Can I authenticate to Subversion using ssh?
Hi We run a Jenkins job that lists the branches and tags of a certain svn repository by running 'svn ls'. The command, of course, requires svn authentication and so a password must be provided. Jenkins has a svn plugin which allows it to check out from svn repositories, using stored credentials, before running a job. As far as I know, the job itself can't access those credentials. The job script could provide the password but that is very insecure. I have gotten around this in the past by using gnome keyring, but I find that very hard to install on a headless server, so I have a problem of how to provide the password. So my question is: is it possible to authenticate to svn, i.e. run svn commands, using ssh key-based authentication instead of using a password? If so, can you point me in the right direction please? Best regards David
Re: Can I authenticate to Subversion using ssh?
Den tis 19 jan. 2021 kl 10:47 skrev David Aldrich < david.aldrich.n...@gmail.com>: > Hi > > We run a Jenkins job that lists the branches and tags of a certain svn > repository by running 'svn ls'. > > The command, of course, requires svn authentication and so a password must > be provided. Jenkins has a svn plugin which allows it to check out from > svn repositories, using stored credentials, before running a job. As far > as I know, the job itself can't access those credentials. The job script > could provide the password but that is very insecure. I have gotten around > this in the past by using gnome keyring, but I find that very hard to > install on a headless server, so I have a problem of how to provide the > password. > > So my question is: is it possible to authenticate to svn, i.e. run svn > commands, using ssh key-based authentication instead of using a password? > > If so, can you point me in the right direction please? > This is possible to tunnel the connection through SSH in which case you only need to authenticate the SSH connection (for example using keys). However it require some support/configuration on the server side so it depends on the server. The process is fairly well described in the Subversion book: http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html Kind regards, Daniel Sahlberg >
Re: Can I authenticate to Subversion using ssh?
Hi Daniel Thanks for your reply. I've had a look at the Subversion book and done some Googling. It isn't easy to know how to configure svn on the server for ssh. We use the Collabnet Edge distribution of Subversion, which we believe only supports http/https - not svnserve. Do you (or anyone else reading this) know whether it would be possible to install svnserve on the same server as used for Edge, (or even on different servers with replication of repos)? We use 'svn_access_file' for access permissions. Is svnserve compatible with svn_access_file? With best regards David On Tue, Jan 19, 2021 at 10:03 AM Daniel Sahlberg < daniel.l.sahlb...@gmail.com> wrote: > Den tis 19 jan. 2021 kl 10:47 skrev David Aldrich < > david.aldrich.n...@gmail.com>: > >> Hi >> >> We run a Jenkins job that lists the branches and tags of a certain svn >> repository by running 'svn ls'. >> >> The command, of course, requires svn authentication and so a password >> must be provided. Jenkins has a svn plugin which allows it to check out >> from svn repositories, using stored credentials, before running a job. As >> far as I know, the job itself can't access those credentials. The job >> script could provide the password but that is very insecure. I have gotten >> around this in the past by using gnome keyring, but I find that very hard >> to install on a headless server, so I have a problem of how to provide the >> password. >> >> So my question is: is it possible to authenticate to svn, i.e. run svn >> commands, using ssh key-based authentication instead of using a password? >> >> If so, can you point me in the right direction please? >> > > This is possible to tunnel the connection through SSH in which case you > only need to authenticate the SSH connection (for example using keys). > However it require some support/configuration on the server side so it > depends on the server. > > The process is fairly well described in the Subversion book: > http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html > > Kind regards, > Daniel Sahlberg > >>
svn info tree conflicts bug using svn 1.10.6?
I appear to be getting incorrect results reported by "svn info --xml" for a file which has tree conflicts. I'm testing with svn 1.10.6 (and 1.9.12 which doesn't have this problem). The results from "svn info" for the conflicted file appear correct. However, "svn info --xml" reports the wrong information for "source-right" (it appears to repeat the information given for "source-left"?). Further details are given below. Is this a known issue? Is it fixed in the latest release? This is the script I've used to reproduce the problem: #!/bin/bash set -eu svn --version | head -1 TEST_DIR=$(mktemp -d) svnadmin create $TEST_DIR/test-repos REPOS_URL="file://$TEST_DIR/test-repos" svn mkdir -q -m "" $REPOS_URL/trunk svn copy -q -m "" $REPOS_URL/trunk@1 $REPOS_URL/branch1 svn copy -q -m "" $REPOS_URL/trunk@1 $REPOS_URL/branch2 svn checkout -q $REPOS_URL/branch1 $TEST_DIR/wc cd $TEST_DIR/wc echo "Test 1" > file svn add -q file svn commit -q -m "" svn switch -q $REPOS_URL/branch2 echo "Test 2" > file svn add -q file svn commit -q -m "" svn update -q svn merge --non-interactive $REPOS_URL/branch1 echo === svn info file svn info file echo === svn info --xml file svn info --xml file cd $OLDPWD rm -rf $TEST_DIR "svn info file" reports the following: ... Tree conflict: local file obstruction, incoming file add upon merge Source left: (none) ^/trunk/file@1 Source right: (file) ^/branch1/file@5 Using svn 1.10.6, "svn info --xml file" reports the following: ... You can see the information for "source-right" is not correct. It works fine with svn 1.9.12: I've tested with other sorts of tree conflict - they all show the same problem. Thanks, David
Re: Can I authenticate to Subversion using ssh?
