Setting Up Subversion (SVN) with SSH (svn+ssh)

This is a quick guide on how to setup subversion using svn+ssh. svn+ssh lets us tunnel a subversion session over the secure SSH protocol, which means all data and passwords are encrypted. I like setting subversion up this way because:

  1. it authenticates against a real user account, so you don’t have to maintain a seperate set of subversion logins and passwords.
  2. it is secure, so you don’t have to worry about data or passwords being intercepted in transit.

This was done on CentOS, but the instructions apply to most any OS.

Server Setup

  1. Install Subversion. The mechanics of installing it vary OS by OS; see the ‘Getting subversion’ page for more. On CentOS, you’ll do: 

    yum install subversion
  2. Create a Repository. This is where all your files will be stored. You can put this anywhere; I generally think /var/svn/repos is a good place. Call your repo whatever you want; I used ‘my_code’: 

    mkdir /var/svn
    mkdir /var/svn/repos
    svnadmin create /var/svn/repos/my_code
  3. Setup a svn group. You’ll need all your users to be members of the same group. I generally setup ansvn group, and give access to anybody who needs to access subversion.
  4. Give your group ownership of the repos directory. chown -R :svn /var/svn/repos/
  5. Set permissions on same. chmod -R 775 /var/svn/repos/
  6. Setup a user for each person who needs svn access.
    Example:
    Add Users:
    useradd -d /home/bobsmith -s /bin/bash -c “Bob Smith” bobsmith passwd bobsmith
    Add Groups:
    users:x:100:dordal,smith,bones
    chown -R :marketing myfiles
    chmod -R g+s myfiles
  7. Add those users to the svn group.
  8. Create a wrapper for svnserve. svnserve is the server component of subversion; when your subversion client connects via SSH, it spawns an instance of svnserve running under your user account. The problem here is the ‘under your user account‘ part; that means it is running under your user account’s permissions setup. By default, your permissions don’t allow anyone else access to your files, and yet svnserve is going to be writing files in the common user directory at /var/svn/reposthat everyone needs write access to. Therefore, we can create a wrapper script that sets a umask for group-writable peermissions right before svnserve is called: 

    #!/bin/sh 
    
    # set the umask so files are group-wriable
    umask 002
    
    # call the 'real' svnserve, also passing in the default repo location
    exec /usr/bin/svnserve "$@" -r /var/svn/repos
    or
    exec /usr/local/bin/svnserve.bin -r /path/to/repository/root "$@"

    Save this somewhere, like /var/svn/svnwrapper.sh. Make a symlink in /usr/local/bin:

    cd /usr/local/bin
    ln -s /var/svn/svnwrapper.sh svnserve
    chmod 755 /var/svn/svnwrapper.sh

    Update 2 Dec 2010: Per the comments from Fred & Timothy Boronczyk, I now recommend that you put the symlink in /usr/local/bin rather than /usr/bin as I originally recommended. This means you avoid having to move the original svnserve binary in /usr/bin. The above scripts have been updated to reflect this new approach.

  9. Import your initial directory set. Generally, you’ll want a set of directories called ‘trunk’, ‘tags’ and ‘branches’ at the lowest level of your repository. To get this setup: 

    mkdir code
    mkdir code/trunk
    mkdir code/tags
    mkdir code/branches
    svn import code svn+ssh://USERNAME@SERVER/my_code -m 'inital import'
    rm -rf code

That’s it. The server is now setup.

Client Setup

To checkout files, go to your local machine and issue a checkout command:
svn co svn+ssh://USERNAME@SERVER/my_code my_code_local_dir
Thank You for visiting my site.

Posted by subashstha

Leave a Reply