
Re: cvs ext (ssh), but no shell access.. (address@hidden)

From: Wim Bertels
Subject: Re: cvs ext (ssh), but no shell access.. (address@hidden)
Date: Fri, 26 Sep 2003 00:53:47 +0200

> There are three basic mechanisms you may use:
> a) $HOME/.ssh/authorized_keys may contain the following option:
>      command="command"
>              Specifies that the command is executed whenever this key is
>              for authentication.  The command supplied by the user (if any) is
>              ignored.  The command is run on a pty if the client requests
>              pty; otherwise it is run without a tty.  If an 8-bit clean
>              nel is required, one must not request a pty or should specify
>              pty.  A quote may be included in the command by quoting it with a
>              backslash.  This option might be useful to restrict certain
>              lic keys to perform just a specific operation.  An example
>              be a key that permits remote backups but nothing else.  Note
>              the client may specify TCP/IP and/or X11 forwarding unless
>              are explicitly prohibited.  Note that this option applies to
>              shell, command or subsystem execution.
>    where command could be set to be '/usr/bin/cvs' (or whatever).
>    This mechanism is probably the most common. A web server or similar
>    running on the cvs server box might let you submit an ssh public key
>    to be used and it would setup the user account with the appropriate
>    command= provided.


For now, this is what I did:

For example:
1. SSH
If you put
test: ... :/var/lib/cvs:usr/bin/cvs
in the /etc/passwd file,
you can't connect using ssh to the cvs server (the cvs command alone is not
enough, don't ask me why,
but I suppose it also needs things like ls, mkdir, scp ...),
so the only way is to use a restricted shell instead of /usr/bin/cvs,
but then again, the user has shell access (maybe use chroot or something).

So I'm not using this, but I'm using the following:
2. pserver and stunnel
Why? No shell, secure connection.
Maybe it would be a good idea to have a config file like you have, for
example, for postgresql
(pg_hba.conf), where you can put who can connect in which way (including
ident, pam, md5, krb5 ...) to the server.

Wim Bertels
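One way to apply the command= option from the quoted message to a CVS-only key, as an added example that is not from the original thread; the wrapper path /usr/local/bin/cvs-only.sh and the key text are assumed placeholders. sshd sets SSH_ORIGINAL_COMMAND to whatever the client asked for and runs the forced command instead; the wrapper only ever launches `cvs server` (what a CVS :ext: client requests) and refuses anything else, and the generated key line also disables the forwarding and pty that the man page says remain available unless explicitly prohibited.

```shell
#!/bin/sh
# Forced-command wrapper for a CVS-only SSH key (added example, not from the
# original thread). Install it as the command="..." target of one key in
# ~/.ssh/authorized_keys on the CVS server; sshd then ignores the client's
# command line and runs this script with the request in SSH_ORIGINAL_COMMAND.

# Hypothetical paths: adjust to the server's layout.
CVS_BIN=/usr/bin/cvs

# Returns 0 only when the client asked for exactly what a CVS :ext: client
# sends ("cvs server"); anything else, including "cvs server; id" or an
# interactive shell, is rejected.
cvs_only_allowed() {
    case "$1" in
        "cvs server"|"$CVS_BIN server") return 0 ;;
        *) return 1 ;;
    esac
}

# Builds the authorized_keys line for a key restricted to the wrapper,
# with pty and TCP/X11/agent forwarding explicitly prohibited.
#   $1 = wrapper path, $2 = public key text
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Dispatch: run the CVS server protocol for a valid request, log and refuse
# everything else (the message goes to the client's stderr via sshd).
run_forced_command() {
    if cvs_only_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        exec "$CVS_BIN" server
    fi
    echo "rejected: only 'cvs server' is permitted for this key" >&2
    exit 1
}

# Only dispatch when actually invoked by sshd with a client request.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_forced_command
fi
```

Generate the key line with `authorized_keys_line /usr/local/bin/cvs-only.sh "$(cat key.pub)"` and append it to the CVS account's ~/.ssh/authorized_keys; the account keeps a normal shell entry in /etc/passwd, since the key options, not the login shell, do the restricting.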
