Can I authenticate to Subversion using ssh?

[David Aldrich <da...@gmail.com>]

Hi

We run a Jenkins job that lists the branches and tags of a certain svn
repository by running 'svn ls'.

The command, of course, requires svn authentication and so a password must
be provided.  Jenkins has a svn plugin which allows it to check out from
svn repositories, using stored credentials, before running a job.  As far
as I know, the job itself can't access those credentials. The job script
could provide the password but that is very insecure. I have gotten around
this in the past by using gnome keyring, but I find that very hard to
install on a headless server, so I have a problem of how to provide the
password.

So my question is: is it possible to authenticate to svn, i.e. run svn
commands, using ssh key-based authentication instead of using a password?

If so, can you point me in the right direction please?

Best regards
David

Re: Can I authenticate to Subversion using ssh?

[David Aldrich <da...@gmail.com>]

Hi Mark

Thanks for your reply - that's very helpful.

Best regards
David

On Tue, Jan 19, 2021 at 5:45 PM Mark Phippard <ma...@gmail.com> wrote:

> On Tue, Jan 19, 2021 at 12:39 PM David Aldrich <
> david.aldrich.ntml@gmail.com> wrote:
>
>> Hi Daniel
>>
>> Thanks for your reply. I've had a look at the Subversion book and done
>> some Googling. It isn't easy to know how to configure svn on the server for
>> ssh.
>>
>> We use the Collabnet Edge distribution of Subversion, which we believe only
>> supports http/https - not svnserve.
>>
>
>
> Correct.  SVN Edge does not support svnserve or SSH.  That said, I
> believe the svnserve binary is included.  So if you want to use it, then it
> would be up to you to configure everything for it.  Might be easier to just
> look for another way to inject a secret into your script.  I think, as an
> example, there are Jenkins plugins that can take a secure Jenkins
> credential and set them as environment variable for the job. So your script
> could get the password from an environment variable.
>
> As with everything Jenkins there is probably more than one way to do this,
> but here is one I have used:
>
> https://plugins.jenkins.io/credentials-binding/
>
> Mark
>

Re: Can I authenticate to Subversion using ssh?

[Mark Phippard <ma...@gmail.com>]

On Tue, Jan 19, 2021 at 12:39 PM David Aldrich <da...@gmail.com>
wrote:

> Hi Daniel
>
> Thanks for your reply. I've had a look at the Subversion book and done
> some Googling. It isn't easy to know how to configure svn on the server for
> ssh.
>
> We use the Collabnet Edge distribution of Subversion, which we believe only
> supports http/https - not svnserve.
>


Correct.  SVN Edge does not support svnserve or SSH.  That said, I
believe the svnserve binary is included.  So if you want to use it, then it
would be up to you to configure everything for it.  Might be easier to just
look for another way to inject a secret into your script.  I think, as an
example, there are Jenkins plugins that can take a secure Jenkins
credential and set them as environment variable for the job. So your script
could get the password from an environment variable.

As with everything Jenkins there is probably more than one way to do this,
but here is one I have used:

https://plugins.jenkins.io/credentials-binding/

Mark

Re: Can I authenticate to Subversion using ssh?

[David Aldrich <da...@gmail.com>]

Hi Daniel

Thanks for your reply. I've had a look at the Subversion book and done some
Googling. It isn't easy to know how to configure svn on the server for
ssh.

We use the Collabnet Edge distribution of Subversion, which we believe only
supports http/https - not svnserve.

Do you (or anyone else reading this) know whether it would be possible to
install svnserve on the same server as used for Edge, (or even on different
servers with replication of repos)?

We use 'svn_access_file' for access permissions.  Is svnserve compatible
with svn_access_file?

With best regards
David

On Tue, Jan 19, 2021 at 10:03 AM Daniel Sahlberg <
daniel.l.sahlberg@gmail.com> wrote:

> Den tis 19 jan. 2021 kl 10:47 skrev David Aldrich <
> david.aldrich.ntml@gmail.com>:
>
>> Hi
>>
>> We run a Jenkins job that lists the branches and tags of a certain svn
>> repository by running 'svn ls'.
>>
>> The command, of course, requires svn authentication and so a password
>> must be provided.  Jenkins has a svn plugin which allows it to check out
>> from svn repositories, using stored credentials, before running a job.  As
>> far as I know, the job itself can't access those credentials. The job
>> script could provide the password but that is very insecure. I have gotten
>> around this in the past by using gnome keyring, but I find that very hard
>> to install on a headless server, so I have a problem of how to provide the
>> password.
>>
>> So my question is: is it possible to authenticate to svn, i.e. run svn
>> commands, using ssh key-based authentication instead of using a password?
>>
>> If so, can you point me in the right direction please?
>>
>
> This is possible to tunnel the connection through SSH in which case you
> only need to authenticate the SSH connection (for example using keys).
> However it require some support/configuration on the server side so it
> depends on the server.
>
> The process is fairly well described in the Subversion book:
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html
>
> Kind regards,
> Daniel Sahlberg
>
>>

Re: Can I authenticate to Subversion using ssh?

[Nico Kadel-Garcia <nk...@gmail.com>]

On Tue, Jan 19, 2021 at 5:03 AM Daniel Sahlberg
<da...@gmail.com> wrote:
>
> Den tis 19 jan. 2021 kl 10:47 skrev David Aldrich <da...@gmail.com>:
>>
>> Hi
>>
>> We run a Jenkins job that lists the branches and tags of a certain svn repository by running 'svn ls'.
>>
>> The command, of course, requires svn authentication and so a password must be provided.  Jenkins has a svn plugin which allows it to check out from svn repositories, using stored credentials, before running a job.  As far as I know, the job itself can't access those credentials. The job script could provide the password but that is very insecure. I have gotten around this in the past by using gnome keyring, but I find that very hard to install on a headless server, so I have a problem of how to provide the password.
>>
>> So my question is: is it possible to authenticate to svn, i.e. run svn commands, using ssh key-based authentication instead of using a password?
>>
>> If so, can you point me in the right direction please?
>
>
> This is possible to tunnel the connection through SSH in which case you only need to authenticate the SSH connection (for example using keys). However it require some support/configuration on the server side so it depends on the server.
>
> The process is fairly well described in the Subversion book: http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html

It does require some thought. It can be noticeably easier to support
than httpd and mod_dav based access, especially when a webserver is
already in place and doing a lot of production critical work.

Re: Can I authenticate to Subversion using ssh?

[Daniel Sahlberg <da...@gmail.com>]

Den tis 19 jan. 2021 kl 10:47 skrev David Aldrich <
david.aldrich.ntml@gmail.com>:

> Hi
>
> We run a Jenkins job that lists the branches and tags of a certain svn
> repository by running 'svn ls'.
>
> The command, of course, requires svn authentication and so a password must
> be provided.  Jenkins has a svn plugin which allows it to check out from
> svn repositories, using stored credentials, before running a job.  As far
> as I know, the job itself can't access those credentials. The job script
> could provide the password but that is very insecure. I have gotten around
> this in the past by using gnome keyring, but I find that very hard to
> install on a headless server, so I have a problem of how to provide the
> password.
>
> So my question is: is it possible to authenticate to svn, i.e. run svn
> commands, using ssh key-based authentication instead of using a password?
>
> If so, can you point me in the right direction please?
>

This is possible to tunnel the connection through SSH in which case you
only need to authenticate the SSH connection (for example using keys).
However it require some support/configuration on the server side so it
depends on the server.

The process is fairly well described in the Subversion book:
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html

Kind regards,
Daniel Sahlberg

>