svn+ssh access with --tunnel-user

Malte Helmert helmert at
Tue Jul 1 10:58:43 CDT 2008

Hi everyone,

The repositories I manage are accessed via svn+ssh with the
--tunnel-user option as described in the "Tunneling over SSH" section of
the book. There is one system-level user account per repository, which
will have an ~/.ssh/authorized_keys file like this (minus the extra line

command="/usr/bin/svnserve -t --tunnel-user=Malte\ Helmert
  -r /home/repos/whatever/repository",
  ssh-dss KEY... malte at wherever
command="/usr/bin/svnserve -t --tunnel-user=Someone\ Else
  -r /home/repos/whatever/repository",
  ssh-dss KEY... someone at wherever
command="/usr/bin/svnserve -t --tunnel-user=Yet\ Another\ Guy
  -r /home/repos/whatever/repository",
  ssh-dss KEY... yag at wherever

No one else has ssh access to the account and there is no httpd or
svnserve daemon running, so only these three people can access the

In some repositories, I also use path-based authentication to keep some
people out of certain parts of the repository. The funny thing is that
under certain circumstances [1], people with full access rights in the
"authz" file can't access the repository at all *unless I set
anon-access to none* in the svnserve.conf file. Their checkout will fail
with "Not authorized to open root of edit operation". However, if I
change anon-access from its default "read" to "none", everything works

The unintuitive thing here is that tightening permissions (from "read"
to "none") leads to more access rights. I also don't understand why
*anonymous* access matters here; shouldn't the --tunnel-user take care
of that?

Apparently this is a Subversion bug [2], but since this issue has
existed since at least 2006 (according to the comments in the issue
tracker), maybe it's worth pointing out the workaround (setting
anon-access=none) in the "Tunneling over SSH" section of the book, where
this problem is very likely to occur.


[1] Looks like it depends on the SVN client. The command-line client
works, as do older versions of TortoiseSVN, but the current version of
TortoiseSVN causes problems.

[2] looks
closely related, although it doesn't mention --tunnel-user.
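
A check for the configuration described in the message above, as an added example that is not part of the original post or of Subversion: it reads the text of a svnserve.conf file and reports when authz-db is set while anon-access is anything other than "none" (including the unset default, "read"). The function name and the sample files are constructed for illustration.

```python
import configparser

# Constructed sample: path-based authz enabled, anon-access left at its default.
SAMPLE_DEFAULT = """\
[general]
# anon-access = read
auth-access = write
authz-db = authz
"""

# Constructed sample: the workaround from the message (anon-access = none) applied.
SAMPLE_WORKAROUND = """\
[general]
anon-access = none
auth-access = write
authz-db = authz
"""


def check_svnserve_conf(text):
    """Return a list of findings for the text of one svnserve.conf file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    general = cp["general"] if cp.has_section("general") else {}

    # svnserve treats a missing anon-access as "read".
    anon = general.get("anon-access", "read").strip().lower()
    authz_db = general.get("authz-db", "").strip()

    findings = []
    if anon not in ("none", "read", "write"):
        findings.append(f"anon-access has unrecognised value {anon!r}")
    # The combination reported in the message: path-based authz in use
    # while anonymous access is not switched off.
    if authz_db and anon != "none":
        findings.append(
            f"authz-db = {authz_db} with anon-access = {anon}: "
            "set anon-access = none for --tunnel-user setups"
        )
    return findings


if __name__ == "__main__":
    for name, body in (("default", SAMPLE_DEFAULT), ("workaround", SAMPLE_WORKAROUND)):
        print(name, check_svnserve_conf(body) or "ok")
```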
