Svnserve-based servers

Source: Internet
Author: User
Introduction

In some cases, Apache cannot be used as your server. Subversion includes svnserve, a lightweight stand-alone server that uses a custom protocol over an ordinary TCP/IP connection.

In most cases svnserve is easier to set up and runs faster than the Apache-based server. And now that SASL support is included, it is easy to secure as well.

Install svnserve
  1. Get the latest version of Subversion from http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=91. Alternatively, get a pre-packaged installer from CollabNet at http://www.collab.net/downloads/subversion. This installer will set up svnserve as a Windows service, and also includes some of the tools you need if you are going to use SASL for security.

  2. If you already have Subversion installed and svnserve is running, you need to stop it before continuing.

  3. Run the Subversion installer. If you run the installer on your server (recommended), you can skip step 4.

  4. Open Windows Explorer, go to the Subversion installation directory (usually C:\Program Files\Subversion) and, in the bin directory, find the files svnserve.exe, intl3_svn.dll, libapr.dll, libapriconv.dll, libapriutil.dll, libdb*.dll, libeay32.dll and ssleay32.dll. Copy these files, or all of the files in the bin directory, to a directory on your server, such as c:\svnserve.

Run svnserve

Now that svnserve has been installed, you need to run it on your server. The simplest way is to enter the following in a DOS shell, or to create a Windows shortcut for it:

svnserve.exe --daemon

svnserve will now wait for incoming requests on port 3690. The --daemon option tells svnserve to run as a daemon process, so it keeps running until it is terminated manually.

If you have not yet created a repository, follow the instructions in the "Configuration" section of the Apache server setup.

To verify that svnserve works properly, use TortoiseSVN → Repo-browser to view a repository.

Assuming your repository is located in c:\repos\TestRepo and your server is called localhost, enter:

svn://localhost/repos/TestRepo

when prompted by the repo-browser.

You can also use the --root option to set the root location and restrict access to a specified directory on the server, which increases security and saves typing when entering svnserve URLs:

svnserve.exe --daemon --root drive:\path\to\repository\root

Using the previous test as a guide, svnserve would now be run as:

svnserve.exe --daemon --root c:\repos

In TortoiseSVN, the repo-browser URL for our repository is now shortened to:

svn://localhost/TestRepo

Note that the --root option is also required when svnserve and the repository are located on different partitions or drives.

svnserve can serve any number of repositories. Just place them under the root directory you defined above, and access them using a URL relative to that root.

Warning

Do not create or access a Berkeley DB repository on a network share. It cannot exist on a remote file system, not even if the share is mapped to a drive letter. If you try to share a Berkeley DB repository over the network, the results are unpredictable: you may see strange errors immediately, or you may find months later that the database has been corrupted.

Run svnserve as a service

Running svnserve directly as an ordinary user is usually not the best approach. It means that a user must always be logged in on your server, and that someone has to remember to restart svnserve after the server reboots. A better way is to run svnserve as a Windows service. Starting with Subversion 1.4, svnserve can be installed as a Windows service.

To install svnserve as a Native Windows Service, execute the following command all on one line to create a service which is automatically started when Windows starts.

sc create svnserve binpath= "c:\svnserve\svnserve.exe --service --root c:\repos" displayname= "Subversion" depend= tcpip start= auto

If any of the paths include spaces, you have to use (escaped) quotes around the path, like this:

sc create svnserve binpath= "\"C:\Program Files\Subversion\bin\svnserve.exe\" --service --root c:\repos" displayname= "Subversion" depend= tcpip start= auto

You can also add a description after creating the service. This will show up in the Windows Services Manager.

sc description svnserve "Subversion server (svnserve)"

Note: the sc command line syntax is unusual. In key= value pairs there must be no space between the key and the =, but there must be a space before the value.

Tip

Microsoft recommends that services run under either the Local Service or the Network Service account. For more information, see The Services and Service Accounts Security Planning Guide. To create the service under the Local Service account, append the following to the example above.

obj= "NT AUTHORITY\LocalService"

Note that you need to grant the Local Service account appropriate permissions on the relevant directories, including Subversion itself, your repositories, and any applications used by hook scripts. The built-in group name for this account is "Local Service".

After the service is installed, you need to start it in the Services manager (this time only; it will start automatically when the server reboots).

For more information, see Windows Service Support for svnserve.

If you previously installed svnserve using the SvnService wrapper and now want to use the built-in service support instead, you need to unregister the wrapper as a service (remember to stop the service first!). Simply use the command

svnservice -remove

to remove the service.

Basic Authentication with svnserve

The default svnserve setup provides anonymous read-only access. This means that you can use an svn:// URL to check out and update, or use the repo-browser in TortoiseSVN to view the repository, but you won't be able to commit any changes.

To enable write access to a repository, edit the conf/svnserve.conf file. This file controls the configuration of the svnserve daemon and also contains useful documentation.

To enable anonymous write access, simply set:

[general]
anon-access = write

However, you will not know who made changes to the repository, because the svn:author property will be empty, and you cannot control who makes changes. This is a very dangerous setting.

One way to solve this problem is to create a password database:

[general]
anon-access = none
auth-access = write
password-db = userfile

Here userfile is a file in the same directory as svnserve.conf. This file can also live elsewhere in the file system (which is especially useful when multiple repositories share the same access rights), and can be referenced using an absolute path or a path relative to the conf directory. The userfile is structured as follows:

[general]
anon-access = none
auth-access = write
password-db = userfile

In this example, all unauthenticated (anonymous) users are denied access, and the users listed in userfile are given read-write access.

Tip

If you maintain multiple repositories using the same password database, using a single authentication realm will make your work easier, because TortoiseSVN can cache your credentials so that you only need to enter them once. For more information, refer to the sections Create user files and Domains and Client credential Cache in the Subversion manual.

Use SASL for enhanced security

What is SASL?

The Cyrus Simple Authentication and Security Layer is open source software written by Carnegie Mellon University. It adds generic authentication and encryption capabilities to any network protocol, and as of Subversion 1.5 and later, both the svnserve server and the TortoiseSVN client know how to make use of this library.

For a more complete discussion of the options available, you should look at the Subversion book in the section Using svnserve with SASL. If you are just looking for a simple way to set up secure authentication and encryption on a Windows server, so that your repository can be accessed safely over the big bad internet, read on.

SASL authentication

To activate specific SASL mechanisms on the server, you'll need to do three things. First, create a [sasl] section in your repository's svnserve.conf file, with this key-value pair:

use-sasl = true

Second, create a file called svn.conf in a convenient location, typically in the directory where Subversion is installed.

Thirdly, create two new registry entries to tell SASL where to find things. Create a registry key named [HKEY_LOCAL_MACHINE\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library] and place two new string values inside it: SearchPath, set to the directory path containing the sasl*.dll plug-ins (normally in the Subversion install directory), and ConfFile, set to the directory containing the svn.conf file. If you used the CollabNet installer, these registry keys will already have been created for you.

Edit the svn.conf file to contain the following:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5
sasldb_path: C:\TortoiseSVN\sasldb

The last line shows the location of the authentication database, which is a file called sasldb. This could go anywhere, but a convenient choice is the repository parent path. Make sure that the svnserve service has read access to this file.

If svnserve was already running, you will need to restart it to ensure it reads the updated configuration.

Now that everything is set up, all you need to do is create some users and passwords. To do this you need the saslpasswd2 program. If you used the CollabNet installer, that program will be in the install directory. Use a command something like this:

saslpasswd2 -c -f C:\TortoiseSVN\sasldb -u realm username

The -f switch gives the database location, realm must be the same as the value you defined in your repository's svnserve.conf file, and username is exactly what you expect it to be. Note that the realm is not allowed to contain space characters.

You can list the usernames stored in the database using the sasldblistusers2 program.

SASL Encryption

To enable or disable different levels of encryption, you can set two values in your repository's svnserve.conf file:

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

The min-encryption and max-encryption variables control the level of encryption demanded by the server. To disable encryption completely, set both values to 0. To enable simple checksumming of data (i.e., prevent tampering and guarantee data integrity without encryption), set both values to 1. If you wish to allow (but not require) encryption, set the minimum value to 0, and the maximum value to some bit-length. To require encryption unconditionally, set both values to numbers greater than 1. In our previous example, we require clients to do at least 128-bit encryption, but no more than 256-bit encryption.
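The settings from the basic authentication and SASL encryption sections can be checked mechanically. The following Python code is an added example, not part of the original page or of Subversion: it parses an svnserve.conf and flags anonymous write access, a missing SASL layer, and encryption that is not required. The sample configurations, finding codes and function names are constructed for illustration, and the fallback values for min-encryption and max-encryption (0 and 256) are assumed from the stock svnserve.conf template.

```python
import configparser

# Constructed samples: the anonymous-write setup the page warns about,
# and the password-db plus SASL setup it builds up to.
WEAK = "[general]\nanon-access = write\n"
HARDENED = """[general]
anon-access = none
auth-access = write
password-db = userfile
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""

def encryption_policy(min_bits, max_bits):
    """Classify a min-/max-encryption pair using the rules given in the text."""
    if min_bits > max_bits:
        return "invalid"            # server cannot demand more than it allows
    if min_bits > 1:
        return "required"           # both values greater than 1
    if max_bits == 0:
        return "disabled"           # both values 0
    if min_bits == 1 and max_bits == 1:
        return "integrity-only"     # checksumming, no encryption
    return "optional"               # clients may negotiate encryption away

def audit(conf_text):
    """Return a list of finding codes (names are hypothetical) for one svnserve.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    # Per the page, the default setup gives anonymous read-only access.
    if cp.get("general", "anon-access", fallback="read") == "write":
        findings.append("ANON_WRITE")   # anyone can commit, svn:author stays empty
    if not cp.getboolean("sasl", "use-sasl", fallback=False):
        findings.append("NO_SASL")      # encryption settings do not apply at all
        return findings
    # Assumed fallbacks when the keys are absent: min 0, max 256.
    policy = encryption_policy(
        cp.getint("sasl", "min-encryption", fallback=0),
        cp.getint("sasl", "max-encryption", fallback=256))
    if policy != "required":
        findings.append("ENCRYPTION_" + policy.upper().replace("-", "_"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```
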

Use SVN + SSH Authentication

Another way to authenticate users with a svnserve-based server is to use a Secure Shell (SSH) to tunnel requests through. It is not as simple to set up as SASL, but it may be useful in some cases.

With this method, svnserve is not started as a daemon. Instead, SSH starts svnserve for you and uses SSH to authorize the user who runs it. Therefore, you need to have an SSH daemon on your server.

A basic method for setting up your server is given in Appendix G, Use SSH to make the server more secure. You can find other SSH topics within the FAQ by searching for "ssh".

For more information about svnserve, see Use Subversion for Version Management.

Svnserve path-based authorization

Starting with Subversion 1.3, svnserve supports the mod_authz_svn path-based authorization scheme. You must edit conf/svnserve.conf so that it references your authorization file.

[general]
authz-db = authz

Here, authz is the file you create to define access permissions. You can use a separate file for each repository, or use the same file for all repositories. For details about the file format, refer to the "Path-based authorization" section.
