Re: [fossil-users] Using ssh forced command

2013-02-13 Thread Sverre Bisgaard Rasmussen

On Wed, 13 Feb 2013 00:30:40 +0100, Rene renew...@xs4all.nl wrote:
I have a repository on a machine say sunny.
- I have a login account on sunny and my login is renez
- I have two persons, Joe and Deb, who want to use a repo of mine.
- We all work in a big network where only port 22, 80 and 443 are open.
- I don't have a web server running on sunny.
- Or a web server is running on sunny but I'm not allowed to use it.

My problem is I only want Joe and Deb to access the repo.

[...]
I had this problem once and solved it by adding Joe and Deb to a new group  
and then enabling rw-rights on the repository for the group. That meant  
that they could use their own credentials to access the repository. I  
suppose Joe and Deb have user access at sunny?

I don't know if you could use that special ssh feature. It depends on how  
fossil uses the ssh connection, I guess. I am curious, as well, if it  
could be done.
--
Sverre
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
[fossil-users] Using ssh forced command

2013-02-12 Thread Rene

I have a repository on a machine say sunny.
- I have a login account on sunny and my login is renez
- I have two persons, Joe and Deb, who want to use a repo of mine.
- We all work in a big network where only port 22, 80 and 443 are open.
- I don't have a web server running on sunny.
- Or a web server is running on sunny but I'm not allowed to use it.

My problem is I only want Joe and Deb to access the repo.

If they give me their public key then they are allowed to log on to my 
account. Not what I want.

There is an ssh feature called forced command.

I generate two key pairs, one for Deb and one for Joe, without a 
passphrase, and hand the private keys to them.

I prefix the public key in .ssh/authorized_keys with a command string 
like

  command=path/to/fossil http ssh-rsa KEY comment

Apparently no other command will be executed. (Of course, if you have a 
shell escape in the forced command then still everything can go wrong.)

Here is the fantasy part:

They connect with the url ssh://renez@sunny/work/develop.fossil.
But we know that it is Joe or Deb knocking on the door to get access 
to the repo, because of the key used to identify them.

I could make the forced command in Joe's public key line:
  command=path/to/fossil http --ssh-user Joe ssh-rsa KEY comment

and fossil could check if it is running under a forced command because 
the environment variable $SSH_ORIGINAL_COMMAND is set with the command given.
This commit or whatever should be registered under Joe's credentials or 
refused if his credentials are too low.


note:
It is probably better to make the forced command a wrapper script that 
checks if the sent command is indeed fossil being requested. If not then exit.

--
Rene
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
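As an added example (not code from this thread or from the fossil project), here is a wrapper script of the kind Rene's note suggests: it is installed as the forced command for Joe's or Deb's key, inspects $SSH_ORIGINAL_COMMAND, and only execs fossil when the request is exactly `fossil http <repo>` for a repository under an allowed directory. The fossil binary path, the repository directory and the assumption that the client sends an absolute repository path are placeholders; Rene's proposed `--ssh-user` option is not a real fossil flag, so the per-key name given as the wrapper's argument is only used for logging here.

```shell
#!/bin/sh
# fossil-wrapper: forced-command guard for fossil over ssh (added example).
# authorized_keys line (one per person, all real OpenSSH options):
#   command="/path/to/fossil-wrapper Joe",no-pty,no-port-forwarding,no-agent-forwarding ssh-rsa KEY comment
LC_ALL=C; export LC_ALL
FOSSIL=${FOSSIL:-/usr/local/bin/fossil}        # placeholder path
REPO_DIR=${REPO_DIR:-/home/renez/work}          # placeholder directory

# check_command "ORIGINAL_COMMAND"
# Prints the repository path and returns 0 only for a request of the exact
# form "fossil http /abs/path/under/REPO_DIR/name.fossil"; returns 1 otherwise.
check_command() {
    cmd=$1
    # Whitelist characters first: anything else (; | & $ ` < > * ? quotes ...)
    # cannot be part of a legitimate request and is refused outright.
    if printf '%s' "$cmd" | grep -q '[^A-Za-z0-9/._ -]'; then
        return 1
    fi
    set -- $cmd                      # safe: no glob characters survive the whitelist
    [ $# -eq 3 ] || return 1         # exactly: <fossil> http <repo>
    case $1 in
        fossil|*/fossil) ;;
        *) return 1 ;;
    esac
    [ "$2" = "http" ] || return 1
    repo=$3
    case $repo in
        *..*) return 1 ;;            # no directory traversal
        "$REPO_DIR"/*.fossil) ;;     # must be a repository under the allowed directory
        *) return 1 ;;
    esac
    printf '%s\n' "$repo"
}

# Entry point when run by sshd as the forced command: the key owner's name is
# the single argument, the client's real request is in SSH_ORIGINAL_COMMAND.
if [ $# -ge 1 ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    key_owner=$1
    if repo=$(check_command "$SSH_ORIGINAL_COMMAND"); then
        printf 'fossil-wrapper: %s -> %s\n' "$key_owner" "$repo" >&2
        exec "$FOSSIL" http "$repo"
    fi
    printf 'fossil-wrapper: refused request from %s: %s\n' "$key_owner" "$SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```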