Howto: SVN+SSH with multiple users and password less logins (Part 3)

Posted by Luca on January 18th

Welcome back! Sorry about the delay, but things have been hectic with this revision lark I am supposed to be doing. This is the third part of my SVN+SSH with multiple users and password less logins tutorial. In the first part we looked at how to setup the command line SVN client to allow multiple users to access a Subversion repository via SVN+SSH. In the second part we looked at setting up password less logins with an SSH agent and public-private key authentication. This final tutorial will look at setting up a graphical SVN client to use all of this.

What you need
On Windows I suggest you use Tortoise SVN (made by the same people who make Subversion) and on OS X I suggest you use svnX. Tortoise SVN integrates very nicely into Windows Explorer and provides you with near enough all of the functions of the command line SVN client. Unfortunately svnX doesn’t integrate the same way into Finder, and has a few bugs in places. I will go into these a bit later when I cover OS X.

Windows
TortoiseSVN is nice and easy to install, just download the installer from the website and then run it. Simple as that! Before we start, if you have not already, open up Pageant and load up your private keys. If you can’t remember how have a look at the last tutorial.

Now to check out a working copy from the repository. First create a directory somewhere to store the working copy with Windows Explorer. If you right click on this folder you will see a couple of new items on the menu, these are for Tortoise SVN. From the list select SVN Checkout.

In the URL for repository, enter the URL you used in the first tutorial and click the OK button.


svn+ssh://[your-username]@[your-domain]/[path-to-repo]/

You will now get a new window popup, and depending on the speed of your connection it may take a while before anything happens. When it starts all of the files in the repository will be listed and checked-out. When it has finished it will say it has completed.

If you now open this folder you will see all the files you have checked out. The file and folder icons will have another icon on top which shows the status of the file. If it is a green tick it means that is the latest version, if there is a red exclamation mark it means changes have been made to that file that have not been committed. If you want to revert these changes right click on the file and from the Tortoise SVN menu select Revert.

If you want to add a new file or folder to the working copy right click on it and from the Tortoise SVN menu select Add. Once you have made the changes you want to commit them right click on the top folder and from the menu select SVN Commit. The top box allows you to enter a commit message and the bottom box allows you to select which files to commit.

More information about how to use Tortoise SVN can be found in the online manual.

OS X
svnX, as with any other OS X application, is easy to install. Just drag it to Applications or wherever you want it. svnX has a rather easy to get confused layout, so if you can’t see the window you are looking for have a look in the Window menu item. Also if you haven’t already open SSHKeychain and add your private keys. If you can’t remember how have a look at the last tutorial.

First open up the Repositories window where we need to add your repository. The name can be anything you want, then in the path enter the URL you used in the first tutorial. Next double click on the new entry in the list and hopefully your repository should be listed!


svn+ssh://[your-username]@[your-domain]/[path-to-repo]/

To checkout a working copy click the svn checkout button at the top and then select a folder to check it out to. Once you have done this the Working Copies window should appear and list your working copy. If you look at the activity bar at the bottom of the window for your repository you can see when it has finished checking out (it will disappear). If you now double click on the entry for your working copy you can close the rest of the windows.

This window will list any changes (if any) made to the repository. A question mark means that file or folder has been added, an exclamation mark means it is missing. In this case either click the add or remove button to make changes, and then the question mark changes to an A and the exclamation mark changes to a D. If a file has been modified it will have an M next to it.

Now to commit the changes you need to select all the files you want to commit - I know it sounds silly but I keep forgetting to select all the files and it is really annoying - and then click the commit button. A box will popup asking for your commit message and then click Commit to save it. If you want to revert any changes select the file to revert and click the Revert button!

Now hopefully you should be up and running with a good version control system! If you have any problems or any other questions don’t hesitate to leave a comment below! The same applies if I forget anything or made a big mistake!

Howto: SVN+SSH with multiple users and password less logins (Part 2)

Posted by Luca on January 5th

Right, I have been busy over the last few days creating our MVC engine and have finally finished (more about it in another post I expect). Anyway, this is the second bit of my little SVN+SSH with multiple users and password less logins tutorial. In the last tutorial we covered the main bits, and in this one we are going to cover setting up password less logins.

So how do we do password-less logins? Surely that would be insecure? Well, thank goodness it isn’t. Basically we generate two keys, a private key and a public key. The public key you can allow everybody to know, but the private key you keep secret. You then use the private key to create a signature, which is verified by the server with the public key. If it is correct you are allowed in.

Setting up your keys
In this and the next tutorial I am going to give instructions on how to set this up for Windows and OS X, so let's start off with Windows as that requires the most effort.

Head over to the PuTTY download page and grab PuTTY, PuTTYgen and Pageant. For this first bit you will only need PuTTYgen, so launch that when it has downloaded.

When you have launched PuTTYgen select the SSH-2 DSA option at the bottom and then click the Generate button. It will ask you to move your mouse to generate some random events, and show you a progress bar.

Once it has finished it will show you the public key in the big box at the top. You will need this for later so either leave Pageant open or copy and paste it into Notepad. You need to keep it as one line so don’t press enter.

In the key passphrase and confirm passphrase bit you need to enter your passphrase. Once you have done that click the save private key button to save a copy of your private key.

OS X is easy, and you don’t have to even download anything. Open up Terminal and run the following command:


$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/luca/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/luca/.ssh/id_dsa.
Your public key has been saved in /Users/luca/.ssh/id_dsa.pub.
The key fingerprint is:
[A long hex string] luca@mboz

This will create the key for you automatically, and then ask you where to save it. Just press enter and it will save it in the file in brackets. When it asks you for a passphrase enter it, it needs to be at least 5 characters long.

Ok, so let's go over what we have just done. We have generated a public and private key pair from random events, and entered a passphrase. This passphrase is used to encrypt the private key so that nobody can use it without the passphrase. If you forget your passphrase you will have to regenerate your keys as it cannot be recovered.

Now, hopefully somebody will have found a flaw in this. The passphrase is used to encrypt the private key, so in order to decrypt it the passphrase will be needed. Right - but more on that later.

Setting up the server
This is another easy bit, but as before is more complicated if you are on Windows. PuTTY is an SSH client for Windows, so open it up and in the hostname field enter the address of your server. Click on the Open button and then enter your username and password when it asks.

Now you need to put the public key (the bit in the big box) into a file called ~/.ssh/authorized_keys. The easiest way to do this is to type echo " and then paste your key in by right clicking and then typing " > ~/.ssh/authorized_keys and pressing enter. If you don’t get any errors everything hopefully went alright.

Now onto the bit that had me stuck for hours, you need to change the access settings on this file so that it is readable to everything, so enter chmod 755 ~/.ssh/authorized_keys and press enter.

OS X is easy as usual, but we will do it a slightly different way to Windows. We are going to use SCP to copy the public key to the server and then copy this into the authorized keys file. To copy the public key type:


$ scp ~/.ssh/id_dsa.pub [your-username]@[your-server]:.ssh/id_dsa.pub
Password:
id_dsa.pub                               100% 1111     1.1KB/s   00:00

If the .ssh directory does not exist you will have to SSH in first and create it. Next we need to copy it into the authorized_keys file and set the file permissions.


$ cat ~/.ssh/id_dsa.pub > ~/.ssh/authorized_keys
$ chmod 755 ~/.ssh/authorized_keys
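
A more careful version of the key installation step, as an added example that is not part of the original post: it appends rather than overwrites, and uses tighter modes (700 on .ssh, 600 on authorized_keys) than the 755 above, because sshd's StrictModes check rejects these paths when they are writable by group or others. The function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). install_pubkey and
# check_ssh_modes are illustrative names; the key below is constructed.

# Append each key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys unless that
# exact line is already there, so existing keys are never overwritten.
install_pubkey() {   # install_pubkey PUBKEY_FILE [HOME_DIR]
    pubkey_file=$1
    home_dir=${2:-$HOME}
    auth=$home_dir/.ssh/authorized_keys

    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    while IFS= read -r key || [ -n "$key" ]; do
        [ -n "$key" ] || continue                      # skip blank lines
        grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    done < "$pubkey_file"
}

# Succeed only if neither .ssh nor authorized_keys is group- or world-writable.
check_ssh_modes() {   # check_ssh_modes [HOME_DIR]
    home_dir=${1:-$HOME}
    loose=$(find "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys" -prune \
        \( -perm -020 -o -perm -002 \) -print)
    [ -z "$loose" ]
}

# Demonstration in a throwaway directory standing in for the server-side home.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-dss AAAACONSTRUCTEDKEYDATA demo@example' > "$demo_home/id_dsa.pub"
install_pubkey "$demo_home/id_dsa.pub" "$demo_home"
install_pubkey "$demo_home/id_dsa.pub" "$demo_home"    # second run adds nothing
echo "keys installed: $(grep -c . "$demo_home/.ssh/authorized_keys")"
check_ssh_modes "$demo_home" && echo "modes ok"
rm -rf "$demo_home"
```

On the server, `install_pubkey ~/.ssh/id_dsa.pub` followed by `check_ssh_modes` does the same job for the real account.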

Setting up your SSH client
Now we have setup our server to know what our public keys are so now we need to set up our SSH client to send the private key.

When you have launched PuTTY go to Connection -> SSH -> Auth on the left hand side. Under the private key bit click Browse and find the location where you saved your private key. If you open the connection again it will ask you for the passphrase:


login as: luca
Authenticating with public key "dsa-key-20070105"
Passphrase for key "dsa-key-20070105":

Once you have done that you should have a prompt!

OS X is super easy compared to that, assuming you save it in the default location of ~/.ssh/id_dsa if you SSH in again it should ask you for the passphrase straight away, so enter it and make sure it works!

Ok, so now we can connect with our keys, but we still need to enter something, the passphrase, so how do we solve that? Onto the next section…

The Agent
Sorry, but I am not talking about a bloke from the FBI. In order to use your keys without you having to enter a passphrase you need to use an agent program.

Under Windows we will use Pageant. To run it just drag your private key onto the Pageant icon and a window will popup asking you for the private key. Enter it and click ok. Now as long as Pageant is running you won’t need to enter your private key! Unfortunately (depending on how you look at it) Pageant does not store your passphrase on disk, it just decrypts your private key and keeps it in memory. This means each time you run it you have to enter your passphrase.

Another unfortunate thing is that it doesn’t even keep track of which keys it has, so you have to load them in again each time it starts. Luckily it takes command line options so you can create a .bat file which will load your key:


pageant.exe myprivatekey.ppk

If you launch that it will then ask for your passphrase and go back to working. If you run PuTTY again and connect to your server you will see it doesn’t ask for your passphrase!

OS X is a bit more difficult (** shock **) but it keeps track of your passphrase even if you reboot. To keep things secure it stores your passphrase into the Apple Keychain. Anyway, go over to the SSH Keychain website and download whatever the latest version is.

Once you have installed it and run it you should get a little icon in the menu up the top next to where the wireless icon is (does this place have a proper name?). If you click on this and then select Agent -> Add Keys an open file dialogue will appear. Select your id_dsa file, and then it will open a box asking you for your passphrase. Enter it, and then select the option to save it in your keychain and then click OK. Now a couple more things, select the Preferences option for SSH Keychain and go to Environment and enable the option there.

If you now open up the terminal you should be able to SSH into your server without needing a key!

Now hopefully you should have password-less SSH logins. If you haven’t, go back through everything or leave a comment and I will see if I can help. The next tutorial will be about setting up our SVN GUI programs.

Howto: SVN+SSH with multiple users and password less logins (Part 1)

Posted by Luca on January 2nd

Here at the Juvely blog we are not just going to document what we have done, we are also going to share our experiences and explain how to do things to other people. I am going to start this off by showing you how I set up our Subversion repository to allow SVN+SSH access for multiple users and password less logins.

Here is what I am going to cover:

  • Setting up the repository
  • How to setup multiuser access
  • How to configure the command line SVN client
  • And in the next two articles, how to setup graphical clients under OS X and Windows and password-less logins

The process may sound daunting but it is rather simple once you know how. I have spent hours searching the web to find out why it wasn’t working and haven’t found a tutorial which easily covers all of this, so here goes.

Setting up the repository
In order to allow multiple access to the repository you will need an SSH account for each user. So that they all have access to the repository they will need to be in the same group and permissions on the repository will need to allow read/write access to group members.


$ svnadmin create --fs-type fsfs [your-repo]
$ chown -R :[your-group] [your-repo]
$ chmod -R 775 [your-repo]

This will first create an SVN repository for you, named [your-repo]. Then set all the files in this so they are owned by [your-group], and then finally change the permissions so that the owner and group members have read, write and execute permissions on the repository. Other users will have read and execute permissions.

Setting up users
In order to allow multiple users to access the repository, each user will require an SSH account. You will need to set the file creation mask for each of these users so that all the new files they create will have the same permissions. The easiest way to do this is to get them to SSH into the server and put umask 002 into their ~/.bash_profile (or equivalent for whatever shell you are using).


$ echo "umask 002" >> ~/.bash_profile
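
What the umask changes, and a check for when it is missing, as an added example that is not part of the original post: a file created under the usual default umask of 022 ends up without group write, which is what stops other group members from committing. The function names are illustrative and the directory is a constructed stand-in for [your-repo].

```shell
#!/bin/sh
# Added example (not from the original post); names and paths are constructed.

# List everything under a repository that group members cannot write to.
not_group_writable() {   # not_group_writable REPO_DIR
    find "$1" ! -perm -020 -print
}

# Create an empty file the way a user with the given umask would.
create_as() {   # create_as UMASK PATH
    ( umask "$1"; : > "$2" )
}

# Permission string of a path, e.g. -rw-rw-r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration: a throwaway directory with the 775 mode used for the repo.
repo=$(mktemp -d)
chmod 775 "$repo"
create_as 022 "$repo/rev-from-default-umask"    # user without umask 002
create_as 002 "$repo/rev-from-umask-002"        # user with umask 002
echo "$(mode_of "$repo/rev-from-default-umask")  rev-from-default-umask"
echo "$(mode_of "$repo/rev-from-umask-002")  rev-from-umask-002"
echo "not writable by the group:"
not_group_writable "$repo"
rm -rf "$repo"
```

Running `not_group_writable [your-repo]` on the server after each user's first commit confirms their umask setting took effect for svn+ssh sessions.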

Setting up command line SVN access
Now, if everything is working correctly you should be able to use the command line SVN client to connect to the repository. Let's start off by importing some stuff:


$ svn import trunk svn+ssh://[your-username]@[your-domain]/[path-to-repo]/ -m "Initial import"
Password:
Password:
Password:
Adding         trunk/file

Committed revision 1.

This command will import a folder, and contents, called trunk with the message Initial import!

The username and domain should be easy as it is the same settings as are used for SSH. The path to the repository is the full path including the name of the repository you created way-back in the first command.

You will probably be prompted for your password several times, and then you will see a list of files that are being added. If you want to check that everything went ok you can get SVN to list the contents of the repository:


$ svn ls svn+ssh://[your-username]@[your-domain]/[path-to-repo]/
file

If you get a message saying that no repository was found make sure that you have the correct full path to the repository.

Well, that about sums it up for this tutorial! In the next tutorial I will describe howto setup public-private key authentication and then use an agent program to keep hold of this key so you don’t have to keep entering your passphrase.

If you have seen any major flaws or have any questions feel free to leave a comment!