Using SSH with svnserve

In the introduction to svnserve article, we saw how useful and lightweight svnserve is and even secured it against unauthorised access.

That was fine over an office LAN or other trusted network, but we need a secure connection if we are using an untrusted network such as the internet. Using the SSH protocol with svnserve is the answer.

As we proceed, remember that the repository locations and project names are carried over from the introductions to subversion and svnserve.

The SSH protocol will ensure a secure connection is established before checking out or committing changes to your subversion repository.

I assume you have SSH set up and configured and that you are able to log into your VPS or server using SSH. If not, you will need to configure SSH before proceeding.

The syntax for using SSH is very similar to the one already used:

svn co svn+ssh://123.45.67.890/home/paul/repository/project1/trunk project1

Note the two differences: the scheme is now 'svn+ssh', and the path to the repository is absolute.

You can try it straight away but you may find an error as follows:

svn co svn+ssh://123.45.67.890/home/paul/repository/project1/trunk project1
ssh: connect to host 123.45.67.890 port 22: Connection refused

The error speaks for itself - I can't access the default SSH port (port 22). The reason for this is simple: I have a custom port for my SSH access - in my case it is 30000.

So now a little adjustment to the local machine's configuration files is needed so that it uses the custom SSH port.

On a Linux/Unix machine the Subversion configuration directory is located in:

/home/username/.subversion

On a Windows machine it is located at:

%APPDATA%\Subversion

Open the config file in that directory in a text editor:

nano .subversion/config

As with svnserve.conf, most of the file is commented out and consists of instructions, but the section we want is titled [tunnels].

Under the [tunnels] heading add the following line:

project1ssh = /usr/bin/ssh -p 30000 -l paul

Firstly I created a name; in this case I used 'project1ssh'. Then I specified the full path to the ssh binary. This is a simple security precaution so that Subversion runs the correct binary and not another one named ssh placed in your $PATH.

I then added two standard options, the first being the port to use and the second the SSH user to log in as.

You can add as many of these 'tunnels' as you require so you can have SSH access to many different machines with different repositories (Naturally, you will have to be an authorised SSH user, it won't work on a random basis).
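
Once you have several tunnels, it is worth checking that each one still follows the full-path precaution. The following is an added example, not part of the original article: a small Python check over the [tunnels] section. The sample entries 'backup' and 'override' and the variable name MYSSH are constructed for illustration; a tunnel definition that starts with $VARNAME lets that environment variable replace the whole command, so it is reported as well.

```python
import configparser
import os
import shlex

# Constructed sample of a client config; only project1ssh comes from the article.
SAMPLE_CONFIG = """\
[auth]
# store-passwords = no

[tunnels]
project1ssh = /usr/bin/ssh -p 30000 -l paul
backup = ssh -p 30000 -l paul
override = $MYSSH /usr/bin/ssh -p 30000 -l paul
"""


def audit_tunnels(config_text):
    """Return {tunnel_name: [findings]} for every entry under [tunnels]."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep tunnel names exactly as written
    parser.read_string(config_text)
    findings = {}
    if not parser.has_section("tunnels"):
        return findings
    for name, command in parser.items("tunnels"):
        issues = []
        words = shlex.split(command)
        # A leading $VAR means that variable, if set, replaces the whole command.
        if words and words[0].startswith("$"):
            issues.append("environment variable %s can override this command" % words[0])
            words = words[1:]
        if not words:
            issues.append("no command given")
        elif not os.path.isabs(words[0]):
            issues.append("'%s' is resolved through $PATH" % words[0])
        findings[name] = issues
    return findings


if __name__ == "__main__":
    # Audit the real client config if present, otherwise the constructed sample.
    path = os.path.expanduser("~/.subversion/config")
    if os.path.exists(path):
        with open(path) as handle:
            text = handle.read()
    else:
        text = SAMPLE_CONFIG
    for name, issues in audit_tunnels(text).items():
        print(name, "OK" if not issues else "; ".join(issues))
```
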

Let's try again using the newly created project1ssh:

svn co svn+project1ssh://123.45.67.890/home/paul/repository/project1/trunk project1

Success! This logged onto the VPS using the SSH protocol and securely checked out project1/trunk from the subversion repository to our local project1 folder.

One last thing. Accessing your repository in this secure manner does mean you can turn off svnserve and block port 3690 again.

The reason for this is that SSH creates a temporary svnserve instance. However, it does still use the svnserve.conf anon-access and auth-access settings.

For example, if svnserve.conf had:

anon-access = none
auth-access = read

Then authorised SSH users would only be able to check out a repository; they would not be able to commit any changes.

Later articles will concentrate on serving multiple repositories from the same machine.

PickledOnion.
