SSH + svnserve -t command, while still allowing shell access

ssh, ssh-tunnel, svn, web-hosting

I'm having some trouble configuring a website hosting server (ex. website.com) that only has one primary user account (ex. ownername), to allow the following:

  • Users me and friend appear as the usernames in svn log entries, and
  • Users me and friend have shell access via SSH

So, I set up my private/public key pair on my local machine (laptop) and copied the public key to website.com's /home/ownername/.ssh/authorized_keys file. I added this command argument to the line:

command="svnserve -t --tunnel-user=me -r /home/ownername/" ssh-rsa A...eQ== laptoplogin@laptop

Where /home/ownername/svn/ is the location of the Subversion repository. This allows me to use:

[laptop]$ svn co svn+ssh://ownername@website.com/svn/ project

and any changes I make to project using Subversion have me listed as the user in the change comments, which is great.

However, when I go to log in via ssh:

  [laptop]$ ssh ownername@website.com 
  ( success ( 1 2 ( ANONYMOUS ) ...
  Connection closed.
  [laptop]$ 

So, is what I'm trying to do even possible? I honestly don't know enough about ssh tunnels to know what to do. There are numerous websites which discuss limiting or removing shell access to svn clients, but of course I want the shell access in addition to a custom username for me and friend.

Any help is appreciated!

Solution:

I simply set up two different id_rsa keys: id_rsa_shell and id_rsa_svn. I appended these to the server's .ssh/authorized_keys file. Then, for the "shell" key I put no command, and the "svn" key the svnserve with arguments. Then, on the laptop, I set up the .ssh/config file to have two entries: website-shell and website-svn, each with IdentityFile set to point to the respective keys. ssh website-shell worked as expected. For the svn command, in .subversion/config, under [tunnels] I put:

website = ssh -p XXXX -i /home/emptyset/.ssh/id_rsa_svn

Now, this got my checkout working:

$ svn co svn+website://website-svn/svn checkoutdirectory

Testing the commits verified the svnserve --tunnel-user argument worked to put my alias in the svn commit. Note it respects the website-svn alias defined in .ssh/config.

Sweet. 🙂

Best Answer

I wanted to comment on this yesterday but backed off waiting for someone more knowledgeable in this particular setup. Working from what you have said, you can set up multiple users on the same account by having separate keys, each set up to a different command structure. I.e., user Bob would have a key

command="svnserve -t --tunnel-user=Bob -r /home/ownername/" ssh-rsa A...eQ== laptoplogin@laptop

and Jane would be

command="svnserve -t --tunnel-user=Jane -r /home/ownername/" ssh-rsa someother..eQ== laptoplogin@laptop

Now by the same logic you could set up a third shared key between you that just executes bash, or share the account password to log in without keyless ssh and get access to the shell.

That being said, on an aside, you may just want to take a look at Mercurial or Git, both of which make centrally hosted development on a repository dead-simple and are far more powerful and flexible than svn.
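The per-key setup described in the solution and the answer can be checked with a short audit of authorized_keys. This is an added example, not code from either post: it maps each key to the svn name it is pinned to or to full shell access, and lists which sshd restriction options (no-port-forwarding, no-agent-forwarding, no-X11-forwarding, no-pty, or restrict) a forced-command key is missing. The sample file, its key material and the function names are constructed for illustration.

```python
import re

KEYTYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
OPTS_THEN_KEY = re.compile(r'^((?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+(.*)$')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')
# sshd(8) per-key options that narrow what a forced-command key can still do
RESTRICTIONS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

SAMPLE = '''\
# constructed sample; key material replaced by placeholders
command="svnserve -t --tunnel-user=me -r /home/ownername/" ssh-rsa AAAAsvnme me-svn@laptop
command="svnserve -t --tunnel-user=friend -r /home/ownername/",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAsvnfriend friend-svn@pc
ssh-rsa AAAAshell me-shell@laptop
'''

def parse_options(opts):
    """Return {option: value or None}; commas inside quoted values do not split."""
    return {m.group(1).lower(): m.group(2) for m in OPTION.finditer(opts)}

def audit(text):
    """Classify every key as svn:<name>, forced-command or shell."""
    report = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # A line that starts with a key type carries no options at all.
        m = None if KEYTYPE.match(line.split()[0]) else OPTS_THEN_KEY.match(line)
        opts, rest = m.groups() if m else ("", line)
        options, fields = parse_options(opts), rest.split(None, 2)
        cmd, role, missing = options.get("command"), "shell", []
        if cmd is not None:
            svn = re.search(r"^svnserve\b.*--tunnel-user[= ](\S+)", cmd)
            role = f"svn:{svn.group(1)}" if svn else "forced-command"
            if "restrict" not in options:
                missing = sorted(RESTRICTIONS - set(options))
        report.append({"comment": fields[2] if len(fields) > 2 else "", "role": role, "missing": missing})
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A key reported as shell is not tied to any --tunnel-user name, so the names in svn log are only enforced for connections made with the svn keys.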
