Windows Home Server + SSH + Subversion = Joy

Here’s how to set up a secure Subversion server under Windows Home Server. These steps assume you are familiar with Cygwin, the command line, and are not afraid to do some unapproved tinkering with your server.

Things you will need:

  • Cygwin installed on your Windows development machine. Make sure you have the OpenSSH and Subversion packages installed in Cygwin already, we’ll need those while testing the installation on the WHS.
  • An SSH key pair for your development account. If you don’t have one already, create one in Cygwin before starting by launching the ssh-user-config script (you need an SSH2 RSA key pair). If you already have an SSH key pair outside of Cygwin, make sure you update the ~/.ssh/id_rsa, ~/.ssh/id_rsa.pub and ~/.ssh/authorized_keys in Cygwin with your key pair.
  • For your Windows-based development, you will need PuTTY. It includes a Windows-based SSH client so you won’t need to go through Cygwin to use Subversion+SSH.
  • Plenty of spare time; this will take a while.

I take no responsibility if this breaks your server, you do this at your own risk, blah blah (you know the drill – if you screw up, it’s your fault not mine).

With that out of the way, here’s how to proceed:

  1. Log into your Home Server using Remote Desktop (Start -> Run -> mstsc.exe) using the Administrator account.
  2. In WHS, create the C:\Cygwin folder manually, before installing cygwin.
  3. Right-click the folder, select Properties. Go to the Security tab, click Users and check the Modify and Write boxes. After clicking Apply, the resulting permissions for Users should look like this:

    Cygwin folder permissions

    Click OK.

  4. Start the Cygwin setup on your WHS.
  5. Click Next until you reach the “Select Packages” screen.

    Set the entire Admin category to Install.
    In the Devel category, enable subversion.
    In the Editors category, include your favorite editor (I use nano).
    In the Net category, enable OpenSSH and tcp_wrappers.

    Leave the other categories to their default values and click Next.

    Go have a (small) coffee while Cygwin downloads and installs, then click Finish to close Cygwin setup.

  6. Open the C:\Cygwin folder in Explorer. Right-click the Cygwin.bat file, select Edit. After the @echo off, add the following line:

    set CYGWIN=binmode tty ntsec

    Save, then close Notepad.

  7. Click Start, right-click on My Computer, and select Properties. In the Advanced tab, click on Environment Variables. In the System variables list, select the Path variable and click Edit. Add the following to the end of the existing variable:

    ;c:\cygwin\bin

    …and OK your way out of the dialog stack.

  8. In Explorer, go to the C:\Cygwin\etc\defaults\etc folder and open the sshd_config file with Wordpad (Notepad won’t work because of the Unix linefeeds). Locate the following line:

    #UseDNS yes

    …and replace it with this:

    UseDNS no

  9. Start Cygwin using the desktop shortcut. It will create the /home directory (in Cygwin) and set up the Administrator account. You should see the standard prompt:

    Administrator@HPSERVER ~
    $

  10. Time to configure SSH. Launch ssh-host-config and answer yes to all questions. When the script asks for a password for the new sshd_server user, enter your WHS Administrator password. At the “CYGWIN=” question, answer with “binmode ntsec tty” (without the quotes).

    DO NOT INTERRUPT THE SSH HOST CONFIG SCRIPT WHILE IT IS RUNNING! If the script fails, check the end of this post for uninstallation instructions and start over.

  11. Start the SSH service from within Cygwin:

    net start sshd

  12. Click Start, right-click on My Computer, and select Manage. In the Computer Management console, expand the Local Users and Groups category, right-click on the Users folder, and select New User....

    Set the User name to svn.
    Uncheck the User must change password at next logon option.
    Check the User cannot change password option.
    Check the Password never expires option.

    Click Create, then Close.

    Right-click the new svn user, and select Set Password.... Dismiss the security warning and set the password to something secure (such as your Administrator password).

  13. In the management console, select the Groups folder. Double-click on Administrators, then Add... the new svn user to the Administrators group. Click OK and close the management console.
  14. Log off from your WHS using Start -> Log Off, and log back in as the svn user.
  15. Start Cygwin from the desktop shortcut. It will complain about the current group being mkpasswd, fix this as the message says:

    mkpasswd -l > /etc/passwd
    mkgroup -l > /etc/group

    This syncs up the users database between Cygwin and Windows.

