I can't figure out how to create public / private keys for other users on my server. On my server, I type the following through the shell

(uiserver):john:> ssh-keygen -t dsa

After that, I enter the filenames and password, which successfully results in a private key and public key pair for "john". Now when I use this key to ssh into my subversion repository (sitting on john), all actions are logged as "john". That's perfect.

So next, I want to create a public/private key pair for "george" so he can access my server. I repeated the ssh-keygen from my server. Then I gave the private key to George. George successfully installed the key, but every time he performs an action in the svn repository, subversion logs his actions as "john" instead of "george". How do I get subversion to recognize the difference between "george" and "john"?

I looked in authorized_keys2 and I noticed that the final comment for both keys is "john@uiserver". I tried editing the comment, but subversion still can't recognize the difference between george and john.

Additional Detail

I have a half-working solution based on Juliano's answer. I went to "david" machine (linux), made the prv/pub keys, attached pub key to john's authorized_keys2. Perfect! SVN is logging david's changes as david.

I went to "george" machine (windows xp), used puttygen to create prv/pub keys, attached pub key to john's authorized_keys2. George can access svn, but all his changes are still logged as john. I am trying bojo's tunnel solution as soon as I figure out where to configure it in TortoiseSVN.

ANSWER

I used option 2 of bojo's answer. In the end, all I needed to do was add the following line to my authorized_keys2

command="svnserve -t --tunnel-user=george",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss <george's long public key> == meaningful comment

I also added the line

george=george's password

to /pathtorepository/conf/passwd, my subversion password file.

A: 

Is this related to this SO question, pointing to the blog entry "svn over ssh prompts for the wrong username"?

The solution there was to create a config file in george's .ssh directory and put the following in:

Host uiserver
User george
VonC
+3  A: 

Check the instructions on how to use the --tunnel-user command here at the svn manual. I imagine the reason George is showing up as John is because you aren't telling the ssh session which user it is, so it's defaulting to John's account.

To clarify, the original poster has two options.

  1. Create a new user account for George. This assumes he has super user access.
  2. Generate the second key (ideally George does this), append to the John account's .ssh/authorized_keys file, and add the above linked commands to the .ssh/authorized_users file as described. The link also describes how to limit the additional user's access to the John account.
bojo
thanks bojo, I did option 2 and everything works. I did as you and juliano recommended, which is to generate the prv and pub keys on george's machine.
John
Good clarification (better than my answer ;) ). +1
VonC
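Added example, not part of the original posts: a shell sketch of bojo's option 2 as applied in the question's ANSWER section. `svn_key_entry` builds the per-user `authorized_keys` line and `audit_keys` lists which keys on the shared account are pinned to a `--tunnel-user`; both function names, the `no-pty` option and the sample key strings are assumptions or constructed values.

```shell
#!/bin/sh
# Added example; the key strings are constructed placeholders, not real keys.
# Options from the line in the question; no-pty is an added assumption.
RESTRICT='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# svn_key_entry USER 'PUBLIC KEY LINE' (hypothetical helper): print an
# authorized_keys entry that pins the key to svnserve with a fixed author name.
svn_key_entry() {
    user=$1
    pubkey=$2
    # Reject names that could break out of the quoted command="..." option.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "bad user name" >&2; return 1 ;;
    esac
    # The line must start with a key type, so no caller-supplied options precede it.
    case $pubkey in
        ssh-*\ *|ecdsa-*\ *|sk-*\ *) ;;
        *) echo "not a bare public key line" >&2; return 1 ;;
    esac
    printf 'command="svnserve -t --tunnel-user=%s",%s %s\n' "$user" "$RESTRICT" "$pubkey"
}

# audit_keys FILE (hypothetical helper): print the pinned author name for each
# key, or UNPINNED when the line does not start with the forced command above.
# An unpinned key gets a normal login as the account owner, so its commits are
# logged under the owner's name. Returns non-zero if any key is unpinned.
audit_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        match($0, /^command="svnserve -t --tunnel-user=[A-Za-z0-9._-]+"/) {
            s = substr($0, 1, RLENGTH)
            sub(/.*--tunnel-user=/, "", s); sub(/"$/, "", s)
            print s; next
        }
        { print "UNPINNED"; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed demo: john's own key is unpinned, george's is pinned.
demo=$(mktemp)
{
    echo 'ssh-dss AAAAB3CONSTRUCTEDJOHN== john@uiserver'
    svn_key_entry george 'ssh-dss AAAAB3CONSTRUCTEDGEORGE== george@winxp'
} > "$demo"
audit_keys "$demo" || echo "unpinned keys present" >&2
rm -f "$demo"
```

The audit is deliberately strict: only the exact form that `svn_key_entry` emits counts as pinned, so an entry with the options in another order is reported as UNPINNED for manual review.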
+4  A: 

Then I gave the private key to George.

Private keys are called private for a reason. They are never intended to be transferred this way. George should create his own key pair, in his own user environment. But this is not related to the problem you are experiencing. Keys are just prime factors of a really big number (oversimplified for easy understanding). User identity is not part of the key, but a "label" that is attached to the key, that SSH doesn't make a lot of use of.

From your description, you are asking George to log in to John's account through SSH. What determines the user that is logged in SVN actions is not related to the key pair used for authentication in any way, but to the user that is really being logged in to.

So, George must have his own account login to the SVN server, the repository must be shared by both accounts, and George must use his own credentials to login to the server.

John's URL: svn+ssh://john@svn-server/path/to/repo

George's URL: svn+ssh://george@svn-server/path/to/repo

Juliano
The key should definitely be created by George. However, in this case he then gives his public key to John, who appends the key to his .ssh/authorized_keys file, and then follows the directions in the answer I linked. Separate accounts are not required.
bojo
If you use a dedicated user account for the repository, yes. But according to the description, it is a private account, named "john". So that solution effectively makes George log into John's private account. Not nice.
Juliano
Right, the description does say it's a private account named "john", thus my reasoning since it reads like he wants to use a single account. He could easily restrict George's shell to only use svnserve, and not actually gain shell access to the john account.
bojo
thanks bojo and juliano... I got this half working. I added more details to the description of this question. Still not sure what is meant by private account? Thanks for being patient, I'm still learning this stuff.
John