Thus said Chad Perrin on Sat, 10 Aug 2013 18:07:28 -0600:

> What's the  quick/easy way to  get Fossil set up  so a small  team can
> push/pull/sync  multiple Fossil  repositories  on  the server  without
> having shell accounts?

At the  moment, this  type of  SSH integration isn't  as flexible  as it
could be because  Fossil depends on the shell behaving  in certain ways.
I've  been  working  on  making  it  easier to  use  fossil  in  an  SSH
environment, and have had a few iterations.

I  would appreciate  your feedback  regarding how  my changes  currently
work. You can pull the latest  iteration from here, which you'll have to
build from sources:

http://www.fossil-scm.org/index.html/info/0c19424325

The simplest setup is to create a separate account per project and use SSH
keys with Fossil username/passwords. You could have the following in the
~project/.ssh/authorized_keys:

command="bin/fossil http fossils/project.fossil" ssh-rsa ...

This is  probably the simplest  to implement and requires  no additional
scripts to facilitate use, but it does mean that you'll need a different
SSH  account for  each  project  (or different  SSH  keys  per user  per
project).  It  also means  that  there  is no  shell  in  use (per  your
requirement).



Alternatively, set up a single account on the SSH server (perhaps called
fossil)  which  houses all  the  repositories  for  the team.  Then  you
can  use SSH  keys  to  authenticate the  users  to  the fossil  account
(~fossil/.ssh/authorized_keys) and use a Force Command to guarantee that
their SSH key can run fossil (this meets your no shells requirement).

$ cat ~fossil/.ssh/authorized_keys
command="bin/fossil.sh" ssh-rsa ...

Here's an example of what ~fossil/bin/fossil.sh could look like:

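#!/bin/sh
# Forced command: run "fossil http" on the last word of the client's request.
set -f   # no filename expansion when splitting the command below
set -- $SSH_ORIGINAL_COMMAND
# Drop every word except the last one (the repository path).
while [ $# -gt 1 ]; do shift; done
exec bin/fossil http "$1"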

Basically,  it  gets   the  name  of  the  requested   fossil  from  the
SSH_ORIGINAL_COMMAND and  then calls the  *real* fossil http  command on
it. Each  user will need  their own  Fossil account in  the repositories
housed in the account, but only one SSH account is used.



Alternatively if  you wanted the  SSH key to  authorize the user  to the
fossil  repository (e.g.  no Fossil  password required),  you can  use a
similar script as above:

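#!/bin/sh
# $1 is the Fossil username given in this key's command="..." entry.
REMOTE_USER="$1"
set -f   # no filename expansion when splitting the command below
set -- $SSH_ORIGINAL_COMMAND
# Drop every word except the last one (the repository path).
while [ $# -gt 1 ]; do shift; done
export REMOTE_USER
exec bin/fossil http "$1"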

Then set up each user's SSH key as:

command="bin/fossil.sh <username>" ssh-rsa ...

This will allow the user to authenticate to Fossil without requiring you
to  issue  them a  Fossil  password.  This  only  works if  the  ``Allow
REMOTE_USER authentication'' option is enabled under Admin->Access.

This will currently prompt for a  Fossil username password, but it would
be nice, perhaps if it didn't. This  would then make it easier to use in
the case where you  are only using SSH keys to  authenticate the user to
both the SSH account and the Fossil account.

At the moment, the only way to  accomplish this is to put something like
the following in each user's ~/.ssh/config:

Host remote
  User fossil

Then use a fossil clone command like:

fossil clone ssh://remote/fossils/project.fossil project.fossil



Hope  this gives  you some  ideas as  to how  to accomplish  what you're
trying to  do. At the  moment, this is experimental  code and a  work in
progress that has not yet been merged to trunk so you'll have to compile
on your own. If you run into any issues, let me know.

One  thing I  think  I would  like  to  try to  resolve  is somehow  not
prompting for  the password  at all  in the case  where the  username is
specified in  the URL and  SSH keys are in  use so ~/.ssh/config  is not
required.

One thing  to keep in  mind, if you aren't  using SSH keys,  the default
behavior is  for fossil to  run ``fossil test-http  /path/to/fossil'' as
the remote  SSH command  which will  basically leave  you with  the same
behavior that you  have currently experienced with  released versions of
fossil.


Andy
--
TAI64 timestamp: 400000005206e6ec
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
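
An added example, not part of the original message or of Fossil: a variant of the single-account fossil.sh forced command that checks which repository the client asked for before running fossil http. It assumes repositories live in ~fossil/fossils and are requested as fossils/<name>.fossil, as in the clone command above; resolve_repo and REPO_DIR are hypothetical names.

```shell
#!/bin/sh
# Added example: forced-command wrapper that only serves fossils/<name>.fossil.
# REPO_DIR and the naming rule are assumptions, not part of Fossil.
REPO_DIR="${REPO_DIR:-$HOME/fossils}"

# resolve_repo "<client command>": print the repository file to serve, or
# return non-zero when the request is not an allowed repository.
resolve_repo() {
    set -f                  # no filename expansion while word-splitting
    set -- $1               # split the client's command into words
    set +f
    [ $# -ge 1 ] || return 1
    while [ $# -gt 1 ]; do shift; done    # the last word names the repository
    case "$1" in
        fossils/*.fossil) name=${1#fossils/} ;;
        *) return 1 ;;
    esac
    # Accept a plain file name only: no '/', no leading '.' or '-',
    # and nothing outside letters, digits, '.', '_' and '-'.
    case "$name" in
        */*|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ -f "$REPO_DIR/$name" ] || return 1
    printf '%s\n' "$REPO_DIR/$name"
}

# sshd places the client's request in SSH_ORIGINAL_COMMAND. With no request
# (an interactive login attempt) nothing is run and the session ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    repo=$(resolve_repo "$SSH_ORIGINAL_COMMAND") || {
        echo "repository not allowed" >&2
        exit 1
    }
    exec "$HOME/bin/fossil" http "$repo"
fi
```

Because the repository name is matched against a fixed pattern and must exist under REPO_DIR, a key restricted to this wrapper cannot point fossil http at a file elsewhere in the account.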
