Securing the Server with SSH


Appendix G. Securing the Server with SSH


This section provides a step-by-step guide to setting up Subversion and TortoiseSVN to use the svn+ssh protocol. If you already use authenticated SSH connections to log in to your server, then you are already there and you can find more detail in the Subversion book. If you are not using SSH but would like to do so to protect your Subversion installation, this guide gives a simple method which does not involve creating a separate SSH user account on the server for every Subversion user.

In this implementation we create a single SSH user account for all Subversion users, and use different authentication keys to differentiate between the real Subversion users.

In this appendix we assume that you already have the Subversion tools installed, and that you have created a repository as detailed elsewhere in this manual. Note that you should not start svnserve as a service or daemon when used with SSH.

Much of the information here comes from a tutorial provided by Marc Logemann, which can be found at www.logemann.org. Additional information on setting up a Windows server was provided by Thorsten Müller. Thanks guys!

Setting Up a Linux Server

You need to have SSH enabled on the server, and here we assume that you will be using OpenSSH. On most distributions this will already be installed. To find out, type:

ps xa | grep sshd

and look for ssh jobs.

One point to note is that if you build Subversion from source and do not provide any argument to ./configure, Subversion creates a bin directory under /usr/local and places its binaries there. If you want to use tunneling mode with SSH, you have to be aware that the user logging in via SSH needs to execute the svnserve program and some other binaries. For this reason, either place /usr/local/bin into the PATH variable or create symbolic links of your binaries to the /usr/sbin directory, or to any other directory which is commonly in the PATH.

To check that everything is OK, log in as the target user with SSH and type:

which svnserve

This command should tell you if svnserve is reachable.

Create a new user which we will use to access the svn repository:

useradd -m svnuser

Be sure to give this user full access rights to the repository.
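
The two requirements above (svnserve reachable through the PATH, and svnuser having full access to the repository) can be checked with a short script. This is an added example, not part of the original guide: the function and script names are hypothetical, and flagging world-writable files assumes that access is granted by ownership rather than by open permissions.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are
# hypothetical; "svnuser" is the shared account created above.

# find_in_path NAME PATHSTRING
# Print the first executable NAME in the colon-separated PATHSTRING and
# return 0, or return 1 if there is none. Passing the PATH explicitly lets
# you test the PATH of a non-interactive SSH session, which can differ
# from the PATH of your login shell.
find_in_path() {
    rest="$2:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -n "$dir" ] || continue      # skip empty entries (they mean ".")
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
}

# repo_access_problems REPO USER
# List every non-symlink entry under REPO that is not owned by USER, that
# its owner cannot read and write (mode lacks 0600), or that is
# world-writable (mode has 0002). No output means USER owns everything
# with read/write permission and nothing is world-writable.
repo_access_problems() {
    find "$1" ! -type l \( ! -user "$2" -o ! -perm -600 -o -perm -002 \) -print
}

# Usage: sh svn-ssh-preflight.sh /path/to/repo svnuser
if [ "$#" -eq 2 ]; then
    find_in_path svnserve "$PATH" || echo "svnserve not found in PATH=$PATH"
    repo_access_problems "$1" "$2"
fi
```

Run it as svnuser over SSH so that the PATH it inspects is the one svnserve will actually be looked up in.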