svnserve on RHEL - shawfdong/hyades GitHub Wiki

The goal is to set up svnserve for svn repository access using the svn network protocol on a server running RHEL or one of its clones (CentOS and Scientific Linux). We'll configure svnserve to use the Cyrus Simple Authentication and Security Layer (SASL) library for authentication and encryption when the svn client is built with the SASL library (e.g., the clients on most popular Linux distros), and to fall back on the built-in CRAM-MD5 mechanism for authentication (but no encryption) when the client is not built with the SASL library (e.g., the stock svn client on Mac OS X).

1. Check the capabilities of the server and clients

The server (server.example.com) is a Linux box running Scientific Linux 6.2 (a RHEL clone). The RPM package subversion provides both the svn client and svnserve. Let's check their capabilities:

[root@server ~]# svn --version
* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
[root@server ~]# svnserve --version
Cyrus SASL authentication is available.

Good! Both the svn client and svnserve on the Linux box are built with the Cyrus SASL library. However, the stock svn client on Mac OS X is not:

dong@bigmac:~$ /usr/bin/svn --version
* ra_svn : Module for accessing a repository using the svn network protocol.
  - handles 'svn' scheme

Thus, the stock svn client on Mac OS X only supports the built-in CRAM-MD5 authentication. It does not support encryption either, so passwords will be transmitted in plain text!

2. Create the svn group and user

[root@server ~]# groupadd -g 502 svn
[root@server ~]# useradd -c "SVN" -d /var/svn -g 502 -u 502 -s /sbin/nologin -M svn

3. Create a svn repository on the server

[root@server ~]# mkdir -p /var/svn
[root@server ~]# cd /var/svn
[root@server ~]# svnadmin create repos
[root@server ~]# chown -R svn:svn /var/svn/

4. Enable svnserve as an xinetd service

Create an xinetd configuration file (/etc/xinetd.d/svn) for svnserve (the service will run as user svn):

# description: svnserve allows access to Subversion repositories using
#              the svn network protocol.
service svn
{
	disable			= no
	port			= 3690
	socket_type		= stream
	protocol		= tcp
	wait			= no
	user			= svn
	server			= /usr/bin/svnserve
	server_args		= -i -r /var/svn/repos
}

5. Enable SASL for svnserve

Modify the svnserve configuration (/var/svn/repos/conf/svnserve.conf) to enable SASL:

[general]
anon-access = none
auth-access = write
### If SASL is enabled, this file will NOT be used.
password-db = passwd
# authz-db = authz
### The default realm is repository's uuid.
# realm = SVN_on_HPC

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256

Since the svn client on Mac OS X does not support encryption, we have to set min-encryption to 0; but the Linux svn client will use max-encryption of 256. SASL provides a myriad of authentication mechanisms. Here we choose the DIGEST-MD5 mechanism for clients with SASL support, and CRAM-MD5 as a fallback for clients without SASL support.

Make sure the RPM package cyrus-sasl-md5 has been installed on the Linux box:

[root@server ~]# rpm -q cyrus-sasl-md5
cyrus-sasl-md5-2.1.23-8.el6.x86_64

Create the file /etc/sasl2/svn.conf, with the following content:

### /etc/sasl2/svn.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/svn_sasldb
mech_list: DIGEST-MD5 CRAM-MD5

Populate the private password database /etc/svn_sasldb, using the program saslpasswd2 to add or modify usernames and passwords in the database:

[root@server ~]# saslpasswd2 -c -f /etc/svn_sasldb -u realm username

Here realm is the realm defined in /var/svn/repos/conf/svnserve.conf, which is by default the repository's uuid. We can get the uuid with:

[root@server ~]# cat /var/svn/repos/db/uuid

Don't forget to change the owner of the password database; otherwise the svnserve service won't be able to read it.

[root@server ~]# chown svn:svn /etc/svn_sasldb
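
The settings from this step can be checked mechanically. The script below is an added example, not part of the original wiki page: its function names are hypothetical helpers, the sample files are constructed copies of the configuration shown above, and it goes slightly beyond the page by also flagging min-encryption = 1 and the PLAIN/LOGIN mechanisms.

```shell
#!/bin/bash
# Added example (not from the wiki): audit svnserve.conf and the SASL service
# file from step 5. All function names are hypothetical helpers.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION], skipping comments
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*#/ { next }
        /^\[/      { insec = ($0 == sec); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# sasl_get FILE KEY: print the value of a "key: value" line
sasl_get() { sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1; }

# audit_svn_sasl SVNSERVE_CONF SASL_CONF: one WARN line per finding
audit_svn_sasl() {
    min=$(ini_get "$1" sasl min-encryption)
    [ "$(ini_get "$1" sasl use-sasl)" = "true" ] ||
        echo "WARN use-sasl is not true"
    [ "$(ini_get "$1" general anon-access)" = "none" ] ||
        echo "WARN anon-access is not none"
    case "${min:-0}" in   # an unset value is treated as 0 here
        0) echo "WARN min-encryption=0: unencrypted sessions are accepted" ;;
        1) echo "WARN min-encryption=1: integrity checksums only, no encryption" ;;
    esac
    for m in $(sasl_get "$2" mech_list); do
        case "$m" in
            CRAM-MD5)    echo "WARN CRAM-MD5 offered: non-SASL clients can log in" ;;
            PLAIN|LOGIN) echo "WARN $m offered: the password itself is sent to the server" ;;
        esac
    done
}

# Constructed sample: the configuration from this page, written to a temp dir
demo=$(mktemp -d)
printf '%s\n' '[general]' 'anon-access = none' 'auth-access = write' '[sasl]' \
    'use-sasl = true' 'min-encryption = 0' 'max-encryption = 256' > "$demo/svnserve.conf"
printf '%s\n' 'pwcheck_method: auxprop' 'mech_list: DIGEST-MD5 CRAM-MD5' > "$demo/svn.conf"
audit_svn_sasl "$demo/svnserve.conf" "$demo/svn.conf"
```

A constructed stricter variant (min-encryption = 128 with mech_list: DIGEST-MD5) produces no findings, at the cost of locking out the non-SASL Mac OS X client described above.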

6. Restart xinetd

[root@server ~]# service xinetd restart

We can test that svnserve is up and running, using the humble telnet:

username@server:~$ telnet localhost 3690
Trying ::1...
Connected to localhost.
Escape character is '^]'.
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops depth log-revprops partial-replay ) ) )

Further Reading

This article only covers serving an SVN repository using svnserve. Another popular option is to use the Apache web server (along with the mod_dav_svn module), for which a good guide is available on the CentOS Wiki.

To learn more about svn, I highly recommend the excellent free book Version Control with Subversion.
