## Svnserve Based Server

### Introduction

In most cases svnserve is easier to set up and runs faster than the Apache based server. And now that SASL support is included it is easy to secure as well.

### Installing svnserve

1. Get the latest version of Subversion from http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=91. Alternatively get a pre-packaged installer from CollabNet at http://www.collab.net/downloads/subversion. This installer will set up svnserve as a Windows service, and also includes some of the tools you need if you are going to use SASL for security.

2. If you already have a version of Subversion installed, and svnserve is running, you will need to stop it before continuing.

3. Run the Subversion installer. If you run the installer on your server (recommended) you can skip step 4.

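4. Open the Windows Explorer, go to the bin directory of the Subversion installation directory (usually C:\Program Files\Subversion) and find the files svnserve.exe, intl3_svn.dll, libapr.dll, libapriconv.dll, libapriutil.dll, libdb*.dll, libeay32.dll and ssleay32.dll. Copy these files, or all of the files in the bin directory, into a directory on your server, e.g. c:\svnserve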

### Running svnserve

svnserve.exe --daemon


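svnserve will now wait for incoming requests on port 3690. The --daemon switch tells svnserve to run as a daemon process, so it will not exit until it is manually terminated.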

svn://localhost/repos/TestRepo


svnserve.exe --daemon --root drive:\path\to\repository\root


svnserve.exe --daemon --root c:\repos


svn://localhost/TestRepo


Svnserve can serve any number of repositories. Just place them below the root folder you just defined, and access them using a URL relative to that root.

### Warning

#### Run svnserve as a Service

To install svnserve as a native Windows service, execute the following command all on one line to create a service which is automatically started when Windows starts.

sc create svnserve binpath= "c:\svnserve\svnserve.exe --service
--root c:\repos" displayname= "Subversion" depend= tcpip
start= auto


If any of the paths include spaces, you have to use (escaped) quotes around the path, like this:

sc create svnserve binpath= "
\"C:\Program Files\Subversion\bin\svnserve.exe\"
--service --root c:\repos" displayname= "Subversion"
depend= tcpip start= auto


You can also add a description after creating the service. This will show up in the Windows Services Manager.

sc description svnserve "Subversion server (svnserve)"


### Tip

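Microsoft now recommends that services run under either the Local Service or the Network Service account. Refer to The Services and Service Accounts Security Planning Guide. To create the service under the Local Service account, append the following to the example above.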

obj= "NT AUTHORITY\LocalService"


svnservice -remove


### Basic Authentication with svnserve

The default svnserve setup provides anonymous read-only access. This means that you can use an svn:// URL to check out and update, or use the repo-browser in TortoiseSVN to view the repository, but you won't be able to commit any changes.

[general]
anon-access = write


[general]
anon-access = none
auth-access = write



### Better Security with SASL

#### What is SASL?

The Cyrus Simple Authentication and Security Layer is open source software written by Carnegie Mellon University. It adds generic authentication and encryption capabilities to any network protocol, and as of Subversion 1.5 and later, both the svnserve server and TortoiseSVN client know how to make use of this library.

For a more complete discussion of the options available, you should look at the Subversion book in the section Using svnserve with SASL. If you are just looking for a simple way to set up secure authentication and encryption on a Windows server, so that your repository can be accessed safely over the big bad Internet, read on.

#### SASL Authentication

To activate specific SASL mechanisms on the server, you'll need to do three things. First, create a [sasl] section in your repository's svnserve.conf file, with this key-value pair:

use-sasl = true


Second, create a file called svn.conf in a convenient location - typically in the directory where Subversion is installed.

Thirdly, create two new registry entries to tell SASL where to find things. Create a registry key named [HKEY_LOCAL_MACHINE\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library] and place two new string values inside it: SearchPath set to the directory path containing the sasl*.dll plug-ins (normally in the Subversion install directory), and ConfFile set to the directory containing the svn.conf file. If you used the CollabNet installer, these registry keys will already have been created for you.

Edit the svn.conf file to contain the following:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5
sasldb_path: C:\TortoiseSVN\sasldb


The last line shows the location of the authentication database, which is a file called sasldb. This could go anywhere, but a convenient choice is the repository parent path. Make sure that the svnserve service has read access to this file.

If svnserve was already running, you will need to restart it to ensure it reads the updated configuration.

Now that everything is set up, all you need to do is create some users and passwords. To do this you need the saslpasswd2 program. If you used the CollabNet installer, that program will be in the install directory. Use a command something like this:

saslpasswd2 -c -f C:\TortoiseSVN\sasldb -u realm username


The -f switch gives the database location, realm must be the same as the value you defined in your repository's svnserve.conf file, and username is exactly what you expect it to be. Note that the realm is not allowed to contain space characters.

You can list the usernames stored in the database using the sasldblistusers2 program.

#### SASL Encryption

To enable or disable different levels of encryption, you can set two values in your repository's svnserve.conf file:

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256


The min-encryption and max-encryption variables control the level of encryption demanded by the server. To disable encryption completely, set both values to 0. To enable simple checksumming of data (i.e., prevent tampering and guarantee data integrity without encryption), set both values to 1. If you wish to allow (but not require) encryption, set the minimum value to 0, and the maximum value to some bit-length. To require encryption unconditionally, set both values to numbers greater than 1. In our previous example, we require clients to do at least 128-bit encryption, but no more than 256-bit encryption.
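An added example, not part of the original manual: a small Python check that reads a repository's svnserve.conf and reports the settings discussed on this page (anonymous write access from the basic authentication section, a realm containing spaces from the SASL authentication section, and min-encryption/max-encryption values that do not require encryption). The sample files and function names are constructed for illustration, and the fallback values used for unset encryption keys are assumptions.

```python
import configparser

# Constructed samples of conf/svnserve.conf (not from the page).
WEAK = """[general]
anon-access = write
realm = Team Repo
[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
"""
HARDENED = """[general]
anon-access = none
auth-access = write
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""

def encryption_level(lo, hi):
    """Classify min-encryption/max-encryption as the text describes them."""
    if lo > hi:
        return "invalid"
    if lo > 1:
        return "required"
    if lo == 1:
        return "integrity-only" if hi == 1 else "integrity-minimum"
    return "optional" if hi > 0 else "disabled"

def audit(conf_text):
    """Return the findings for one svnserve.conf, empty if none."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    findings = []
    if cp.get("general", "anon-access", fallback="read") == "write":
        findings.append("anon-access = write: commits cannot be tied to a user")
    if not cp.getboolean("sasl", "use-sasl", fallback=False):
        return findings + ["use-sasl is not enabled"]
    if " " in cp.get("general", "realm", fallback=""):
        findings.append("realm contains a space, which is not allowed")
    lo = cp.getint("sasl", "min-encryption", fallback=0)    # assumed default
    hi = cp.getint("sasl", "max-encryption", fallback=256)  # assumed default
    if (level := encryption_level(lo, hi)) != "required":
        findings.append(f"encryption is {level} (min={lo}, max={hi})")
    return findings

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```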

### Authentication with svn+ssh

Another way to authenticate users with an svnserve based server is to use a secure shell (SSH) to tunnel requests through. It is not as simple to set up as SASL, but it may be useful in some cases.

A basic method for setting up your server is given in Appendix G, Securing Svnserve using SSH. You can find other SSH topics within the FAQ by searching for “SSH”.

### Path-based Authorization with svnserve

[general]
authz-db = authz