Date: Thu, 7 Sep 2006 16:55:12 +0100
From: Daniel Bye <freebsd-questions@slightlystrange.org>
To: FreeBSD Users Questions <freebsd-questions@freebsd.org>
Subject: Re: need a restricted shell
Message-ID: <20060907155512.GA33555@catflap.slightlystrange.org>
In-Reply-To: <0B52EB48-687D-4330-8B5A-54DBAEA305D5@shire.net>
References: <0B52EB48-687D-4330-8B5A-54DBAEA305D5@shire.net>
On Wed, Sep 06, 2006 at 02:55:25PM -0600, Chad Leigh -- Shire.Net LLC wrote:
> I am looking for a shell that will allow Subversion to be run over
> ssh but not allow interactive login or if it allows interactive
> login, will only allow Subversion commands to be run... Any ideas on
> how to accomplish this?
>
> I have been looking at various shell lists in ports but nothing
> popped out as obvious to me

I have done this in the following way:

Create a dedicated user, for example, svn. This user will own the repository. If you intend to allow "normal" users to access the repository from accounts on the server box, you'll need an svn group, as well. From your question, though, I get the impression this isn't what you intend, so I'll ignore that possibility.

For each user, copy their public key to the svn user's .ssh/authorized_keys file, prepending each one with:

    command="/usr/local/bin/svnserve -t --tunnel-user=username -r /path/to/your/repository/root",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty

Obviously, you'll need to put the appropriate user's name in place of username, above. It is used by the server to record who does what, so that there is no real need for each of your developers to have an account on the server.

By specifying the command to be run with each key, you tell sshd not to allow any other type of activity, so there is no real need for a restricted shell. However, other suggestions about limiting which IPs can connect and which users (in this case, make sure svn is included in the list of usernames!), are valid.

Each client will need to set up a new scheme for connecting to the svn account at the server box.
Something like this in each developer's ~/.subversion/config should do the trick:

    [tunnels]
    mysvn = $MYSVN_SSH ssh -l svn

If set, $MYSVN_SSH will be evaluated instead of running the ssh command. See the documentation for how this might be useful (I can't remember...)

Now, in order to connect, your clients will need to specify the path to the repository like this:

    svn+mysvn://host.name/path/to/project

If you have any clients who use TortoiseSVN, they will need to specify the scheme differently:

    svn+ssh://svn@host.name/path/to/project

(Unless, of course, you can find some way for them to also use custom tunnels).

It takes a little work to set up, but when it is running, it works well.

Dan

-- 
Daniel Bye
PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
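The authorized_keys lockdown described in the reply above, as an added example that is not part of the original post: a small Python helper that builds one entry for a developer exactly as the post prescribes, and audits an existing authorized_keys file for keys that still grant a shell, lack --tunnel-user, or miss one of the no-* options. The repository path, key material and file contents below are constructed placeholders.

```python
import re

SVNSERVE = "/usr/local/bin/svnserve"
REQUIRED_OPTS = {"no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", "no-pty"}
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256")


def build_entry(username, pubkey, repo_root):
    """Return the authorized_keys line from the post for one developer's public key."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", username):
        raise ValueError("username contains characters unsafe for --tunnel-user")
    cmd = f"{SVNSERVE} -t --tunnel-user={username} -r {repo_root}"
    opts = ",".join([f'command="{cmd}"'] + sorted(REQUIRED_OPTS))
    return f"{opts} {pubkey.strip()}"


def parse_entry(line):
    """Split one non-comment authorized_keys line into (options, key).

    Options are comma-separated but a quoted command= value may itself contain
    commas and spaces, so quotes are tracked while scanning."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return [], line.strip()  # no options field at all
    opts, cur, quoted, i = [], "", False, 0
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch.isspace():
            break  # end of the options field
        elif not quoted and ch == ",":
            opts.append(cur)
            cur = ""
            continue
        cur += ch
    opts.append(cur)
    return opts, line[i:].strip()


def audit(text):
    """Return [(line_no, problem)] for every key not locked down as the post describes."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _key = parse_entry(line)
        names = {o.split("=", 1)[0] for o in opts}
        cmds = [o for o in opts if o.startswith('command="')]
        if not cmds:
            problems.append((n, "no forced command: key grants a real shell"))
        elif not cmds[0].startswith(f'command="{SVNSERVE} -t '):
            problems.append((n, "forced command is not svnserve tunnel mode"))
        elif "--tunnel-user=" not in cmds[0]:
            problems.append((n, "no --tunnel-user: commits would all be attributed to svn"))
        for missing in sorted(REQUIRED_OPTS - names):
            problems.append((n, f"missing {missing}"))
    return problems
```

Running audit() over the svn user's real authorized_keys after every key rotation catches the common mistake of pasting a developer's key without the prefix.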