  16. Close Cygwin, and start it up again. You should now see the skeleton files being copied for the new svn user.
  17. Start the ssh-user-config script. Say no to the SSH1 RSA identity question. Say yes to the SSH2 RSA identity question. Leave the passphrase empty. Answer yes when asked if you want to use this identity to login to the machine. Say no to the SSH2 DSA identity question.
  18. Using your favorite Cygwin editor, append the public keys of the accounts you want to access SVN to ~/.ssh/authorized_keys (one line per key):

    ssh-rsa AAA...== joeuser@blah.com

    When you want to add more accounts for SVN later, just add their public key to that file.

  19. Click Start, go to Control Panel, select Windows Firewall, and go to the Exceptions tab.

    Click Add Port..., set the Name to ssh and the Port number to 22. Leave the TCP bullet selected. OK your way out of the firewall.

  20. We will now test the SSH connection. On your local machine, start Cygwin and SSH into your Windows Home Server:

    $ ssh svn@yourservername

    It should ask you to confirm the identity of the server. Answer ‘yes’. You should not be asked for a password and your username should have changed to svn. This means SSH is working and you are now logged into the remote server using a secure connection. Leave the connection open, we will get back to it later.

    If instead ssh returns with a Connection timed out message, there is a problem with the SSH service on the Home Server. Likely culprits include incorrect firewall settings (easily diagnosed by disabling the firewall) or incorrect SSH configuration (harder without getting into specifics).

    If you are asked for svn‘s password, double-check that your public key from your local system has been added to the ~/.ssh/authorized_keys file of the svn user on the remote system. It needs to be all on one line, one line per key. If you use nano to edit the file, don’t forget to use the -w option to disable word wrap.

    It’s important to get this step right (SSH login without password) otherwise the secure Subversion server won’t work, as this setup relies on matching SSH keys to identify users.

  21. Now that SSH is working, time to setup a storage area. Start the WHS console, go to the Shared Folders tab and create a new svn share. Set permissions to None for all users as we don’t want anyone poking around in that folder. I probably don’t need to remind you to enable folder duplication! 🙂
  22. Back to your local system, go to the (previously opened) SSH connection. You should still be remotely logged in to the svn account. We will set up the repository directory inside the new shared folder:

    $ mkdir //yourservername/svn/repos
    $ ln -s //yourservername/svn/repos /home/svn/repos

  23. Create the SVN repository:

    $ svnadmin create /home/svn/repos

    If you are transferring an existing repository, you can now load it into your WHS (look at the svnadmin dump command for help on transferring your existing repository). If you want to start fresh, you can ignore this command.

    $ svnadmin load /home/svn/repos < existingrepos.dump

  24. Test that the SVN repository is accessible from the WHS itself:

    $ svn log file:///home/svn/repos

    If there are no errors, it confirms that the svn user can access the repository and that Subversion is set up correctly on your Home Server. If you transferred an existing repository, the changelog for the entire repository will be displayed (proving that the migration worked).

  25. At this point, we know SSH works, and SVN works. Time to connect the pieces together.

    Still using the SSH connection as the svn user, edit the ~/.ssh/authorized_keys file. Each line should look like this:

    ssh-rsa AAA[...]== joeuser@blah.com

    Prefix the ssh-rsa part as follows:

    command="svnserve -r /home/svn -t --tunnel-user=joeuser",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAA[...]== joeuser@blah.com
  26. Naturally, change joeuser to the corresponding user name. Don't put spaces after the commas. Make sure everything is still on one line!

  27. Still in Cygwin, exit from the svn remote connection to get back to the local system. Issue the following to test that the SVN server works through SSH:

    $ ssh svn@yourservername

    You should see the following response:

    ( success ( 1 2 ( ANONYMOUS EXTERNAL ) ( edit-pipeline svndiff1 absent-entries ) ) )

    Ctrl-C out of that SSH connection, we got what we came for.

    If you don't see this, double-check your modifications to the ~/.ssh/authorized_keys file. Remember: no spaces after the commas, all on one line, one line per key.

