On Sat, Aug 10, 2013 at 07:45:16PM -0600, Andy Bradford wrote:
> Thus said Richard Hipp on Sat, 10 Aug 2013 20:45:31 -0400:
> 
> > (1) Put all of  the Fossil repositories you want to  share in a single
> > directory, say  "/home/fossil/repos". Make  sure all  repository files
> > are named  using the *.fossil  pattern. (Technically, you  can scatter
> > the repositories out  in a directory hierarchy, but  let's keep things
> > simple for now.)
> > 
> > (2) Run "fossil server -port 8888 /home/fossil/repos"
> 
> Instead, do steps 1 and 2.  At this point, the user should do:
> 
> ssh -L 4444:127.0.0.1:8888 freebsdhost
> 
> And then they can clone from there:
> 
> fossil clone http://user@127.0.0.1:4444/project
> 
> This will encrypt  the connection from their PC to  freebsdhost. It will
> not have encrypted communication on port 8888, but the traffic is all on
> localhost.
> 
> 
> With the SSH changes I've been working on, steps 1 and 2 are not required
> and they can clone this way instead:
> 
> fossil clone -l username ssh://fossil@freebsdhost/repos/project.fossil project.fossil

Everything was working great until I tried to use the following in the
authorized_keys file for the user account hosting the Fossil repos:

    command="/usr/local/bin/fossil",no-X11-forwarding,no-agent-forwarding
    ssh-rsa <key> <user>@<client-host>

. . . because, of course, "ssh -L" is then prevented from working.  Is
there a fairly simple way to prevent people from doing anything
unrelated to what a dev team member should be able to do that still
allows me to use this approach to granting encrypted Fossil access?

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
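For the question above (keeping a forced command in authorized_keys while the ssh:// clone path still works), here is an added example, my own sketch rather than anything from the thread or the Fossil project: a small wrapper that sshd runs in place of fossil, accepting only the transport subcommand on a repository under /home/fossil/repos. The wrapper path /usr/local/bin/fossil-gate, the http/test-http subcommand names, and the use of permitopen to pin any tunnel to 127.0.0.1:8888 are assumptions; a tunnel-only session (ssh -N -L ...) requests no command, so with OpenSSH it never reaches the wrapper and is bounded by permitopen alone.

```shell
#!/bin/sh
# fossil-gate: forced-command wrapper for the account hosting the Fossil repos.
# Intended authorized_keys line (hypothetical wrapper path, adapted from the thread):
#   command="/usr/local/bin/fossil-gate",no-X11-forwarding,no-agent-forwarding,permitopen="127.0.0.1:8888" ssh-rsa <key> <user>@<client-host>
# sshd exposes the client's requested command in SSH_ORIGINAL_COMMAND.
set -f   # no pathname expansion while we split the command into words

REPO_ROOT=/home/fossil/repos
FOSSIL=/usr/local/bin/fossil

# Return 0 only for "fossil <transport-subcommand> [flags] <repo under REPO_ROOT>".
fossil_cmd_allowed() {
    case $1 in
        *[\;\&\|\$\`\(\)\<\>]*|*..*) return 1 ;;  # shell metacharacters, path climbing
    esac
    set -- $1                     # split into words; IFS is the default
    [ "$1" = fossil ] || return 1
    case $2 in
        http|test-http) ;;        # assumed: the subcommands an ssh:// clone invokes
        *) return 1 ;;
    esac
    shift 2
    for arg in "$@"; do
        case $arg in
            -*) ;;                              # plain flags pass
            "$REPO_ROOT"/*.fossil) ;;           # a repository inside the shared dir
            *) return 1 ;;
        esac
    done
    return 0
}

# Dispatch: only reached on a real forced-command session.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if fossil_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        shift                             # drop the leading "fossil"
        exec "$FOSSIL" "$@"               # pinned binary, no shell re-parse
    fi
    echo "fossil-gate: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Rejections land on stderr, so they show up in the client's ssh output and in sshd's session log rather than silently failing.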