Page MenuHomePhabricator
Create Task
Maniphest T11781

Hosted SVN repo doesn't work with SSH on nondefaut port
Open, Needs TriagePublic
Actions

Description

There are some problems with diffusion hosted svn repo used with SSH server running on nondefault port (2222):

  1. Checkout command suggested by diffusion web doesn't work because svn command doesn't support port specification in repo URL:
$ svn checkout svn+ssh://vcs@p.local:2222/diffusion/25/ media-samples
svn: E170013: Unable to connect to a repository at URL 'svn+ssh://vcs@p.local:2222/diffusion/25'
svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file.
svn: E210002: Network connection closed unexpectedly
  1. Standard svn method to specify port - svn tunnel and ssh alias - doesn't work either:
$ svn checkout svn+tunnel://vcs@p.local/diffusion/25/ media-samples
phabricator-ssh-exec: Protocol for URI "svn+tunnel://vcs@p.local/diffusion/25" MUST be "svn+ssh".

$ svn checkout svn+ssh://vcs@p_svn/diffusion/25/ media-samples
phabricator-ssh-exec: Protocol for URI "svn+ssh://vcs@p_svn/diffusion/25" MUST be "svn+ssh".

It seems that protocol restriction can be relaxed to startsWith('svn+') without any security implications.

phabricator 27006fedccc2f487dcaf7177f6d127ccd0e6df7d (Sat, Sep 24)
arcanist e7906e47cba2006fa46553d462abf1f685845f20 (Sat, Sep 24)
phutil 518dacd785fb19d67643e4a113e99b8825a87f99 (Sat, Sep 24)
libphalias Unknown
svn, version 1.9.3 (r1718519)

Related Objects

Event Timeline

alex3d created this task.Oct 21 2016, 7:56 PM
avivey added a subscriber: avivey.Oct 28 2016, 4:14 PM

Protocol for URI "svn+ssh://..." MUST be "svn+ssh".

what

epriestley moved this task from Backlog to Subversion on the Diffusion board.Feb 2 2017, 4:11 PM
pkrishnan added a subscriber: pkrishnan.Mar 29 2017, 11:54 PM
pkrishnan added a comment.Mar 31 2017, 4:45 PM

Stumbled on this issue while trying to set up my first ever SVN repo through Phabricator. However got it working with the alternate solutions found in Phabrictor documentation itself and online forums(these may be obvious to regular SVN users already).

Option 1: < attempted above , use tunnels >.

Edit ~/.subversion/config :
  Under "Section for configuring tunnel agents", add below two lines:
      [tunnels]
      ssh = ssh -p 2222
  Then, "svn checkout svn+ssh://vcs@<host>/diffusion/N/ XYZ" works.
OR
  just use:  svn checkout svn+ssh://vcs@<host>/diffusion/N/ XYZ --config-option="config:tunnels:ssh=ssh -p 2222"
 
For git, this custom ssh port in URI does not pose an issue. ssh://vcs@<host>:<port>/diffusion/X/XYZ.git works.

Option 2:

Use the environment variable SVN_SSH: (~/.bashrc or ~/.cshrc):
    export SVN_SSH="ssh -p 2222"
    source ~/.bashrc
Then, "svn checkout svn+ssh://vcs@<host>/diffusion/N/ XYZ" works.

Option 3:

Edit ~/.ssh/config
      host phab-vcs-use-only
        hostname <phabricator hostname or IP>
        port 2222
      host phab-general-use
        hostname <phabricator hostname or IP>
Then, "svn checkout svn+ssh://vcs@<host>/diffusion/N/ XYZ" works.

Now, w.ref.to the documentation https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/ - Section: "SSHD Port Assignment" -> "Change Client Config":

I see that the Phabricator documentation talks about option-3 above, in general for git or svn. It will be great if the step "Change Client Config" is documented as a mandatory step for SVN at least, as it currently seems to reject URI with the custom port in it. A note in the troubleshooting section may also help. Would you please review/update this part of documentation?

epriestley mentioned this in T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).Aug 11 2017, 12:50 PM
nickhutchinson added a subscriber: nickhutchinson.Aug 18 2017, 7:16 AM
pasik added a subscriber: pasik.May 12 2018, 1:55 PM
Phabricator · Built by Phacility