On Tue, Jan 19, 2021 at 12:39 PM David Aldrich wrote: > Hi Daniel > > Thanks for your reply. I've had a look at the Subversion book and done > some Googling. It isn't easy to know how to configure svn on the server for > ssh. > > We use the Collabnet Edge distribution of Subversion, which we believe only > supports http/https - not svnserve. > Correct. SVN Edge does not support svnserve or SSH. That said, I believe the svnserve binary is included. So if you want to use it, then it would be up to you to configure everything for it. Might be easier to just look for another way to inject a secret into your script. I think, as an example, there are Jenkins plugins that can take a secure Jenkins credential and set them as environment variable for the job. So your script could get the password from an environment variable. As with everything Jenkins there is probably more than one way to do this, but here is one I have used: https://plugins.jenkins.io/credentials-binding/ Mark
Re: Can I authenticate to Subversion using ssh?
Hi Mark Thanks for your reply - that's very helpful. Best regards David On Tue, Jan 19, 2021 at 5:45 PM Mark Phippard wrote: > On Tue, Jan 19, 2021 at 12:39 PM David Aldrich < > david.aldrich.n...@gmail.com> wrote: > >> Hi Daniel >> >> Thanks for your reply. I've had a look at the Subversion book and done >> some Googling. It isn't easy to know how to configure svn on the server for >> ssh. >> >> We use the Collabnet Edge distribution of Subversion, which we believe only >> supports http/https - not svnserve. >> > > > Correct. SVN Edge does not support svnserve or SSH. That said, I > believe the svnserve binary is included. So if you want to use it, then it > would be up to you to configure everything for it. Might be easier to just > look for another way to inject a secret into your script. I think, as an > example, there are Jenkins plugins that can take a secure Jenkins > credential and set them as environment variable for the job. So your script > could get the password from an environment variable. > > As with everything Jenkins there is probably more than one way to do this, > but here is one I have used: > > https://plugins.jenkins.io/credentials-binding/ > > Mark >
Re: svn info tree conflicts bug using svn 1.10.6?
On Tue, Jan 19, 2021 at 12:45 PM Matthews, David wrote: > > I appear to be getting incorrect results reported by "svn info --xml" for a > file which has tree conflicts. > > I'm testing with svn 1.10.6 (and 1.9.12 which doesn't have this problem). Without digging deeper yet, I see it with 1.13.0 as well: 'svn info' output is correct, but with '--xml' it shows the wrong right side of conflict. Thanks for the reproduction script and version numbers. This information is extremely helpful. I'll let you know what I find... Nathan
Re: Can I authenticate to Subversion using ssh?
On Tue, Jan 19, 2021 at 5:03 AM Daniel Sahlberg wrote: > > Den tis 19 jan. 2021 kl 10:47 skrev David Aldrich > : >> >> Hi >> >> We run a Jenkins job that lists the branches and tags of a certain svn >> repository by running 'svn ls'. >> >> The command, of course, requires svn authentication and so a password must >> be provided. Jenkins has a svn plugin which allows it to check out from svn >> repositories, using stored credentials, before running a job. As far as I >> know, the job itself can't access those credentials. The job script could >> provide the password but that is very insecure. I have gotten around this in >> the past by using gnome keyring, but I find that very hard to install on a >> headless server, so I have a problem of how to provide the password. >> >> So my question is: is it possible to authenticate to svn, i.e. run svn >> commands, using ssh key-based authentication instead of using a password? >> >> If so, can you point me in the right direction please? > > > This is possible to tunnel the connection through SSH in which case you only > need to authenticate the SSH connection (for example using keys). However it > require some support/configuration on the server side so it depends on the > server. > > The process is fairly well described in the Subversion book: > http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html It does require some thought. It can be noticeably easier to support than httpd and mod_dav based access, especially when a webserver is already in place and doing a lot of production critical work.
Re: svn info tree conflicts bug using svn 1.10.6?
In article hartman.nat...@gmail.com writes: > On Tue, Jan 19, 2021 at 12:45 PM Matthews, David > wrote: > > > > I appear to be getting incorrect results reported by "svn info --xml" for a > > file which has tree conflicts. > > > > I'm testing with svn 1.10.6 (and 1.9.12 which doesn't have this problem). > > Without digging deeper yet, I see it with 1.13.0 as well: 'svn info' > output is correct, but with '--xml' it shows the wrong right side of > conflict. ... and trunk r1885656 as well. Parhaps this will fix it: [[[ Index: subversion/svn/cl-conflicts.c === --- subversion/svn/cl-conflicts.c (revision 1885656) +++ subversion/svn/cl-conflicts.c (working copy) @@ -452,7 +452,7 @@ repos_root_url, repos_relpath, peg_rev, node_kind, pool)); - SVN_ERR(svn_client_conflict_get_incoming_old_repos_location(&repos_relpath, + SVN_ERR(svn_client_conflict_get_incoming_new_repos_location(&repos_relpath, &peg_rev, &node_kind, conflict, ]]] Cheers, -- Yasuhito FUTATSUKI
