====== Subversion ======

Subversion is definitely one of the best revision control systems out there.

===== Server Setup =====

You can run a Subversion server in several ways:

  - plain svnserve, optionally via (x)inetd
  - via Apache using WebDAV
  - tunneled via SSH

This Howto describes only the last method, as the first one is simply insecure and the second one too bloated.

==== Setup A Dedicated User ====

This setup uses a single user account for all Subversion users. So create one:

<code>
useradd -b /var/svn -c "dedicated SVN+SSH account" -n svn
</code>

The newly created user won't get his own home, but his basedir is ///var/svn//, which is the base directory of all Subversion repositories.

I don't trust users to set up their own authorized_keys files, so I configured OpenSSH to use a dedicated directory for all authorized_keys files which is only writable by root:

<code>
AuthorizedKeysFile /etc/ssh/authorized_keys_files/%u
</code>

The following instructions assume this setup.

Next, edit ///etc/ssh/authorized_keys_files/svn// and add lines of the following syntax:

<code>
command="/usr/local/bin/svnserve -t --tunnel-user=",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE KEY COMMENT
</code>

Replace **** with the name of the user owning the **KEY**. **TYPE**, **KEY** and **COMMENT** are the same as the fields found in regular authorized_keys files.

==== Create A Wrapper-Script for svnserve ====

The big problem when using ''svnserve'' via SSH is setting the umask correctly. Therefore create a wrapper at the path referenced in svn's authorized_keys file:

<code>
#!/bin/sh
# files created by svnserve must stay group-writable
umask 002
# load SVNSERVE_OPTS
. /etc/conf.d/svnserve
# SVNSERVE_OPTS is left unquoted so that it splits into separate arguments
/usr/bin/svnserve $SVNSERVE_OPTS "$@"
</code>

Sourcing ///etc/conf.d/svnserve// is just for getting the content of **SVNSERVE_OPTS**. On my system the file looks like:

<code>
SVNSERVE_OPTS="--root=/var/svn"
</code>

which saves users from having to give the full filesystem path to access the repositories.

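Because every user shares the ''svn'' account, a key line in ///etc/ssh/authorized_keys_files/svn// that lacks the forced command or the no-* options gives its owner more than repository access. The following audit script is an added example, not part of the original Howto; the function names and the sample lines are made up for illustration, and the wrapper path is the one used above.

```python
import re

WRAPPER = "/usr/local/bin/svnserve"   # wrapper path from this page
REQUIRED = ("no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", "no-pty")
CMD_RE = re.compile(re.escape(WRAPPER) + r" -t --tunnel-user=([A-Za-z0-9._-]+)$")

def split_options(line):
    """Parse the leading options field; return {} if the line starts with a key type."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return {}
    opts, buf, quoted, i = {}, "", False, 0
    while i <= len(line):
        c = line[i:i + 1]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 1          # escaped quote inside a value
        elif c == '"':
            quoted = not quoted
        elif not quoted and (c in ("", ",") or c.isspace()):
            name, _, value = buf.partition("=")
            opts[name.lower()], buf = value, ""   # option names are case-insensitive
            if c != ",":
                break                          # unquoted whitespace ends the field
        else:
            buf += c
        i += 1
    return opts

def audit(text):
    """Return (line_number, problem) pairs for key lines that are not locked down."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts = split_options(line.strip())
        if "command" not in opts:
            findings.append((n, "no forced command: key gets a shell as svn"))
        elif not CMD_RE.match(opts["command"]):
            findings.append((n, "command is not the wrapper with --tunnel-user=NAME"))
        # "restrict" (OpenSSH 7.2+) implies all of the no-* options
        missing = [r for r in REQUIRED if r.lower() not in opts and "restrict" not in opts]
        if missing:
            findings.append((n, "missing " + ",".join(missing)))
    return findings

# SAMPLE is constructed for this example; the key material is shortened
SAMPLE = """\
command="/usr/local/bin/svnserve -t --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3Nza alice@laptop
command="/usr/local/bin/svnserve -t --tunnel-user=bob",no-pty ssh-rsa AAAAB3Nza bob@desk
ssh-ed25519 AAAAC3Nzb carol@home
command="/usr/local/bin/svnserve -t --tunnel-user=",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3Nzc dave@pc"""
print(*audit(SAMPLE), sep="\n")
```

Line 4 of the sample is the template copied without a user name; it is reported because commits made with that key could not be attributed to anyone.
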
==== Fix Access Rights Of Your Repositories ====

All repositories have to be:

  * kept within ///var/svn//
  * owned by the group ''svn''
  * group-writable

===== Client Setup =====

So far there is nothing more to do than checking out the desired repository, specifying **svn** as username:

<code>
svn co svn+ssh://svn@/
</code>