/
Folder/
Catalogue/
Directory/
. . .
Getting ssh for Windows
I don't know which ssh client should be used with Subversion under Windows. I use PuTTY. I installed it into the folder c:\util\putty.
To generate keys, run the program puttygen.exe. Save the private key as svnuser.ppk. On the fwserver.dyndns.org, add the public key to the file ~svnuser/.ssh/authorized_keys2. The data for this file is displayed in the text field "Public key for pasting into OpenSSH authorized_keys file". Use the same set of options as for the Linux key.
Check that the channel works:
C:\> C:\util\putty\plink.exe -i C:\util\putty\svnuser.ppk svnuser@bitplant.dyndns.org
Using username "svnuser".
Server refused to allocate pty
( success ( 1 2 ( ANONYMOUS ) ( edit-pipeline ) ) )
Configuring TortoiseSVN
TortoiseSVN is a Windows GUI client for Subversion.
Run TortoiseSVN and open the Settings menu. In the TortoiseSVN Settings window, on the Network tab, specify the following SSH client:
C:\util\putty\PLINK.EXE -i C:\util\putty\svnuser.ppk -batch
In order to test the connection, run the Repo-Browser. The repository URL is the same as under Linux:
svn+ssh://svnuser@fwserver.dyndns.org/repo/
Unfortunately, black console (DOS) windows pop up while working with the repository. But it's better than no access at all.