Friday, February 12, 2010

SVN+SSH With TortoiseSVN


First, a quick introduction to what's going on, if you haven't used SSH with keys before. The idea of using keys is to avoid using passwords - instead, your public key is on the server and when you connect, you identify yourself with your private key (which, as the name suggests, should only be available to you). You can read details of how it works and what it involves over at http://sshkeychain.sourceforge.net/mirrors/SSH-with-Keys-HOWTO/SSH-with-Keys-HOWTO-3.html.

A. Get your public and private keys
  1. Login to the machine to which you’ll be connecting (the host where the SVN server is running).
  2. Generate a 1024-bit DSA key, protected by a passphrase and named mykey, using the command ssh-keygen -b 1024 -t dsa -N passphrase -f mykey (replace passphrase with an actual passphrase of your choice – it needn’t be the same as your account password; in fact, it might make sense for it not to be). Note that a passphrase given with -N ends up in your shell history and is visible to anyone listing processes while the command runs; if you leave -N out, ssh-keygen prompts for it instead.
  3. The files mykey and mykey.pub will be created – the private and public keys respectively.
  4. In your home directory, create a new directory named .ssh – and use the command chmod 700 .ssh to set the appropriate permissions on that folder.
  5. Copy the public key to this folder and rename it to authorized_keys (cp mykey.pub /home-directory/.ssh/authorized_keys) and then set the appropriate permissions (chmod 600 authorized_keys). In older implementations, authorized_keys2 was the name used for this file.
  6. Copy the private key (mykey) to the machine from which you’ll make the connection (the client where TortoiseSVN will be used).
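The server-side part of section A, scripted as an added example (this is not from the original post): it creates .ssh with mode 700, installs a public key into authorized_keys with mode 600, and then checks that both modes are what the post prescribes, which is the detail the UPDATE below says was originally mixed up. It assumes a POSIX shell with ls, cut, mkdir and mktemp and does not need ssh-keygen; the sample public key line is constructed, not a real key. It appends to authorized_keys rather than copying over it, so keys already installed for other clients are kept, and it works the same whether the pair was generated on the server as in step A.2 or on the client as a commenter below recommends (in which case only the .pub file ever leaves the client).

```shell
#!/bin/sh
# Added example, not from the original post: the server-side half of section A
# as functions, so the .ssh permissions can be checked instead of remembered.
# Assumes POSIX sh with ls, cut, mkdir and mktemp; ssh-keygen is not needed.

# mode_of PATH: print the 10-character mode string from ls, e.g. drwx------
# (empty when PATH does not exist).
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# install_pubkey HOME_DIR PUBKEY_FILE: create HOME_DIR/.ssh (chmod 700) and
# append the public key to authorized_keys (chmod 600). Appending keeps keys
# already installed for other clients; the post's cp would overwrite them.
install_pubkey() {
    home_dir=$1
    pubkey=$2
    [ -f "$pubkey" ] || { echo "no such public key file: $pubkey" >&2; return 1; }
    mkdir -p "$home_dir/.ssh" || return 1
    chmod 700 "$home_dir/.ssh" || return 1
    cat "$pubkey" >>"$home_dir/.ssh/authorized_keys" || return 1
    chmod 600 "$home_dir/.ssh/authorized_keys"
}

# check_ssh_perms HOME_DIR: succeed only when .ssh is drwx------ (700) and
# authorized_keys is -rw------- (600); report each deviation on stderr.
check_ssh_perms() {
    home_dir=$1
    rc=0
    dir_mode=$(mode_of "$home_dir/.ssh")
    key_mode=$(mode_of "$home_dir/.ssh/authorized_keys")
    if [ "$dir_mode" != "drwx------" ]; then
        echo ".ssh: mode '$dir_mode', expected drwx------ (chmod 700 .ssh)" >&2
        rc=1
    fi
    if [ "$key_mode" != "-rw-------" ]; then
        echo "authorized_keys: mode '$key_mode', expected -rw------- (chmod 600 authorized_keys)" >&2
        rc=1
    fi
    return $rc
}

# count_keys HOME_DIR: number of key lines (non-blank, non-comment) in
# authorized_keys; 0 when the file is missing.
count_keys() {
    f=$1/.ssh/authorized_keys
    if [ -f "$f" ]; then
        grep -v '^[[:space:]]*#' "$f" | grep -c '[^[:space:]]' || true
    else
        echo 0
    fi
}

# Stand-alone demo on a throwaway directory. The key line is a constructed
# placeholder in the authorized_keys format (type, base64 blob, comment).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructedSampleKeyNotReal= mykey\n' >"$tmp/mykey.pub"
    install_pubkey "$tmp/home" "$tmp/mykey.pub"
    if check_ssh_perms "$tmp/home"; then
        echo "ok: $(count_keys "$tmp/home") key(s) installed with the expected permissions"
    fi
    rm -rf "$tmp"
}

demo
```

On a real server you would call install_pubkey with your own home directory and the .pub file that was transferred to it; check_ssh_perms is worth running again after any later edit to the folder, since a stray chmod on either path is enough to make sshd fall back to password prompts.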
B. Test the connection with PuTTY, PuTTYgen and Pageant
  1. The problem here is that the key generated on the host isn’t directly usable by PuTTY; it must be converted using PuTTYgen. Use Conversions > Import key to import your private key (mykey) and then Save private key as mykey.ppk (or whatever you prefer).
  2. In PuTTY, create a new session with mykey.ppk as the private key under SSH > Auth > Private key file for authentication.
  3. Try to connect – if you’ve not specified the username as part of the host name (in the form username@host), you’ll be prompted for the username but not for the password. You should see something like
    Using username "username".
    Authenticating with public key "imported-openssh-key" from agent
    Last login: Fri Feb 12 17:21:41 2010 from c-99-250-91-125.hmd2.ca.comcast.net
  4. Once you’ve verified that your key works, you can optionally use Pageant to hold your keys (perhaps for multiple user names) instead of specifying a key in the session details – choose Add Key, select the private key and enter its passphrase – the key should then appear in Pageant's list.
  5. Try to connect via PuTTY, except this time, remove the private key from SSH > Auth > Private key file for authentication – PuTTY should then use the key details from Pageant.
 To avoid having TortoiseSVN (or PuTTY) prompt you for the username when connecting, you can use the form username@host/repo-path to attempt the connection with the login username.

C. Connecting with TortoiseSVN
You can tell TortoiseSVN how to connect to your repository in different ways – by giving the name of the PuTTY session you created above or by using Pageant; I used Pageant.
  1. Make sure you’ve got Pageant running and have imported the key as described above.
  2. The repository URL should be of the form svn+ssh://hostname/repo-path. For a saved PuTTY session, the URL svn+ssh://PuTTY-Connection-Name/repo-path should be used instead.
  3. This should be enough to connect to the SVN server.

 If you keep getting a dialog titled TortoisePlink that asks you to 'login as', then you're probably seeing the bug described at
http://old.nabble.com/Bug-with-TortoisePlink-td18812277.html. The workaround that the poster described is to clear the value for the registry key HKEY_CURRENT_USER > Software > SimonTatham > Putty > Sessions > Default Settings > HostName.

Apparently if there is a hostname specified in the default connection in PuTTY, this problem manifests itself. Even if you don't see any value in the PuTTY interface, you should clear the key in the registry.

 As always, be warned that editing the registry is fraught with danger, so back up and think twice before changing anything.

 If you're not using keys, you'll probably see the dialogs asking for username and password pop up over and over - with the repository I'm connecting to, I have to authenticate thrice when I first try to browse the repository and subsequently, once more for every new directory I select. So it seems like a new connection is set up for every request, but I'm not sure.
 

 UPDATE [1630 18 Feb 2010]: I'd mixed up the permissions for the .ssh folder and the authorized_keys file. Also added some more information and a fix for the TortoisePlink 'login as' dialog.

7 comments:

alexxio said...

What if I use it with a non-standard port instead of 22?

aakashi said...

This is a nice tutorial post. I found it so useful.

Anonymous said...

You can use the Tortoise plink.exe facility to connect to the host by setting the Windows environment variable from the "Advanced" dialog setting "SVN_SSH" to
"your tortoise bin\plink.exe" -i your.ppk

Anonymous said...

This solution did not work for me but I was able to find another one. Open regedit and go to 'HKEY_CURRENT_USER>Software>Simon Tatham>PuTTY>Sessions'. On my Windows 7 machine, there is no 'Default Settings' visible at this registry location. However, if you click on the SVN server under 'Sessions', and edit the 'UserName' attribute to add your username, then TortoisePlink will stop prompting you every time you want to do an SVN checkout, checkin, etc. This worked for me.

Frode Nilsen said...

I think security experts would cringe when reading this tutorial. You should never copy the private key out of the host system.

The correct procedure is to generate a private/public key pair on the client machine instead, using PuTTYgen. Import the client key into Pageant and configure the PuTTY connection to use it. Then copy the public key of that pair to the host system's authorized_keys file, and you're done.

Anonymous said...

This post and the comments were a huge help to me in setting up SVN+SSH. Definitely a great page to bookmark. Thanks!

Anonymous said...

thanks... went many other places and then found this, magic bullet.