Subversion auth using SSH external key-pair

Usually, when using Subversion’s SSH authentication facility, Subversion’s client will make use of your own SSH-generated key-pair and read it from the proper location, usually $HOME/.ssh. However, there could be situations when you’ll need to use a different key-pair. In such situations you can use a nice trick to have svn+ssh authentication work smoothly.

Let’s say you have an external key-pair whose public key is already configured on the Subversion server, and the private key is stored somewhere in your home directory. When issuing an svn checkout, you’ll find that you need something like SSH’s -i parameter to tell svn to use your external key-pair for authentication. Since there is no way to instruct Subversion’s client to do so, you’ll need to use a system environment variable.

Subversion makes your life easier by providing the $SVN_SSH environment variable. This variable allows you to put the ssh command and modifiers that fit your authentication needs. For our external key-pair use case, you can do something like:

export SVN_SSH="ssh -i </path/to/external-key>"

Now, the next time you use Subversion’s svn+ssh authentication facility, the client will read $SVN_SSH and start an SSH tunnel using the parameters you have defined. Once it has successfully authenticated, you can use Subversion commands such as checkout, commit, etc. in the same fashion you normally would.

svn co svn+ssh://rudy@somesvnserver.at.somwhere.org/repo/for/software
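A way to build the $SVN_SSH value with a few safety checks, as an added example that is not part of the original post. The function names are hypothetical; the example rejects a key file that is missing or accessible by group/other (ssh refuses such keys) and adds IdentitiesOnly=yes so that only the external key is offered to the server.

```shell
#!/bin/sh
# Added example (not from the original post): build an SVN_SSH value for an
# external private key, after checking the key file the way ssh itself will.
# Function names are hypothetical. Usage:
#   SVN_SSH=$(svn_ssh_for_key "$HOME/keys/external-key") && export SVN_SSH

# key_mode FILE -> prints the octal permission bits, e.g. 600
key_mode() {
    # GNU stat takes -c, BSD/macOS stat takes -f
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# svn_ssh_for_key FILE -> prints the command string for SVN_SSH, or fails
svn_ssh_for_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "no such key file: $key" >&2
        return 1
    fi
    # This example does no quoting, so it rejects paths containing whitespace
    case "$key" in
        *[[:space:]]*)
            echo "key path must not contain whitespace: $key" >&2
            return 1 ;;
    esac
    mode=$(key_mode "$key") || return 1
    # ssh ignores a private key that group or other can access
    case "$mode" in
        [0-7]00) ;;
        *)
            echo "permissions $mode on $key are too open (try chmod 600)" >&2
            return 1 ;;
    esac
    # IdentitiesOnly=yes: offer only this key, not every key held by ssh-agent
    printf 'ssh -i %s -o IdentitiesOnly=yes' "$key"
}
```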

Alternatives

Jeff Epler offered great advice with a more flexible approach using .ssh/config and key-pairs based on hostname.

Host svn.example.com
IdentityFile %d/.ssh/id_rsa-svn.example.com
Host svn2.coder.com
IdentityFile %d/.ssh/id_rsa-svn2.coder.com

  • Jeff Epler

    This means you potentially need to set a different environment variable each time you change your svn project.

    Instead, use ~/.ssh/config to set a different IdentityFile based on the host name, something like:

    Host svn.example.com
    IdentityFile %d/.ssh/id_rsa-svn.example.com

  • Right, that’s a good point. Your approach is a lot more flexible, I’ll try it.