  28. Now we check that SVN+SSH is working as intended. Issue the following from your local Cygwin account:

    $ svn log svn+ssh://yourservername/repos

    You should see the same output you had before when you tried it directly on the WHS (either no error or a complete changelog of your repository).

  29. We are close to the end. All that is needed is to set up your Windows development machine to use SSH for Subversion. Close Cygwin and your remote desktop connection to your WHS.

    If you haven't already, install the Windows version of Subversion and PuTTY on your machine. It doesn't matter which Subversion binary you use (Apache 2.0 or Apache 2.2) because we don't use Apache for authentication, so you don't even need the .so files.

  30. Make sure Pageant is running. This is the key server for PuTTY. Start it manually if you need to. You probably want to add it to your startup items so it's always running.
  31. Convert your Cygwin SSH key into .ppk format by running puttygen and importing the existing C:\Cygwin\home\yourusername\.ssh\id_rsa file (you may have to edit the key header to convince Puttygen that the key is valid). Set the Comment field to your email address and save the imported key in your Windows home directory (or some other safe place). DO NOT SHARE THIS FILE.
  32. Right-click the Pageant tray icon and select Add Key. Select the .ppk file you just saved and click Open.

    You can double-click the Pageant icon to validate that your key is loaded.

  33. Validate that your Windows SSH client is working. For PuTTY, type the following inside a command prompt:

    c:\progra~1\putty\plink -ssh svn@yourservername

    You will be asked to validate the identity of the server (say yes). This will add the server's key to the cache and allow passwordless entry. You should see a reply from the server similar to what we had before:

    Using username "svn".
    Server refused to allocate pty
    ( success ( 1 2 ( ANONYMOUS EXTERNAL ) ( edit-pipeline svndiff1 absent-entries ) ) )

    Again, if you are asked for a password, there is something wrong with your key. Double-check that the key added to puttygen is correct.

    Ctrl-C out of the SSH connection.

  34. If you've never used Subversion before on your system, type the following from a Command Prompt in order to have Subversion create its configuration files:

    C:\> svn log svn+ssh://svn@yourservername/repos

    The command won't work ("Can't create tunnel") but that's normal, we'll fix that in the next step. The goal is to make sure the Subversion configuration file is created.

  35. Edit the Subversion configuration file:

    C:\> notepad %appdata%\Subversion\config

    ...and locate the [tunnels] section. Add the following entry to it:

    svn = c:/progra~1/putty/plink.exe -ssh

    Note that these are forward slashes inside a Windows path, this is required!

  36. Now we can issue the previous Subversion command again:

    C:\> svn log svn+ssh://svn@yourservername/repos

    Again, you should see no error, or a changelog of the entire repository.

You are done! (phew!)

Finishing touches include setting up TortoiseSVN, and adding SVN integration into your Visual Studio environment (assuming that's what you use). This is mostly a matter of personal preference, so I don't include this in the (already quite numerous) setup steps.

There you go, a secure Subversion server is now available on your Windows Home Server. The connection is encrypted, so your source code is safe even over a public network connection, and available to you wherever you may be. You may need to forward port 22 from your router to your WHS to access your SVN server from the outside.

The next step is to set up an internet mirror for your SVN server, to protect against the unlikely failure of your WHS, but most people won't need this. If you are interested, more details are available here. I haven't done this yet so I can't say how it interacts with WHS.

If you want to uninstall the SSH server (for whatever reason) without restoring your entire WHS, here's how:

  1. Log in to your WHS with Remote Desktop with the Administrator account.
  2. From a command prompt:
    C:\> net stop sshd
    C:\> sc delete sshd
  3. Reboot the WHS.
  4. Log back in to your WHS with Remote Desktop with the Administrator account.
  5. Delete C:\Cygwin.
  6. From a command prompt:
    C:\> net user sshd /delete
    C:\> net user sshd_server /delete
    C:\> net user svn /delete
  7. Delete C:\Documents and Settings\sshd_server.
  8. Delete C:\Documents and Settings\svn.
  9. Delete any line that makes a reference to sshd in C:\Windows\System32\drivers\etc\services.
  10. Start regedit, search for sshd and delete all references you find.

If someone can streamline this into an easy-to-install Add-in for WHS, please share! I think this is above and beyond what can be done with WiX, especially since there is no command-line package manager for Cygwin (so we can't automate the install). For now I don't mind doing all of it manually, but it's going to be a bother if I ever need to reset the server.

