Introduction
In some cases, Apache cannot be used as your server. Subversion includes svnserve, a lightweight stand-alone server which uses a custom protocol over an ordinary TCP/IP connection.
In most cases svnserve is easier to set up and runs faster than the Apache-based server. And now that SASL support is included, it is easy to secure as well.
Install svnserve
1. Get the latest version of Subversion from http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=91. Alternatively, get a pre-packaged installer from CollabNet at http://www.collab.net/downloads/subversion. This installer will set up svnserve as a Windows service, and also includes some of the tools you need if you are going to use SASL for security.
2. If you already have a version of Subversion installed and svnserve is running, you need to stop it before continuing.
3. Run the Subversion installer. If you run the installer on your server (recommended), you can skip step 4.
4. Open Windows Explorer, go to the Subversion installation directory (usually C:\Program Files\Subversion) and, in the bin directory, find the files svnserve.exe, intl3_svn.dll, libapr.dll, libapriconv.dll, libapriutil.dll, libdb*.dll, libeay32.dll and ssleay32.dll. Copy these files, or all of the files in the bin directory, to a directory on your server, such as c:\svnserve.
Run svnserve
Now that svnserve is installed, you need to run it on your server. The simplest way is to run the following from a DOS window, or to create a Windows shortcut for it:
svnserve.exe --daemon
svnserve will now start waiting for incoming requests on port 3690. The --daemon option tells svnserve to run as a daemon process, so that it keeps running until it is terminated manually.
If you have not yet created a repository, follow the instructions in the "Configuration" section of the Apache server setup.
To verify that svnserve is working, use TortoiseSVN → Repo-browser to view a repository.
Assuming your repository is located in c:\repos\TestRepo and your server is called localhost, enter:
svn://localhost/repos/TestRepo
when prompted by the repo-browser.
You can also use the --root option to set the root location. This restricts access to that directory on the server, which increases security, and it shortens the svnserve URLs you have to type:
svnserve.exe --daemon --root drive:\path\to\repository\root
Using the previous test as an example, svnserve would now be run as:
svnserve.exe --daemon --root c:\repos
In TortoiseSVN, the repo-browser URL for our repository is now shortened to:
svn://localhost/TestRepo
Note that the --root option is also required when svnserve and the repository are located on different partitions or drives.
svnserve can serve any number of repositories. You just need to put these repositories under the root directory you just defined, and then access them using a URL relative to that root.
Warning
Do not create or access a Berkeley DB repository on a network share. It cannot exist on a remote file system, not even if the share is mapped to a drive letter. If you attempt to use Berkeley DB on a network share, the results are unpredictable: you may see strange errors immediately, or it may be months before you discover that your repository database has been damaged.
Run svnserve as a service
Running svnserve directly under an ordinary user account is usually not the best method. It means that a user must always be logged in on your server, and someone must remember to restart svnserve after the server is rebooted. A better way is to run svnserve as a Windows service. Starting with Subversion 1.4, svnserve can be installed as a native Windows service.
To install svnserve as a Native Windows Service, execute the following command all on one line to create a service which is automatically started when Windows starts.
sc create svnserve binpath= "c:\svnserve\svnserve.exe --service --root c:\repos" displayname= "Subversion" depend= tcpip start= auto
If any of the paths include spaces, you have to use (escaped) quotes around the path, like this:
sc create svnserve binpath= "\"C:\Program Files\Subversion\bin\svnserve.exe\" --service --root c:\repos" displayname= "Subversion" depend= tcpip start= auto
You can also add a description after creating the service. This will show up in the Windows Services Manager.
sc description svnserve "Subversion server (svnserve)"
Note: the sc command line is rather particular. In the key= value pairs there must be no space between the key and the =, but there must be a space before the value.
Tip
Microsoft recommends that services run under either the Local Service or the Network Service account. For more information, see "The Services and Service Accounts Security Planning Guide". To create the service under the Local Service account, append the following to the example above.
obj= "NT AUTHORITY\LocalService"
Note that you need to grant the Local Service account appropriate permissions on several directories, including Subversion itself, your repository, and any applications used by hook scripts. The built-in group name of this account is "local service".
After the service is installed, you need to start it in the Service Manager (this time only; when the server is restarted, it will start automatically).
For more information, see "Windows Service Support for svnserve".
If you previously installed svnserve using the SvnService wrapper and now want to use the built-in service support instead, you need to remove the wrapper as a service (remember to stop the service first!). Simply use the command
svnservice -remove
to remove the service.
Basic Authentication with svnserve
The default svnserve setup provides anonymous read-only access. This means that you can use an svn:// URL to check out and update, or use the repo-browser in TortoiseSVN to view the repository, but you won't be able to commit any changes.
To enable write access to a repository, you need to edit the conf/svnserve.conf file in your repository directory. This file controls the configuration of the svnserve daemon and also contains useful documentation.
To enable anonymous write access, you only need to set:
[general]
anon-access = write
However, you will not know who has made changes to the repository, because the svn:author property will be empty, and you cannot control who makes those changes. This is a very dangerous setting.
One way to solve this problem is to create a password database:
[general]
anon-access = none
auth-access = write
password-db = userfile
Here userfile is a file in the same directory as svnserve.conf. This file can also live elsewhere in the file system (which is especially useful when multiple repositories share the same access permissions), and may be referenced using an absolute path or a path relative to the conf directory.
The userfile should have the following structure:
[users]
username = password
In this example, all unauthenticated (anonymous) users are denied access, and the users listed in userfile are given read and write access.
Tip
If you maintain multiple repositories using the same password database, using one authentication realm will make your work easier, because TortoiseSVN can cache your credentials so that you only have to enter them once. For more information, refer to the sections "Create user files and Domains" and "Client credential Cache" in the Subversion manual.
Use SASL for enhanced security
What is SASL?
The Cyrus Simple Authentication and Security Layer is open source software written by Carnegie Mellon University. It adds generic authentication and encryption capabilities to any network protocol, and as of Subversion 1.5 and later, both the svnserve server and the TortoiseSVN client know how to make use of this library.
For a more complete discussion of the options available, you should look at the Subversion book in the section "Using svnserve with SASL". If you are just looking for a simple way to set up secure authentication and encryption on a Windows server, so that your repository can be accessed safely over the big bad internet, read on.
SASL authentication
To activate specific SASL mechanisms on the server, you'll need to do three things. First, create a [sasl] section in your repository's svnserve.conf file, with this key-value pair:
use-sasl = true
Second, create a file called svn.conf in a convenient location, typically in the directory where Subversion is installed.
Third, create two new registry entries to tell SASL where to find things. Create a registry key named [HKEY_LOCAL_MACHINE\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library] and place two new string values inside it: SearchPath, set to the directory path containing the sasl*.dll plug-ins (normally in the Subversion install directory), and ConfFile, set to the directory containing the svn.conf file. If you used the CollabNet installer, these registry keys will already have been created for you.
Edit the svn.conf file to contain the following:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5
sasldb_path: C:\TortoiseSVN\sasldb
The last line shows the location of the authentication database, which is a file called sasldb. This could go anywhere, but a convenient choice is the repository parent path. Make sure that the svnserve service has read access to this file.
If svnserve was already running, you will need to restart it to ensure it reads the updated configuration.
Now that everything is set up, all you need to do is create some users and passwords. To do this you need the saslpasswd2 program. If you used the CollabNet installer, that program will be in the install directory. Use a command something like this:
saslpasswd2 -c -f C:\TortoiseSVN\sasldb -u realm username
The -f switch gives the database location, realm must be the same as the value you defined in your repository's svnserve.conf file, and username is exactly what you expect it to be. Note that the realm is not allowed to contain space characters.
You can list the usernames stored in the database using the sasldblistusers2 program.
SASL Encryption
To enable or disable different levels of encryption, you can set two values in your repository's svnserve.conf file:
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
The min-encryption and max-encryption variables control the level of encryption demanded by the server. To disable encryption completely, set both values to 0. To enable simple checksumming of data (i.e., prevent tampering and guarantee data integrity without encryption), set both values to 1. If you wish to allow (but not require) encryption, set the minimum value to 0, and the maximum value to some bit-length. To require encryption unconditionally, set both values to numbers greater than 1. In our previous example, we require clients to do at least 128-bit encryption, but no more than 256-bit encryption.
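The access rules from "Basic Authentication with svnserve" and the encryption levels described above can be checked mechanically. The following is an added example, not part of the original manual or of Subversion: a small Python audit of a svnserve.conf file. The finding codes and the two sample files are constructed for illustration.

```python
import configparser

# Constructed sample: weak settings this page warns about.
WEAK_CONF = """\
[general]
anon-access = write

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
"""

# The values from this page's own examples, combined into one file.
HARDENED_CONF = """\
[general]
anon-access = none
auth-access = write
password-db = userfile

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""

def audit_svnserve_conf(text):
    """Return a sorted list of finding codes (hypothetical names) for one file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    general = cp["general"] if cp.has_section("general") else {}
    sasl = cp["sasl"] if cp.has_section("sasl") else {}
    findings = set()
    # The page states the default setup is anonymous read-only.
    anon = general.get("anon-access", "read").strip().lower()
    if anon in ("read", "write"):
        findings.add("ANON_" + anon.upper())  # ANON_WRITE leaves svn:author empty
    use_sasl = sasl.get("use-sasl", "false").strip().lower() == "true"
    if not use_sasl and "password-db" not in general:
        findings.add("NO_USER_DATABASE")  # nothing to authenticate against
    if use_sasl:
        lo, hi = sasl.get("min-encryption"), sasl.get("max-encryption")
        if lo is None or hi is None:
            findings.add("ENCRYPTION_NOT_SET")  # file does not demand a level
        elif int(hi) < int(lo):
            findings.add("ENCRYPTION_RANGE_INVALID")
        elif int(lo) == 0:
            # 0/0 disables encryption; 0/N allows but does not require it
            findings.add("ENCRYPTION_DISABLED" if int(hi) == 0 else "ENCRYPTION_OPTIONAL")
        elif int(lo) == 1:
            findings.add("INTEGRITY_ONLY_MINIMUM")  # checksumming, no secrecy
    return sorted(findings)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_svnserve_conf(conf))
```

An empty list means the file denies anonymous access, names a credential source, and requires encryption when SASL is in use.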
Use SVN + SSH Authentication
Another way to authenticate users with a svnserve-based server is to use a Secure Shell (SSH) to tunnel requests through. It is not as simple to set up as SASL, but it may be useful in some cases.
With this method, svnserve is not started as a daemon. Instead, SSH starts svnserve for you and runs it as the SSH-authenticated user. Therefore, you need to have an SSH daemon on your server.
A basic method for setting up your server is given in Appendix G, "Use SSH to make the server more secure". You can find other SSH topics within the FAQ by searching for "ssh".
For more information about svnserve, see "Use Subversion for Version Management".
Svnserve path-based authorization
Starting with Subversion 1.3, svnserve supports mod_authz_svn path-based authorization. You must edit conf/svnserve.conf so that it references the authorization file.
[general]
authz-db = authz
Here, authz is the file you created to define access permissions. You can use a separate file for each repository, or use the same file for all repositories. For details about the file format, refer to the "Path-based authorization" section.