On Sat, Aug 10, 2013 at 07:45:16PM -0600, Andy Bradford wrote:
> Thus said Richard Hipp on Sat, 10 Aug 2013 20:45:31 -0400:
>
> > (1) Put all of the Fossil repositories you want to share in a single
> > directory, say "/home/fossil/repos". Make sure all repository files
> > are named using the *.fossil pattern. (Technically, you can scatter
> > the repositories out in a directory hierarchy, but let's keep things
> > simple for now.)
> >
> > (2) Run "fossil server -port 8888 /home/fossil/repos"
>
> Instead, do steps 1 and 2. At this point, the user should do:
>
> ssh -L 4444:127.0.0.1:8888 freebsdhost
>
> And then they can clone from there:
>
> fossil clone http://user@127.0.0.1:4444/project
>
> This will encrypt the connection from their PC to freebsdhost. It will
> not have encrypted communication on port 8888, but the traffic is all on
> localhost.
>
>
> With the SSH changes I've been working on steps 1 and 2 are not required
> and they can clone this way instead:
>
> fossil clone -l username ssh://fossil@freebsdhost/repos/project.fossil project.fossil

Everything was working great until I tried to use the following in the
authorized_keys file for the user account hosting the Fossil repos:

    command="/usr/local/bin/fossil",no-X11-forwarding,no-agent-forwarding ssh-rsa <key> <user>@<client-host>

. . . because, of course, "ssh -L" is then prevented from working.

Is there a fairly simple way to prevent people from doing anything
unrelated to what a dev team member should be able to do that still
allows me to use this approach to granting encrypted Fossil access?

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
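
An added example, not part of the original message and not Fossil or OpenSSH code: a small Python audit that parses authorized_keys option fields like the one above and reports which restrictions an entry lacks. It relies on OpenSSH's documented option syntax, including permitopen (which limits where "ssh -L" may connect); the key entries are constructed, and the tunnel-only entry with its /bin/false forced command and port 8888 destination (from the quoted "fossil server" step) is an illustrative assumption.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def split_options(line):
    """Return (option fields, rest of line); commas/spaces inside "..." are literal."""
    line = line.strip()
    if line.startswith(KEY_TYPES):           # entry has no options field
        return [], line
    fields, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 1        # \" is an escaped quote inside a value
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            fields.append(cur)
            cur = ""
        elif ch.isspace() and not quoted:
            break                            # first unquoted space ends the options
        else:
            cur += ch
        i += 1
    fields.append(cur)
    return fields, line[i:].strip()

def audit(line):
    """List the restrictions one authorized_keys entry is missing."""
    opts = {}
    for field in split_options(line)[0]:
        name, _, value = field.partition("=")
        opts.setdefault(name.lower(), []).append(value)  # keywords are case-insensitive
    restricted = "restrict" in opts          # "restrict" turns off pty and all forwarding
    findings = []
    if "command" not in opts:
        findings.append("no forced command")
    if "pty" in opts or not (restricted or "no-pty" in opts):
        findings.append("pty allowed")
    fwd_off = "no-port-forwarding" in opts or (restricted and "port-forwarding" not in opts)
    if not fwd_off and "permitopen" not in opts:
        findings.append("forwarding not limited by permitopen")
    return findings

# Constructed sample entries; key material and comments are placeholders.
PAGE_STYLE = ('command="/usr/local/bin/fossil",no-X11-forwarding,no-agent-forwarding '
              'ssh-rsa AAAAconstructed dev@client-host')
TUNNEL_ONLY = ('command="/bin/false",no-pty,no-X11-forwarding,no-agent-forwarding,'
               'permitopen="127.0.0.1:8888" ssh-rsa AAAAconstructed dev@client-host')

if __name__ == "__main__":
    print(audit(PAGE_STYLE), audit(TUNNEL_ONLY))
```

The audit only reads the option field; it does not predict what the forced command itself does once a session starts.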