Thus said Matt Welland on Sun, 21 Jul 2013 12:33:18 -0700:

> I think the ultimate usage I envision might be super-set of what Andy
> is describing but I'm not sure. Would the proposed mechanism enable
> the usage model I describe below?
What you described has additional ``features'' beyond what can currently be achieved with the ``fossil gate'' command I suggested. For example, the management of the keys, and associating an SSH key with specific Unix accounts, is all outside the scope of fossil at the moment. Also, I don't know if you are suggesting that an SSH key be somehow associated with a Fossil account---I don't think you are, but it's a little ambiguous. Finally, how would people manage the Fossil Privileges for a given fossil? Is there a command-line interface to managing Fossil Privileges and Capabilities?

The ``fossil gate'' command I suggested can already use a single SSH account to serve multiple fossils to multiple users. Each fossil has its own set of Privileges and Capabilities and its own set of users. I have the following SSH key setup in a guest account:

command="/home/guest/bin/fossil gate" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDqKI393xubO69Rs+Y6fbnxDpAgX5kTe31qWepFyfu08wxNj5iX57vNIYFIcC7bwKW4EHMakuEIYr2eDzXl3e1pXLzteFESISaZkXrmspNIMRh4oW/3LqV+pGXfimA//YlmbJOMzEHerSCTi+QG0O6LNyvjlZgJmP8dJgc0ktzw6nAVcpdFxwoNa+tQJb+g7wLHGRCsl9uvf6rfdzXVUm/tAtD/TyPITU7Ni2q7aTm/m8YKsXDUif91UP9XUH8phwwEucQa3MagtIcmUKJzrkuwHT+rr2K/0W8vpjO3iq3g7ejONqaTfqEW2Rc5uydYsc1B5IjsmPm0bVkbB3B6ZBxF amb

There are three fossil repositories in the guest account:

remote$ ls fossils/*.fossil
fossils/one.fossil  fossils/three.fossil  fossils/two.fossil

In one.fossil, my user is Developer. In two.fossil just a Reader. In three.fossil, my user has no Fossil Privileges. Now, let's clone them into my account:

local$ fossil clone -l amb ssh://guest@localhost/fossils/one.fossil one.fossil
password for amb:
remember password (Y/n)? y
Round-trips: 1   Artifacts sent: 0  received: 0
ssh -e none -T guest@localhost fossil http fossils/one.fossil
Round-trips: 2   Artifacts sent: 0  received: 1
ssh -e none -T guest@localhost fossil http fossils/one.fossil
Round-trips: 2   Artifacts sent: 0  received: 4
Clone finished with 556 bytes sent, 1183 bytes received
Rebuilding repository meta-data...
  100.0% complete...
project-id: f4e6229ef4d633a47de719d7bcea81704e746cc9
admin-user: amb (password is "34092e")

local$ fossil clone -l amb ssh://guest@localhost/fossils/two.fossil two.fossil
password for amb:
remember password (Y/n)? y
Round-trips: 1   Artifacts sent: 0  received: 0
ssh -e none -T guest@localhost fossil http fossils/two.fossil
Round-trips: 2   Artifacts sent: 0  received: 1
ssh -e none -T guest@localhost fossil http fossils/two.fossil
Round-trips: 2   Artifacts sent: 0  received: 4
Clone finished with 557 bytes sent, 1182 bytes received
Rebuilding repository meta-data...
  100.0% complete...
project-id: 39cd721ed396a117b9b0690bd4a4a1054155b511
admin-user: amb (password is "b0526a")

local$ fossil clone -l amb ssh://guest@localhost/fossils/three.fossil three.fossil
password for amb:
remember password (Y/n)? y
Round-trips: 1   Artifacts sent: 0  received: 0
ssh -e none -T guest@localhost fossil http fossils/three.fossil
Round-trips: 2   Artifacts sent: 0  received: 1
ssh -e none -T guest@localhost fossil http fossils/three.fossil
Error: login failed
missing or incorrect password for user "amb"

Ok, so that won't work because I don't have Fossil Privileges set up on that one, so let's try anonymous:

local$ fossil clone -l anonymous ssh://guest@localhost/fossils/three.fossil three.fossil
password for anonymous:
remember password (Y/n)? y
Round-trips: 1   Artifacts sent: 0  received: 0
ssh -e none -T guest@localhost fossil http fossils/three.fossil
Round-trips: 2   Artifacts sent: 0  received: 1
ssh -e none -T guest@localhost fossil http fossils/three.fossil
Round-trips: 2   Artifacts sent: 0  received: 4
Clone finished with 569 bytes sent, 1183 bytes received
Rebuilding repository meta-data...
  100.0% complete...
project-id: 3fc436b7ef6741a709f4d42087154ca4030727ac
admin-user: amb (password is "580433")

Can also do it as nobody:

local$ fossil clone -l nobody ssh://guest@localhost/fossils/three.fossil three.fossil
password for nobody:
remember password (Y/n)? y
Round-trips: 1   Artifacts sent: 0  received: 0
ssh -e none -T guest@localhost fossil http fossils/three.fossil
Round-trips: 2   Artifacts sent: 0  received: 1
ssh -e none -T guest@localhost fossil http fossils/three.fossil
Round-trips: 2   Artifacts sent: 0  received: 4
Clone finished with 563 bytes sent, 1183 bytes received
Rebuilding repository meta-data...
  100.0% complete...
project-id: 3fc436b7ef6741a709f4d42087154ca4030727ac
admin-user: amb (password is "ce26ce")

(Maybe don't want to prompt for password here.)

Notice that I'm able to access multiple fossil files with my SSH key and Fossil account. And, I can install as many SSH keys into the ``guest'' account as I like.

> This is a many-to-many with access controlled by scripts/lookup tables
> at the fossilscm account end.

So, I can do many-to-many now; what's lacking perhaps is lookup tables.

> Administration consists of:
>
> 1. Adding public key/user name combinations
> 2. Added users to the access lists

Here is where I'm confused. Does this mean that an SSH key identifies the user both to Unix and to Fossil? As for the access list, I assume you mean a mapping of which fossils a given SSH key can actually request?

Thanks for your feedback.
Andy
-- 
TAI64 timestamp: 4000000051ecbebf

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
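The exchange above turns on two separate layers: the sshd forced command (the `command="..."` prefix on the key) decides which `fossil http` invocation, if any, the key holder may run, and fossil's own user table then decides what that login may do inside the repository. What follows is an added illustration of the checks the first layer needs, written here as a standalone POSIX sh script; it is not the fossil project's code and not the ``fossil gate'' patch Andy refers to. It folds in Matt's per-key lookup table as a constructed access list. Everything specific to it is assumed: the script name fossil-gate.sh, the convention that the identity of the key is passed as the forced command's first argument, the GATE_ROOT directory, and the contents of the table. The only request shape it accepts is the one visible in the clone transcript (`fossil http fossils/<name>.fossil`).

```shell
#!/bin/sh
# Hypothetical forced-command gate for serving several fossil repositories
# from one Unix account (an added illustration, not fossil's own code and
# not the "fossil gate" command discussed in the thread).
# One line per key in ~guest/.ssh/authorized_keys, for example:
#   command="/home/guest/bin/fossil-gate.sh amb",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... amb
# The argument names the identity the key was installed under; sshd passes
# whatever the client asked to run in SSH_ORIGINAL_COMMAND, and the gate
# decides from those two values alone which repository, if any, to serve.

set -f                                   # never glob-expand a client-supplied request
GATE_ROOT="${GATE_ROOT:-/home/guest/fossils}"   # assumed location of the repositories

# Constructed access list (the "lookup table" from the thread): a key identity,
# then the repositories that identity may request. Anything not listed is denied.
GATE_ACL='
amb   one.fossil two.fossil
matt  two.fossil three.fossil
'

# gate_allowed ID REPO: succeeds only if REPO appears on ID's line of the table.
gate_allowed() {
    while read -r acl_id acl_repos; do
        [ "$acl_id" = "$1" ] || continue
        for acl_repo in $acl_repos; do
            [ "$acl_repo" = "$2" ] && return 0
        done
    done <<EOF
$GATE_ACL
EOF
    return 1
}

# gate_resolve ID "REQUEST": prints the repository path to serve, or fails.
# Only the exact form "fossil http fossils/<name>.fossil" is accepted.
gate_resolve() {
    gate_id=$1
    set -- $2                            # split the request into words (globbing is off)
    [ $# -eq 3 ] || { echo "gate: expected 'fossil http fossils/<name>.fossil'" >&2; return 1; }
    for w in "$@"; do                    # refuse shell metacharacters before looking further
        case "$w" in
            *[!A-Za-z0-9_./-]*) echo "gate: unexpected characters in request" >&2; return 1 ;;
        esac
    done
    [ "$1" = fossil ] && [ "$2" = http ] || { echo "gate: only 'fossil http' is served here" >&2; return 1; }
    case "$3" in
        fossils/*.fossil) gate_name=${3#fossils/}; gate_name=${gate_name%.fossil} ;;
        *) echo "gate: repositories live under fossils/" >&2; return 1 ;;
    esac
    # The bare name may contain no '/', '.' or anything else that could step
    # outside GATE_ROOT, so fossils/../x.fossil and fossils/a/b.fossil fail here.
    case "$gate_name" in
        ''|*[!A-Za-z0-9_-]*) echo "gate: bad repository name" >&2; return 1 ;;
    esac
    gate_allowed "$gate_id" "$gate_name.fossil" \
        || { echo "gate: $gate_id may not open $gate_name.fossil" >&2; return 1; }
    printf '%s/%s.fossil\n' "$GATE_ROOT" "$gate_name"
}

# Entry point when installed as the forced command: anything other than a
# resolvable request ends the session without fossil ever being started.
gate_main() {
    gate_repo=$(gate_resolve "$1" "${SSH_ORIGINAL_COMMAND:-}") || exit 1
    exec fossil http "$gate_repo"
}

case "${0##*/}" in fossil-gate.sh) gate_main "$@" ;; esac
```

The gate replaces the login shell for that key, so a key holder never gets an interactive session in the guest account, and the `no-pty,no-port-forwarding,...` options on the authorized_keys line close the other channels sshd would otherwise still offer. Passing the gate only gets the client as far as `fossil http` on the chosen file; the `login failed` seen for three.fossil in the transcript comes from fossil's own user table, which this script neither reads nor bypasses.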