Using subversion via a 2-hop ssh tunnel

Author: Duane Johnson

20 Jan

I have an account at the Computer Science department at BYU where I go to school. I recently started a subversion repository there so that I could work on some class projects within the safety net of version control. That worked well until I realized it would be nice to work on a certain project at home. To accomplish this, my first thought was “How do I access my subversion repository from home?” Alas, it appears there is no centralized location at BYU for this sort of thing. CVS, yes; SVN, no. Back to square one.

My next thought was, “Well, alright then, I’ll just host my repository somewhere else.” No go. Unfortunately, outgoing packets on non-standard ports are (apparently) being dropped. Using the svn client to get an external repository just hangs.

Plan C—using a 2-hop ssh tunnel to access my private repository—turned out to be the winner. It was, however, more difficult than I thought. Especially since I didn’t know what a 2-hop ssh tunnel is.

So here’s a run-down of the process if, in an oddly similar situation, you’d like to do it as well:

Create a 2-hop tunnel to your account. This was necessary in my situation since the BYU Computer Science lab has a gateway machine to the internal network.
ssh -f -N -l <ssh username> -L 51526:racquetball:22 -2 cs.byu.edu

Where racquetball is the hostname of the computer on the inside of the network (the “end” of the tunnel), and cs.byu.edu is the gateway machine. Replace <ssh username> with your own ssh username. The “51526″ is the port number on your local machine to which you will connect from now on. This is the “beginning” of the tunnel.
Add a tunnel config entry to your .subversion/config file. If you’ve ever used subversion on your own machine, then you will already have a .subversion/config file in your home directory. Find the “[tunnels]” section and add your own protocol. This is what mine looks like:
byussh = ssh -l <ssh username> -p 51526

Once again, replace <ssh username> with your own username.
Finally, use the svn client to access your repository. Note that the path is the full path on the destination machine (e.g. racquetball in my case).
```
svn ls svn+byussh://localhost/users/guest/d/<username>/subversion
```
Replace <username> with your account user name.

In the above scenario, I am telling svn to ssh to a local port (localhost:51526) as another user (me, on the other network). The local port listens for ssh connections and tunnels them directly to the racquetball end point. At that point, the “svnserve -t” command is executed and the subversion repository is accessed almost as if it were a local file:/// style protocol. Note that there is no other svnserve daemon required in this case—it’s created on demand.

Filed under: Software Engineering

5 Responses for "Using subversion via a 2-hop ssh tunnel"

Racquetball » Blog Archives » Using subversion via a 2-hop ssh tunnel January 27th, 2007 at 12:00 pm 1
[...] is the hostname of the computer on the inside of the network (the end of the tunnel), and cs.byu.edu is the gateway machine. Replace with your own ssh username. The 51526 is the port number on your … – More – [...]
Mark Davis May 3rd, 2007 at 10:19 am 2
Pardon my ignorance - I am a bit of a subversion newbie. Could you tell me if my situation is similar to the problem you are fixing. I set up and use an SVN server for storing all my code - the SVN is running on a windows server and all is fine.

However where I work has several private subnets where each subnet has one dual-homed server with network cards on both the private subnet and the public/intranet one (each private subnet is a manufacturing line).

Is it possible for me to set up some knd of proxy/other that could sit on the dual homed servers that clients on the private/manufacturing subnets could use to check code in and out of a common sSVN server (on the public network..?).

You seem like the kind of person who might be able to anser a question like this!
Duane Johnson May 4th, 2007 at 6:12 pm 3
Hi Mark,

Yes, this sounds like the right situation to use the tip I wrote about. The main thing to check is that you can somehow ssh to a machine (A) within the subnet where your windows machine (B) lives. If you can check code out on that machine (A) then this double-hop trick should work.
Henry August 30th, 2007 at 1:45 am 4
Hi Mark,

You saved the day! It works out-of-the-box for me.
One just needs to add the automatic ssh login and everything is perfect!
David Hilton March 3rd, 2008 at 11:29 pm 5
If you haven’t already seen it (it has been a year since your post), svn co svn+ssh://username@schizo.cs.byu.edu/complete/path/to/repo
works pretty well.

Your approach definitely has its advantages, though.
Sometimes we don’t get traffic directly through from our isp to cs.byu.edu, and this could be very useful for getting access (as long as you can route access through another server somewhere…)

See you in class.