To be continued I guess...

References:

12 Responses to “Windows Home Server + SSH + Subversion = Joy”


  • Hi there,

    I would like to thank you for this awesome posting. It was easy to follow and everything worked as expected! Thanks again! Also, I saw you’re interested in Game Development? I’d Like to hear from you!

    Best regards,
    Chris.

  • Hello Chris,

    Glad you enjoyed the post. I’ll try to write more 😉

    I’m definitely interested in games development, and in fact have been working as a game developer for a major publisher for a couple of years now. I still write my own stuff at home though, thus the need for an SVN server. WHS is just too awesome to pass up and combining it with SVN seemed so natural, even though setting it up turned out to be more complex than I thought.

    I’ve since learned that there are ways to install Cygwin silently from the command-line, it may yet be possible to package this into a nice WHS add-in after all. So many cool projects, so little time!

    Cheers,
    Ben.

  • Salut Benoit,

    Long time no see,

    Now I know what I was doing wrong !!! more than that, it works.

    Point 20 . there was it. pay attention to the key thing.

    I needed this for the job, and not for home opposite of you .

    I `m building a GUTO, (Grand Unifier ¦ Total Organizer) has a hobby to package all of what can be useful for a coder on the road.

    Maybe we can share and have a Linux and WHS solution.
    Next step, Bugzilla under cygwin.

    We need to talk anyway,
    Send me a mail ,

    Le Fern

  • “svn = c:/progra~1/putty/plink.exe -ssh”
    should be
    “ssh = c:/progra~1/putty/plink.exe -ssh”

  • I just tested setting up a svn server according to these notes on a Windows 7 Professional OS with 64-bits Cygwin installed. Except for problems with the svnserve command and -r option, resulting in me substituting the svnserver with an invocation of it using bash:

    bash -c’svnserve …

    and using other web pages for setting up the sshd daemon,
    this has worked well for me up to testing the access via
    svn ls and svn co from Debian itself.

    Thanks for a good tutorial

    Mikael Höghede

  • Typo above, I am testing from cygwin itself of course…

  • I just realized that the problem above is due to my setup of the user for cygwin sshd, this account lacks a home directory for Windows (and cygwin can not be run), so the problem seems to lie with the cygwin sshd setup (non-standard in my case).

    Once again thanks for a good, useful web page about this.

  • Hey Mikael,

    Glad this post helped, when I wrote it there wasn’t much info on how to do this, I’m just happy I took notes while I did it 🙂

    My WHS setup has since died (vintage HP MediaSmart Server!), I am still debating what to replace it with now that Microsoft has discontinued the OS. I hardly code anything at home nowadays so I don’t miss SVN! If I were to do this again I would use the free version of Perforce.

    Cheers,
    Ben.

  • Perforce seems like a nice option, free for 20 users although commercial, as long as the firm keeps up to that.

    Onto the old subject (I used to do OSes, so perhaps I
    should feel my responsibility and dig into the root cause for the problem altogether):

    A little remark, it seems that for a somewhat older version of cygwin64 (1.7.17) you need to change the bash shell invocation in the string in authorized_keys so that you would have a line

    command=”bash -l -c svnserve -r /home/svn -t –tunnel-user=joeuser”,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAA[…]== joeuser@blah.com

    Best regards

    Mikael

  • Correcting myself again, proper syntax should be:

    command=”bash -l -c ‘svnserve -r /home/svn -t –tunnel-user=joeuser,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty”’ ssh-rsa AAA[…]== joeuser@blah.com

    Best regards

    Mikael

  • Typos rule, repeating this again:

    command=”bash -l -c ‘svnserve -r /home/svn -t –tunnel-user=joeuser,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty’” ssh-rsa AAA[…]== joeuser@blah.com

    Best regards

    Mikael

  • I have now switched to using relevant parts of this instruction for sshd:

    http://docs.oracle.com/cd/E24628_01/install.121/e22624/preinstall_req_cygwin_ssh.htm

    (adding that user svn should be administrator)
    and your post , it seems that the problem above vanishes,
    and one could use the original line in autorization_keys proposed in your post.

    Best regards

    Mikael

Leave a Reply