Posted to users@subversion.apache.org by Greg Willits <li...@gregwillits.ws> on 2008/03/19 18:59:44 UTC

ssh part of svn+ssh not working?

OS X 10.5.2, svn 1.4.4, OpenSSH_4.5p1, OpenSSL 0.9.7l

It's either trouble with my ssh setup or my understanding of how it  
should work...

After reading oodles and oodles of blogs and articles (mostly about  
Linux of course), I get the impression, that I should be able to use  
ssh-keygen and authorized_keys to create a collection of "users" that  
are not "real" OS users which should still be able to log into the  
system.

Symptom:

when I attempt to use ssh via keys, I still get prompted to enter a  
password (which doesn't exist). From everything I read, I am  
expecting this to not happen.

Here's what I have done:

-- used ssh-keygen to create svnkey and svnkey.pub files. (For now,  
no passphrases.)

-- placed the svnkey file in the client computer's user home /.ssh  
folder (/Users/DUDE/.ssh/svnkey)

-- made sure owner = the user, and perms is rw for the owner only

-- on the server, there's a user named "svn" with a home folder  
(where all the repos go) in which I created the .ssh/authorized_keys  
file. I used cat to append the svnkey.pub and then modify that entry  
with a command="" component according to all the svn docs.

-- again, perms are set so the file is owned by the svn user, and rw  
for that owner only.

Now, what I believe everything I have read tells me is that I should  
be able to use the svn commands like this:

    svn list svn+ssh://{server.domain}/path/to/repo

and I should not be prompted for a password because the SSH keys will  
be used.

However, I always get prompted for a password. So either I'm  
misunderstanding, missing some steps, or still have some perms wrong  
somewhere.

Any suggestions?

Thanks.

-- gw


Re: ssh part of svn+ssh not working?

Posted by Greg Willits <li...@gregwillits.ws>.
On Mar 19, 2008, at 12:28 PM, Hari Kodungallur wrote:
>
> On Wed, Mar 19, 2008 at 11:59 AM, Greg Willits  
> <li...@gregwillits.ws> wrote:
> OS X 10.5.2, svn 1.4.4, OpenSSH_4.5p1, OpenSSL 0.9.7l
>
> It's either trouble with my ssh setup or my understanding of how it  
> should work...
>
>
> First, I suggest that you make sure you can ssh into the server  
> machine without password. Then try to bring svn into the picture.  
> It will be easier to debug that way.

I couldn't, so I tore everything out, went back and read some stuff,  
and started some new experiments.

After much step-by-step, one-variable-at-a-time troubleshooting I  
discovered the entire problem came down to the file names of the keys.

I had read something that said you can have as many keys as you want,  
so if you needed keys unique to specific purposes, it was OK to name  
them different things. I took that advice and was creating  
svnkey/svnkey.pub for a variety of seemingly good reasons at the time.

Well, it would appear that OS X (either the 10.4 client or the 10.5  
server I am using or both) doesn't care for that idea. Maybe the  
above was simply bad advice, I don't know. The files MUST be named  
using the SSH defaults, or the whole ssh key thing simply doesn't work.

Once I got that figured out, everything popped into place.

And yes, you're right, I also must have svn@ in front of the server  
name, or I get the password prompt. However, the tunnelling does  
properly attribute changes to the real user and not the svn user.

So, I'm completely set up the way I wanted to be (svn+ssh, don't have  
to create real users on the server, changes are attributed to the  
actual developers). Whew!!

THANKS.

-- gw


Re: ssh part of svn+ssh not working?

Posted by Hari Kodungallur <hk...@gmail.com>.
On Wed, Mar 19, 2008 at 11:59 AM, Greg Willits <li...@gregwillits.ws> wrote:

> OS X 10.5.2, svn 1.4.4, OpenSSH_4.5p1, OpenSSL 0.9.7l
>
> It's either trouble with my ssh setup or my understanding of how it should
> work...
>
> After reading oodles and oodles of blogs and articles (mostly about Linux
> of course), I get the impression, that I should be able to use ssh-keygen
> and authorized_keys to create a collection of "users" that are not "real" OS
> users which should still be able to log into the system.
>
> Symptom:
>
> when I attempt to use ssh via keys, I still get prompted to enter a
> password (which doesn't exist). From everything I read, I am expecting this
> to not happen.
>
> Here's what I have done:
>
> -- used ssh-keygen to create svnkey and svnkey.pub files. (For now, no
> passphrases.)
>
> -- placed the svnkey file in the client computer's user home /.ssh folder
> (/Users/DUDE/.ssh/svnkey)
>
> -- made sure owner = the user, and perms is rw for the owner only
>
> -- on the server, there's a user named "svn" with a home folder (where all
> the repos go) in which I created the .ssh/authorized_keys file. I used cat
> to append the svnkey.pub and then modify that entry with a command=""
> component according to all the svn docs.
>
> -- again, perms are set so the file is owned by the svn user, and rw for
> that owner only.
>
> Now, what I believe everything I have read tells me is that I should be
> able to use the svn commands like this:
>
>    svn list svn+ssh://{server.domain}/path/to/repo
>
> and I should not be prompted for a password because the SSH keys will be
> used.
>
> However, I always get prompted for a password. So either I'm
> misunderstanding, missing some steps, or still have some perms wrong
> somewhere.
>
> Any suggestions?
>


I have not set up a repository using the tunnel tricks. So these suggestions
are only my guesses.

First, I suggest that you make sure you can ssh into the server machine
without password. Then try to bring svn into the picture. It will be easier
to debug that way.

Secondly, I am not sure whether you are using svn@server in the URL.
Basically you are setting it up in such a way that 'greg@client-machine' is
connecting to 'svn@server-machine'. Greg's public key is in
server-machine:/home/svn/.ssh/authorized_keys and his private key is in
client-machine:/greghome/.ssh/. When Greg connects to the server machine, he
should always use svn@ in the URL.
To come back to my first suggestion, remove the command="" (temporarily) in
the authorized keys and try to ssh using "ssh svn@server-name" and see if
you can do password-less access. If not, then there is a problem with the
ssh setup and that needs to be fixed first.

Third, IIRC, I believe the .ssh directory itself needs to be "rwx" (not just
"r-x") for the user.

Please let us know if this works.

Thanks,
-Hari
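
The two server-side checks raised in this thread (file modes on the svn account's .ssh directory, and the command="" entry in authorized_keys), as an added example that is not part of the original messages. The sample directory, user names and key strings are constructed; the no-* options are the restrictions the Subversion book lists alongside command=.

```sh
#!/bin/sh
# Added example (not from the thread): audit the shared "svn" account's ~/.ssh.

# Report paths that are group- or world-writable; sshd's StrictModes ignores
# authorized_keys in that case and the client falls back to a password prompt.
check_perms() {
    for p in "$@"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "PERMS: $p is group/world writable"
        fi
    done
}

# Report key lines that lack a forced svnserve command (assumed to be the first
# option, as in the svn docs) or one of the usual no-* restrictions.
audit_keys() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    while IFS= read -r line; do
        label=${line##* }   # trailing comment field names the key's owner
        case $line in
            'command="'*'svnserve -t --tunnel-user='*) ;;
            *) echo "NOFORCE: $label"; continue ;;
        esac
        for opt in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
            case $line in
                *",$opt,"*|*",$opt "*) ;;
                *) echo "MISSING $opt: $label" ;;
            esac
        done
    done
}

# Constructed sample: a throwaway home directory with three made-up key entries.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && chmod 700 "$d/.ssh" || return 1
    cat > "$d/.ssh/authorized_keys" <<'EOF'
command="svnserve -t --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA_constructed_key alice@laptop
command="svnserve -t --tunnel-user=bob",no-port-forwarding ssh-rsa AAAA_constructed_key bob@laptop
ssh-rsa AAAA_constructed_key carol@laptop
EOF
    chmod 600 "$d/.ssh/authorized_keys"
    echo "$d"
}

home=$(make_sample)
check_perms "$home/.ssh" "$home/.ssh/authorized_keys"
audit_keys "$home/.ssh/authorized_keys"
rm -rf "$home"
```

A NOFORCE entry is a key whose holder gets an ordinary login as the svn user rather than being confined to svnserve.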