Knowledge Base

How to set up Subversion (SVN) access for multiple users

This article describes how to set up Subversion (SVN) access for multiple users on a single A2 Hosting shared account.

Setting up Subversion access for multiple users

Subversion clients use SSH to access repositories on A2 Hosting servers. However, a shared hosting account only has one SSH login, which can be a problem. You don't want to share your account password with other users just so they can access repositories.

The solution is to create and deploy a separate SSH key pair for each user. Because SSH key pairs do not require passwords, users can access your repositories using Subversion clients. Additionally, you can easily revoke access for a specific user without affecting other users.

The main steps for setting up multiple-user Subversion access are:

  • Each user creates an SSH key pair, and sends the public key to the account owner. The owner adds the public key to the account's ~/.ssh/authorized_keys file on the server.
  • Each user configures a Subversion client to use his or her private key to access your account's repositories.

The procedures to do this are explained in this article.

Setting up Subversion tunneling

If you and your users follow the procedures above, they have access not only to your Subversion repositories, but full shell access as well. This is a potential security risk, and probably not the configuration you want.

Additionally, all changes to the Subversion repositories (also known as “commits”) are made under the same account username. There is no way to tell which user made a particular change.

To resolve these issues, you can set up SVN tunneling. SSH tunneling allows you to restrict shell access on a per-key basis. Additionally, you can assign SVN usernames to track changes by individual users.

To set up SVN tunneling, follow these steps:

  1. Log in to your account using SSH.
  2. Open the ~/.ssh/authorized_keys file in a text editor.
  3. Locate the key that corresponds to the user for which you want to restrict access.
  4. Add the following text to the start of the key data line:
    command="svnserve -t --tunnel-user=SVNNAME -r /home/USERNAME/REPOSITORY",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
    • Replace SVNNAME with the SVN username that you want to assign to the user. All commits that this user makes will be associated with this username.
    • Replace USERNAME with your A2 Hosting account username, and replace REPOSITORY with the directory where the repository is located. The -r option sets the user's virtual root directory. Users are prevented from accessing any directories above the repository directory.

    For example, the following line shows how to set up SVN tunneling for a user named kelly (the key data has been shortened for readability):

    command="svnserve -t --tunnel-user=kelly -r /home/username/myrepo",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAsaAPi1T…bdrU29eQ [email protected]
  5. Save the changes to the ~/.ssh/authorized_keys file. Users can now access repositories without a full shell. For example, the following command demonstrates how a user can list a repository. Note that because the virtual root directory has been set, the user does not specify the full /home/USERNAME/ path to the repository:

    svn list svn+ssh:[email protected]/project