Automatic authentication with Subversion

Question

I have an SVN server I connect to with ssh+svn. When checking out a particular directory containing a lot of svn:external repositories, I have to enter my password numerous times.

1. How do I set up my Subversion client to automatically authenticate?
2. Where is the documentation for this?

Answer 1

I don't know about the built-in mechanism of SVN to do automatic SSH authentication. But you can use the Public Key authentication mechanism from SSH :

Here is a short tutorial on how to do that : http://www.petefreitag.com/item/532.cfm You can easily find more information on the internet about this.

Since it can be useful, here's a more detailed guide, with information about Agent Forwarding : http://unixwiz.net/techtips/ssh-agent-forwarding.html

Some basics about Public Key authentication

There's different way for the remote SSH server to authenticate you when you try to login. The classic password is one of them. But it is also possible to use a mechanism based on asynchronous keys.

You create a key pair on your local machine : a private one and a public one. You must then distribute the public key to all remote SSH server where you want to log. It is really important that the private key is never distributed.

When you try to login, the remote server send a challenge which is encrypted with the private key. If you're familiar with asynchronous cryptography, you know that only the public key can now decipher said encrypted challenge. So, when the server receives the response, it can decipher it and if the answer and the challenge are identical, you are authenticated.

No more password needed for you SVN operations or any other SSH connection to this remote machine.

SSH-agent

One more information about ssh-agents.

When you create your key pair, ssh-keygen will ask for a password to further encrypt the private key to improve its security. You can leave this password blank, this way you won't have to enter a password when using the key.

However, if you choose a password, each time you want to use the key, you must enter the password, which will be the same as using password authentication with SSH. But there's a neat solution : the ssh-agent.

An agent is a little daemon which will store your keys in memory. When you add the key to the agent with ssh-add, it will first ask you for your password and then, each time the SSH client will need the key, it will ask the agent, so no more password.

In my second link, you'll find information about agent forwarding, which is also a good reason to use an ssh-agent.

I hope I'm clear, otherwise ask any questions you want.

Answer 2

SVN supports storing authentication - which is useful for avoiding having to authenticate for each svn:external. See the config and README.txt file located at ~/.subversion.

The first part of the config file should be the authentication section:

### Section for authentication and authorization customizations.
[auth]
### Set store-passwords to 'no' to avoid storing passwords in the
### auth/ area of your config directory.  It defaults to 'yes'.
### Note that this option only prevents saving of *new* passwords;
### it doesn't invalidate existing passwords.  (To do that, remove
### the cache files by hand as described in the Subversion book.)
store-passwords = yes
### Set store-auth-creds to 'no' to avoid storing any subversion
### credentials in the auth/ area of your config directory.
### It defaults to 'yes'.  Note that this option only prevents
### saving of *new* credentials;  it doesn't invalidate existing
### caches.  (To do that, remove the cache files by hand.)
# store-auth-creds = no

It looks like the keys are stored in ~/.subversion/auth (on Unix at least).

In my test I was asked to authenticate the first time checking out from an svn:external as part of a checkout of the trunk. Subsequent svn updates of the trunk did not issue a authentication challenge for update of the external.

I second the use of ssh keys for getting to your repo though. This info is just specific to SVN authentication.