Add ssh banner to svn.kde.org to explain situation with keys
Closed, ResolvedPublic

Description

After we migrate the SVN server, in order to commit to SVN, users will need to be in the user list and have their SSH keys in GitLab.

I found there is an easy way to warn users about this. We can show text to users logging in as svn (and not as other users, such as git) by adding this at the end of sshd_config:

Match User svn
    Banner /root/svn-banner.txt

Proposed text:

Starting next week, all SVN users will need to login to KDE's GitLab and add
their SSH keys there: https://invent.kde.org/profile/keys

In addition, only users in the following list will be able to connect to SVN:
https://cgit.kde.org/repo-management.git/tree/svn-ssh-keys/users-list

If you're not in this list and you need SVN access, please open a sysadmin
ticket at https://go.kde.org/systickets, or email sysadmin@kde.org.

I considered linking to the announcement email too, but the text already feels link-heavy...

If you have any comments or objections on this idea, or the text of the banner, please reply. Otherwise I'll action this ~tomorrow.

It would be also ideal if we could also check whether the user who logged in (based on the key) is in the user list, and warn about that only if they aren't. But is probably more trouble than it's worth.

nalvarez created this task.Apr 14 2020, 6:54 PM
Restricted Application added a subscriber: sysadmin. · View Herald TranscriptApr 14 2020, 6:54 PM
bshah awarded a token.Apr 16 2020, 2:05 AM

I realized the SSH host keys will change too, and warning about that too in the banner would become too much. We also need something to link to devs after the server is migrated and they are "locked out" for any of these reasons.

So I made a wiki page: https://community.kde.org/Infrastructure/Subversion/2020_Changes
Now the banner can be shorter and just link to the wiki page, which in turn can be more detailed.

New proposed ssh banner:

The SVN repository will move to a new server soon. As part of that, we will
limit access only to people who need it, and use GitLab to manage the SSH keys.
To continue committing to SVN, you will need to add your SSH keys to KDE's GitLab,
and make sure your username is allowed.

See this page for more information:
https://community.kde.org/Infrastructure/Subversion/2020_Changes

Feel free to nitpick banner and wiki text.

nalvarez closed this task as Resolved.Apr 16 2020, 5:18 AM

Welp. Turns out this doesn't work. svn calls ssh with -q which hides the banner.

If authentication fails, svn gives this error:

svn: E170013: Unable to connect to a repository at URL 'svn+ssh://svn@svn.kde.org/home/kde'
svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file.
svn: E210002: Network connection closed unexpectedly

If the user follows those instructions and removes the -q option from configuration, only then they will see the message; but by default it's not shown.

Oh well, I tried. Better than nothing.