Thus said Chad Perrin on Tue, 13 Aug 2013 18:39:21 -0600:

> Everything was working great until I tried to use the following in the
> authorized_keys file for the user account hosting the Fossil repos:
> 
>     command="/usr/local/bin/fossil",no-X11-forwarding,no-agent-forwarding
>     ssh-rsa <key> <user>@<client-host>

This won't really work at all with the current release of fossil
(version 1.26) because fossil's client side expects to be able to talk
to a shell, not to a fossil program.

> . . . because, of course, "ssh -L" is then prevented from working.

That shouldn't have prevented port forwarding. no-port-forwarding is
what prevents that and I don't see that listed. More than likely what
happened is that the SSH connection brought up fossil, but it gave you
a usage statement.


> Is there a fairly simple way to prevent people from doing anything
> unrelated to what a dev team member should be able to do that still
> allows me to use this approach to granting encrypted Fossil access?

Well, if you are doing the port forwarding approach, yes, there is. Make
the command something like sleep:

command="/bin/sleep 28800" ssh-rsa ...

Then all they can do is tunnel to your fossil server listening on port
8888 (and anywhere else for that matter). Obviously when sleep exits,
they will have to reestablish a connection. You might also want to enable
ClientAliveCountMax and ClientAliveInterval to detect clients that have
disappeared.

Port tunnelling certainly will not be as convenient as simply doing:

fossil clone ssh://fossil@freebsdhost//project project.fossil

But it should be feasible and quick to set up (again subject to training
your users that they must clone/sync with localhost via HTTP *after*
they have established the SSH tunnel). By the way, the fossil server
need not live on the freebsdhost. You could place it on an internal
server (192.168.3.5 for example) and then set up the tunnel like:

ssh -L 8080:192.168.3.5:8080 sshuser@freebsdhost

Then they clone:

fossil clone http://fossiluser@127.0.0.1:8080/project project.fossil

Hope this helps.

Andy
-- 
TAI64 timestamp: 40000000520ad75f
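The following is an added example, not code from this thread or from the Fossil project. It builds the "sleep as forced command" authorized_keys entry Andy describes and audits entries for the restrictions that approach relies on. It assumes OpenSSH authorized_keys option syntax (command=, no-pty, no-X11-forwarding, no-agent-forwarding, permitopen="host:port"); the permitopen restriction is the addition that closes the "and anywhere else for that matter" gap, since without it a forwarding-only key can tunnel to any host the SSH server can reach. The key material, hostnames and the audit function are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build a tunnel-only authorized_keys
# entry of the kind Andy describes and audit entries for the restrictions the
# approach relies on. Assumes OpenSSH authorized_keys option syntax
# (command=, no-pty, no-X11-forwarding, no-agent-forwarding, permitopen=).
# Key material and hostnames below are constructed placeholders.

# Emit an entry whose forced command only sleeps, so the key is useful for
# nothing but a port forward, and pin the forward to one destination.
#   $1 = tunnel destination "host:port"
#   $2 = public key line, e.g. "ssh-rsa AAAA... user@client"
tunnel_only_entry() {
    printf 'command="/bin/sleep 28800",no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="%s" %s\n' "$1" "$2"
}

# Audit one authorized_keys line. Prints each missing restriction on its own
# line and returns 1 if anything is missing, 0 if the entry is fully restricted.
# Without permitopen= a forwarding-only key can still tunnel to any host the
# SSH server can reach.
audit_entry() {
    line=$1
    case $line in
        ssh-*|ecdsa-*|sk-*) opts= ;;   # bare key with no options field
        *)
            # The options field is everything before the key type.
            opts=${line%% ssh-*}
            opts=${opts%% ecdsa-*}
            opts=${opts%% sk-*}
            ;;
    esac
    status=0
    for required in 'command=' no-pty no-X11-forwarding no-agent-forwarding 'permitopen='; do
        case $opts in
            *"$required"*) ;;
            *) echo "$required"; status=1 ;;
        esac
    done
    return $status
}

# Stand-alone demonstration with constructed entries.
key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE dev@client-host'
good=$(tunnel_only_entry 192.168.3.5:8080 "$key")
echo "hardened entry: $good"
for entry in "$good" \
             "command=\"/usr/local/bin/fossil\",no-X11-forwarding,no-agent-forwarding $key" \
             "command=\"/bin/sleep 28800\" $key" \
             "$key"; do
    if missing=$(audit_entry "$entry"); then
        echo "OK   : ${entry%% *}"
    else
        echo "WEAK : ${entry%% *} -> missing: $(echo "$missing" | tr '\n' ' ')"
    fi
done
```

Run it against a copy of the real authorized_keys one line at a time to see which entries still allow unrestricted forwarding; the audit only looks at the options field, so it treats a bare key (no options at all) as missing everything.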


_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users