Thursday, April 10, 2014

svn+ssh setup

Set up Subversion with SSH
1. Install Subversion.
2. Install Cygwin with the 'openssh', 'tcp_wrappers', 'zlib' and 'syslog-ng' packages.
3. Add the system environment variable CYGWIN = ntsec tty, and add cygwin/bin to PATH.
4. Log in to Cygwin as an administrator and run ssh-host-config: use privilege separation (this automatically creates the cyg_server user in Windows), answer yes to creating the local user, yes to installing sshd as a service, and give CYGWIN="ntsec tty" as the environment variable, matching step 3.
5. Edit /etc/hosts.allow and remove the 'allow: PARANOID: deny' line; otherwise tcp_wrappers denies every client whose hostname and address do not match (forward/reverse DNS mismatch), so perfectly legitimate clients without reverse DNS cannot log in.
6. Run syslog-ng-config and add the following to log sshd messages to a separate log file:
destination ssh {
        file("/var/log/sshd.log");
};
filter f_ssh {
        program("sshd");
};
log {
        source(s_local);
        filter(f_ssh);
        destination(ssh);
};
7. Start both services:
cygrunsrv -S sshd
cygrunsrv -S syslog-ng
7.5 Create a Windows user 'svnuser' that will run the Subversion tunnel over SSH. Every svn+ssh client logs in as this one account; the Subversion identity is assigned per key in step 14.
8. Copy the Windows user and group information into Cygwin (re-run these after adding a Windows account such as svnuser, otherwise sshd does not know the new user):
mkpasswd -cl > /etc/passwd
mkgroup --local > /etc/group
9. SSH login should now work; if not, check the log at /var/log/messages or /var/log/sshd.log.
10. Create an SSH key pair (a private key file and a public key file), using either
10.a ssh-keygen, or
10.b puttygen.exe
11. Append the public key to ~svnuser/.ssh/authorized_keys, one key per line. sshd silently ignores the file unless the home directory, .ssh and authorized_keys are owned by svnuser and not writable by group or others, so chmod 700 ~svnuser/.ssh and chmod 600 ~svnuser/.ssh/authorized_keys.
12. On the clients, point PuTTY at the private key. If the key was created with ssh-keygen (10.a), load it in puttygen and save it in PuTTY's own format as key.ppk. Then set the private key file under Connection > SSH > Auth, and set the auto-login username to 'svnuser', the account from step 7.5.
13. For safety, edit /etc/sshd_config to allow public-key login only, deny password login and deny empty passwords, then restart sshd (cygrunsrv -E sshd; cygrunsrv -S sshd):
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
14. Key part: to let several people share the one Windows account svnuser and still appear as different Subversion users, prefix each key in .ssh/authorized_keys with a forced command. Once the private/public key pair matches, sshd runs that command instead of a shell, and the command is svnserve in tunnel mode:
command="svnserve -t -r REPOS_ROOT --tunnel-user=NAME",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa <public key blob>
This must be a single line. The part after no-pty is the public key exactly as it appears in the public key file (key type followed by the base64 blob). NAME (a placeholder) can be anything; it is the author name that appears in Subversion commits. REPOS_ROOT (a placeholder) is the root path of the repositories; paths in svn+ssh URLs are resolved relative to it, so clients cannot reach repositories outside it. The no-* options stop the key holder from using the SSH connection for anything except svnserve: no shell, no port forwarding, no agent or X11 forwarding.
15. On the client machine, to use svn+ssh you need the private key: open PuTTY, create a session named 'somesession' (PuTTY stores sessions in the Windows registry), set the server's IP address, and add the path to the private key under Connection > SSH > Auth.
16. In TortoiseSVN, check out svn+ssh://svnuser@somesession/repos. TortoiseSVN uses PuTTY's plink for the connection, so the session name resolves to the saved host, private key and username; the /repos part is relative to REPOS_ROOT from step 14.
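As an added example (not from the original post), here is a small POSIX shell script, meant to be run in the Cygwin shell on the server, that builds the step-14 authorized_keys entry from a public key file and audits an existing authorized_keys for entries that would hand the key holder a shell instead of svnserve. The repository root, user names and key material in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: build and audit forced-command authorized_keys entries for
# the shared 'svnuser' account. Paths, user names and keys are constructed.

# make_svn_key_line REPOS_ROOT TUNNEL_USER PUBKEY_FILE
# Prints one authorized_keys line: sshd runs svnserve in tunnel mode (-t),
# rooted at REPOS_ROOT, with TUNNEL_USER recorded as the committer, and the
# no-* options close off everything else the key could do over SSH.
make_svn_key_line() {
    repos_root=$1
    tunnel_user=$2
    pubkey_file=$3

    # A quote or space in either value would break out of the command="..."
    # option, so refuse it rather than emit a malformed (or exploitable) line.
    case "$repos_root$tunnel_user" in
        *'"'*|*' '*) echo "refusing value containing quote or space" >&2; return 1 ;;
    esac

    # Public key files are "type base64-blob [comment]"; only type and blob
    # go into the entry, and the tunnel user name becomes the new comment.
    read -r key_type key_blob comment < "$pubkey_file" || return 1
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unsupported key type: $key_type" >&2; return 1 ;;
    esac

    printf 'command="svnserve -t -r %s --tunnel-user=%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s %s\n' \
        "$repos_root" "$tunnel_user" "$key_type" "$key_blob" "$tunnel_user"
}

# audit_authorized_keys FILE
# Prints every key line that is missing the svnserve forced command or one of
# the lockdown options, i.e. a key whose holder gets an interactive shell or
# a forwarding channel on the server. Returns 1 if any such line was found.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        for required in 'command="svnserve -t ' no-pty no-port-forwarding \
                        no-agent-forwarding no-X11-forwarding; do
            case "$line" in
                *"$required"*) ;;
                *) printf 'UNRESTRICTED (missing %s): %s\n' "$required" "$line"
                   bad=1
                   break ;;
            esac
        done
    done < "$1"
    return "$bad"
}
```

Typical use is make_svn_key_line /cygdrive/d/repos alice alice.pub >> ~svnuser/.ssh/authorized_keys for each new developer (paths assumed), followed by audit_authorized_keys ~svnuser/.ssh/authorized_keys; run the audit again whenever someone edits the file by hand, since a single key line without the forced command gives its holder a full shell as svnuser.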

Enjoy the pain and have fun.
