# Svnserve Based Server


## Svnserve Based Server

### Introduction

In most cases svnserve is easier to set up and runs faster than the Apache
based server. And now that SASL support is included it is easy to
secure as well.

### Installing svnserve

This installer will set up svnserve as a Windows service, and also
includes some of the tools you need if you are going to use SASL for
security.

2. If you already have Subversion installed and svnserve is running, you need to stop it before continuing.

3. Run the Subversion installer. If you run the installer on your server (recommended) you can skip step 4.

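4. Open Windows Explorer, go to the bin directory of the Subversion installation directory (usually C:\Program Files\Subversion), and find the files svnserve.exe, intl3_svn.dll, libapr.dll, libapriconv.dll, libapriutil.dll, libdb*.dll, libeay32.dll and ssleay32.dll. Copy these files, or all of the files in the bin directory, into a directory on your server, e.g. c:\svnserve

### Running svnserve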

svnserve.exe --daemon

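svnserve will now wait for requests on port 3690. The --daemon option tells svnserve to run as a daemon process, so it does not exit until it is manually terminated.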

svn://localhost/repos/TestRepo

svnserve.exe --daemon --root drive:\path\to\repository\root

svnserve.exe --daemon --root c:\repos

svn://localhost/TestRepo

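Svnserve can serve any number of repositories. Just place them below the root directory you just defined, and access them using a URL relative to that root.

### Warning

#### Running svnserve as a Service

Running svnserve this way is usually not the best method. It means your server must always have a user logged in, and you must remember to restart
svnserve after the server is rebooted. The best method is to run svnserve as a Windows service. Starting with Subversion 1.4, svnserve

To install svnserve as a native Windows
service, execute the following command all on one line to create a
service which is automatically started when Windows starts.

sc create svnserve binpath= "c:\svnserve\svnserve.exe --service --root c:\repos" displayname= "Subversion" depend= tcpip start= auto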

If any of the paths include spaces, you have to use (escaped) quotes around the path, like this:

sc create svnserve binpath= "\"C:\Program Files\Subversion\bin\svnserve.exe\" --service --root c:\repos" displayname= "Subversion" depend= tcpip start= auto

You can also add a description after creating the service. This will show up in the Windows Services Manager.

sc description svnserve "Subversion server (svnserve)"

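### Tip

Microsoft now recommends that services run under either the Local Service or the Network Service account; see The Services and Service Accounts Security Planning Guide. To create the service under the Local Service account, append the following to the example above.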

obj= "NT AUTHORITY\LocalService"

svnservice -remove

### Basic Authentication with svnserve

The default svnserve setup provides anonymous read-only access. This means that you can use an svn://
URL to checkout and update, or use the repo-browser in TortoiseSVN to
view the repository, but you won't be able to commit any changes.

```
[general]
anon-access = write
```

```
[general]
anon-access = none
auth-access = write
password-db = userfile
```

### Better Security with SASL

#### What is SASL?

The
Cyrus Simple Authentication and Security Layer is open source software
written by Carnegie Mellon University. It adds generic authentication
and encryption capabilities to any network protocol, and as of
Subversion 1.5 and later, both the svnserve server and TortoiseSVN
client know how to make use of this library.

For a more complete discussion of the options available, you should look at the Subversion book in the section Using svnserve with SASL.
If you are just looking for a simple way to set up secure
authentication and encryption on a Windows server, so that your
repository can be accessed safely over the big bad Internet, read on.

#### SASL Authentication

To activate specific SASL mechanisms on the server, you'll need to do three things. First, create a [sasl] section in your repository's svnserve.conf file, with this key-value pair:

use-sasl = true

Second, create a file called svn.conf in a convenient location – typically in the directory where Subversion is installed.

Thirdly, create two new registry entries to tell SASL where to find things. Create a registry key named [HKEY_LOCAL_MACHINE\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library] and place two new string values inside it: SearchPath set to the directory path containing the sasl*.dll plug-ins (normally in the Subversion install directory), and ConfFile set to the directory containing the svn.conf file. If you used the CollabNet installer, these registry keys will already have been created for you.

Edit the svn.conf file to contain the following:

```
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5
sasldb_path: C:\TortoiseSVN\sasldb
```

The last line shows the location of the authentication database, which is a file called sasldb.
This could go anywhere, but a convenient choice is the repository
this  file.

If svnserve was already running, you will need to restart it to ensure it reads the updated configuration.

Now that everything is set up, all you need to do is create some users and passwords. To do this you need the saslpasswd2
program. If you used the CollabNet installer, that program will be in
the install directory. Use a command something like this:

saslpasswd2 -c -f C:\TortoiseSVN\sasldb -u realm username

The -f switch gives the database location, realm must be the same as the value you defined in your repository's svnserve.conf file, and username is exactly what you expect it to be. Note that the realm is not allowed to contain space characters.

You can list the usernames stored in the database using the sasldblistusers2 program.

#### SASL Encryption

To enable or disable different levels of encryption, you can set two values in your repository's svnserve.conf file:

```
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
```

The min-encryption and max-encryption
variables control the level of encryption demanded by the server. To
disable encryption completely, set both values to 0. To enable simple
checksumming of data (i.e., prevent tampering and guarantee data
integrity without encryption), set both values to 1. If you wish to
allow (but not require) encryption, set the minimum value to 0, and the
maximum value to some bit-length. To require encryption
unconditionally, set both values to numbers greater than 1. In our
previous example, we require clients to do at least 128-bit encryption,
but no more than 256-bit encryption.
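The following audit sketch is an added example, not part of the original documentation or of Subversion itself. It reads a repository's svnserve.conf and reports the settings discussed under Basic Authentication and SASL Encryption that leave the server open. The sample files, the realm name `TestRepo`, the finding codes and the fallback values 0 and 256 for absent encryption keys are assumptions.

```python
import configparser

WEAK = "[general]\nanon-access = write\n"  # constructed samples, not from a real server
HARDENED = """[general]
anon-access = none
auth-access = write
realm = TestRepo
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""

def encryption_policy(min_bits, max_bits):
    """Map min-/max-encryption to the cases listed in the SASL encryption section."""
    if min_bits > max_bits:
        return "invalid"
    if max_bits == 0:
        return "none"                # both 0: no protection at all
    if min_bits == 0:
        return "optional"            # a client may still negotiate no encryption
    if min_bits == 1:                # 1 means checksumming only
        return "integrity-only" if max_bits == 1 else "integrity-required"
    return "required"                # both > 1: encryption is mandatory

def audit(conf_text):
    """Return {finding_code: explanation} for the text of one svnserve.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    gen = cp["general"] if cp.has_section("general") else {}
    sasl = cp["sasl"] if cp.has_section("sasl") else {}
    findings = {}
    if gen.get("anon-access", "read").strip().lower() == "write":  # default is read
        findings["anon-write"] = "unauthenticated users can commit"
    if sasl.get("use-sasl", "false").strip().lower() != "true":
        findings["no-sasl"] = "SASL is off, so no encryption layer is negotiated"
        return findings
    # Assumption: svnserve falls back to 0 and 256 when these keys are absent.
    lo = int(sasl.get("min-encryption", "0"))
    hi = int(sasl.get("max-encryption", "256"))
    policy = encryption_policy(lo, hi)
    if policy != "required":
        findings["weak-encryption"] = f"encryption policy is '{policy}'"
    if " " in gen.get("realm", "").strip():
        findings["realm-space"] = "realm must not contain space characters"
    return findings

if __name__ == "__main__":
    print({"weak": audit(WEAK), "hardened": audit(HARDENED)})
```
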

### Authentication with svn+ssh

Another
way to authenticate users with a svnserve based server is to use a
secure shell (SSH) to tunnel requests through. It is not as simple to
set up as SASL, but it may be useful in some cases.

A basic method for setting up your server is given in Appendix G, Securing Svnserve using SSH. You can find other SSH topics within the FAQ by searching for “SSH”.

### Path-based Authorization with svnserve

```
[general]
authz-db = authz
```