Posted to dev@subversion.apache.org by Justin Erenkrantz <je...@apache.org> on 2002/08/30 18:47:39 UTC
[PATCH] Add FAQ item regarding ssh forwarding
I'm not 100% sure we want to mention this, but if we do, here's
a FAQ entry. -- justin
* www/project_faq.html: Add question/answer about paranoid admins.
Index: www/project_faq.html
===================================================================
--- www/project_faq.html
+++ www/project_faq.html Fri Aug 30 11:45:40 2002
@@ -33,6 +33,8 @@
<li><a href="#repository">How do I create a repository? How do I
import data into it?</a></li>
<li><a href="#proxy">What if I'm behind a proxy?</a></li>
+<li><a href="#paranoid">My admins don't want me to have a HTTP server for
+ Subversion. What can I do if I still want remote usage?</a></li>
<p>
<strong>Troubleshooting:</strong>
</p>
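Review bot: The anchor name "paranoid" in the new index entry describes the admins rather than the topic, and it becomes a permanent link target once the page is published. A name that describes the answer (SSH port forwarding) would be easier to find and to cite. In the same entry "a HTTP server" should read "an HTTP server", and the identical wording in the h3 heading of the second hunk needs the same change so the index and the heading stay in sync.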
@@ -302,6 +304,73 @@
</pre>
<p>and maybe the proxy will let you through.</p>
+
+<![CDATA[=========================================================]]>
+
+<h3><a name="paranoid"/>My admins don't want me to have a HTTP server for
+ Subversion. What can I do if I still want remote usage?</h3>
+
+<p>If you previously used CVS, you may have used SSH to login to the
+CVS server. The preferred solution would be to use ra_dav combined
+with an Apache HTTP server configured with mod_ssl and appropriate
+authentication support. This should provide enough security for most
+users. However, we realize that there are places that do not allow
+adding servers of any kind with external connectivity.</p>
+
+<p>There has been work on a ra_pipe implementation that would work
+similarly to the CVS_RSH mechanism, but it is not currently complete.
+If you wish to contribute to its development, you are more than
+welcome to do so!</p>
+
+<p>However, another solution that can be used instead is to leverage
+SSH port forwarding to connect to the protected server via ra_dav.
+You would connect via SSH to a machine behind your firewall that can
+access your Subversion server. Note that this SSH server does
+<b>not</b> have to be the same as where Subversion is installed. It
+can be, but it doesn't have to be.</p>
+
+<p>Then, you create a local port forward that connects to the HTTP
+server that houses your Subversion repository. You would then
+'connect' to the Subversion repository via this local port. Then,
+the request will be sent 'tunneled' via SSH server to your Subversion
+server.</p>
+
+<p>An example: a Subversion ra_dav setup is behind your company firewall
+at 10.1.1.50 (call it svn-server.example.com). Your company allows SSH
+access via publicly accessible ssh-server.example.com. Internally, you
+can access the Subversion repository via
+http://svn-server.example.com/repos/ours.</p>
+
+<p><i>Example</i>: client connecting to ssh-server with port-forwarding
+and checking out via the port forward</p>
+
+<pre>
+% ssh -L 8888:svn-server.example.com:80 me@ssh-server.example.com
+% svn checkout http://localhost:8888/repos/ours
+</pre>
+
+<p>Note that your svn-server.example.com could also have its httpd
+instance running on an unpriviliged port by a non-trusted user. This
+will allow your Subversion server not to require root access.</p>
+
+<!-- Can you use svn switch to switch your WC between your internal and
+ external Subversion server? I think so. -->
+
+<p>Joe Orton notes</p>
+<pre>
+The server is sensitive to the hostname used in the Destination header
+in MOVE and COPY requests, so you have to be a little careful here - a
+"ServerAlias localhost" may be required to get this working properly.
+</pre>
+
+<p>Some links on SSH port forwarding</p>
+<ul>
+<li><a href="http://www.onlamp.com/pub/a/onlamp/excerpt/ssh_11/index3.html"
+>http://www.onlamp.com/pub/a/onlamp/excerpt/ssh_11/index3.html</a></li>
+<li><a href="http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/"
+>http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/</a></li>
+<li><a href="http://www.zip.com.au/~roca/ttssh.html">TTSSH: A Win32 SSH client capable of port forwarding</a></li>
+</ul>
<![CDATA[=========================================================]]>
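Review bot: The paragraph saying the request is sent 'tunneled' via the SSH server, and the "ssh -L 8888:svn-server.example.com:80" example after it, should state that only the leg from the client to ssh-server.example.com is encrypted. From ssh-server.example.com to svn-server.example.com:80 the request is plain HTTP on the internal network, so this workaround does not give the end-to-end protection of the mod_ssl setup that the first paragraph calls preferred. Suggest one added sentence saying so, plus a note that local port 8888 accepts connections from any process on the client machine while the SSH session is open, so the repository's own authentication should stay enabled.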
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: [PATCH] Add FAQ item regarding ssh forwarding
Posted by Karl Fogel <kf...@newton.ch.collab.net>.
Justin Erenkrantz <je...@apache.org> writes:
> I'm not 100% sure we want to mention this, but if we do, here's
> a FAQ entry. -- justin
It's come up before, so I think it's worth mentioning. +1 on
committing it.
-K
> * www/project_faq.html: Add question/answer about paranoid admins.
>
> Index: www/project_faq.html
> ===================================================================
> --- www/project_faq.html
> +++ www/project_faq.html Fri Aug 30 11:45:40 2002
> @@ -33,6 +33,8 @@
> <li><a href="#repository">How do I create a repository? How do I
> import data into it?</a></li>
> <li><a href="#proxy">What if I'm behind a proxy?</a></li>
> +<li><a href="#paranoid">My admins don't want me to have a HTTP server for
> + Subversion. What can I do if I still want remote usage?</a></li>
> <p>
> <strong>Troubleshooting:</strong>
> </p>
> @@ -302,6 +304,73 @@
> </pre>
>
> <p>and maybe the proxy will let you through.</p>
> +
> +<![CDATA[=========================================================]]>
> +
> +<h3><a name="paranoid"/>My admins don't want me to have a HTTP server for
> + Subversion. What can I do if I still want remote usage?</h3>
> +
> +<p>If you previously used CVS, you may have used SSH to login to the
> +CVS server. The preferred solution would be to use ra_dav combined
> +with an Apache HTTP server configured with mod_ssl and appropriate
> +authentication support. This should provide enough security for most
> +users. However, we realize that there are places that do not allow
> +adding servers of any kind with external connectivity.</p>
> +
> +<p>There has been work on a ra_pipe implementation that would work
> +similarly to the CVS_RSH mechanism, but it is not currently complete.
> +If you wish to contribute to its development, you are more than
> +welcome to do so!</p>
> +
> +<p>However, another solution that can be used instead is to leverage
> +SSH port forwarding to connect to the protected server via ra_dav.
> +You would connect via SSH to a machine behind your firewall that can
> +access your Subversion server. Note that this SSH server does
> +<b>not</b> have to be the same as where Subversion is installed. It
> +can be, but it doesn't have to be.</p>
> +
> +<p>Then, you create a local port forward that connects to the HTTP
> +server that houses your Subversion repository. You would then
> +'connect' to the Subversion repository via this local port. Then,
> +the request will be sent 'tunneled' via SSH server to your Subversion
> +server.</p>
> +
> +<p>An example: a Subversion ra_dav setup is behind your company firewall
> +at 10.1.1.50 (call it svn-server.example.com). Your company allows SSH
> +access via publicly accessible ssh-server.example.com. Internally, you
> +can access the Subversion repository via
> +http://svn-server.example.com/repos/ours.</p>
> +
> +<p><i>Example</i>: client connecting to ssh-server with port-forwarding
> +and checking out via the port forward</p>
> +
> +<pre>
> +% ssh -L 8888:svn-server.example.com:80 me@ssh-server.example.com
> +% svn checkout http://localhost:8888/repos/ours
> +</pre>
> +
> +<p>Note that your svn-server.example.com could also have its httpd
> +instance running on an unpriviliged port by a non-trusted user. This
> +will allow your Subversion server not to require root access.</p>
> +
> +<!-- Can you use svn switch to switch your WC between your internal and
> + external Subversion server? I think so. -->
> +
> +<p>Joe Orton notes</p>
> +<pre>
> +The server is sensitive to the hostname used in the Destination header
> +in MOVE and COPY requests, so you have to be a little careful here - a
> +"ServerAlias localhost" may be required to get this working properly.
> +</pre>
> +
> +<p>Some links on SSH port forwarding</p>
> +<ul>
> +<li><a href="http://www.onlamp.com/pub/a/onlamp/excerpt/ssh_11/index3.html"
> +>http://www.onlamp.com/pub/a/onlamp/excerpt/ssh_11/index3.html</a></li>
> +<li><a href="http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/"
> +>http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/</a></li>
> +<li><a href="http://www.zip.com.au/~roca/ttssh.html">TTSSH: A Win32 SSH client capable of port forwarding</a></li>
> +</ul>
>
> <![CDATA[=========================================================]]>
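Review bot: The HTML comment asking whether svn switch can move a working copy between the internal and external server, ending "I think so.", is an unverified open question left in the page source. It should be checked and turned into FAQ text, or dropped before commit. In the paragraph just above it, "unpriviliged" is misspelled (unprivileged), and "by a non-trusted user" is ambiguous; "under a non-root account" matches what the next sentence says about not requiring root access.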