Re: need a restricted shell
> I am looking for a shell that will allow Subversion to be run over ssh but not allow interactive login or if it allows interactive login, will only allow Subversion commands to be run... Any ideas on how to accomplish this?

Hi Chad,

You could install the shells/scponly port and build it with its chroot option (i.e. sudo make -DWITH_SCPONLY_CHROOT install). Don't run the `make clean` just yet, because you will need the setup_chroot.sh script, which is inside the work/scponly-port_version directory. Use the script to create a chroot directory. Then populate this new chroot directory with the files required by the commands and libraries which you want to give to your users (such as Subversion).

Next, use vipw(8) to assign /usr/local/sbin/scponlyc as the shell and the chroot directory for the user(s) which you want to limit only to your Subversion commands. Assign a password to those users, then test if you can connect and use the Subversion commands.

Basically, this is Hack number 63 on page 269 in the book BSD Hacks: 100 Industrial-Strength Tips & Tools by Dru Lavigne, published by O'Reilly (ISBN: 0-596-00679-9).

Also, to further restrict access to your machine, configure sshd(8) to allow only a limited subset of users. See AllowUsers and AllowGroups in sshd_config(5) for this.

Finally, if you happen to know the origin of the connections, then configure TCP_WRAPPERS via /etc/hosts.allow to limit ssh connections. See hosts_access(5) and section 14.6 of the FreeBSD Handbook for info on how to set this up.

Alright, if you have any questions, please be my guest and send them up to me.

Cheers!

David
--
David Robillard
UNIX systems administrator
Oracle DBA
CISSP, RHCE
Sun Certified Security Administrator
Montreal: +1 514 966 0122

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
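An added example (not part of David's reply) that checks the sshd_config side of his advice: whether logins are limited with AllowUsers/AllowGroups at all, and whether a given account is on the AllowUsers list. The config fragment it reads is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: check that sshd_config limits
# logins with AllowUsers/AllowGroups, as David suggests, and that a
# given account is on the list. The config below is a constructed sample.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sshd_config fragment
Port 22
AllowUsers admin svn@192.0.2.10
AllowGroups wheel
EOF

# Return 0 if at least one AllowUsers or AllowGroups line is present,
# meaning sshd admits only the listed accounts; 1 if neither is set
# (then every account with a valid shell and password may log in).
sshd_restricts_logins() {
    awk 'tolower($1)=="allowusers" || tolower($1)=="allowgroups" {found=1}
         END {exit found ? 0 : 1}' "$1"
}

# Return 0 if the user is named in any AllowUsers line, as a bare name or
# in user@host form; AllowUsers directives accumulate, so all are scanned.
sshd_allows_user() {
    # $1 = config path, $2 = account name
    for entry in $(awk 'tolower($1)=="allowusers" {for (i=2;i<=NF;i++) print $i}' "$1"); do
        case "$entry" in "$2"|"$2@"*) return 0 ;; esac
    done
    return 1
}

# Stand-alone use: report on the sample config.
if sshd_restricts_logins "$SAMPLE_CONFIG"; then
    echo "logins restricted; svn allowed: $(sshd_allows_user "$SAMPLE_CONFIG" svn && echo yes || echo no)"
fi
```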
Re: need a restricted shell
On Wed, Sep 06, 2006 at 02:55:25PM -0600, Chad Leigh -- Shire.Net LLC wrote:

> I am looking for a shell that will allow Subversion to be run over ssh but not allow interactive login or if it allows interactive login, will only allow Subversion commands to be run... Any ideas on how to accomplish this? I have been looking at various shell lists in ports but nothing popped out as obvious to me

I have done this in the following way:

Create a dedicated user, for example, svn. This user will own the repository. If you intend to allow normal users to access the repository from accounts on the server box, you'll need an svn group, as well. From your question, though, I get the impression this isn't what you intend, so I'll ignore that possibility.

For each user, copy their public key to the svn user's .ssh/authorized_keys file, prepending each one with:

    command=/usr/local/bin/svnserve -t --tunnel-user=username -r /path/to/your/repository/root,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty

Obviously, you'll need to put the appropriate user's name in place of username, above. It is used by the server to record who does what, so that there is no real need for each of your developers to have an account on the server.

By specifying the command to be run with each key, you tell sshd not to allow any other type of activity, so there is no real need for a restricted shell. However, other suggestions about limiting which IPs can connect and which users (in this case, make sure svn is included in the list of usernames!) are valid.

Each client will need to set up a new scheme for connecting to the svn account at the server box. Something like this in each developer's ~/.subversion/config should do the trick:

    [tunnels]
    mysvn = $MYSVN_SSH ssh -l svn

If set, $MYSVN_SSH will be evaluated instead of running the ssh command. See the documentation for how this might be useful (I can't remember...)

Now, in order to connect, your clients will need to specify the path to the repository like this:

    svn+mysvn://host.name/path/to/project

If you have any clients who use TortoiseSVN, they will need to specify the scheme differently:

    svn+ssh://[EMAIL PROTECTED]/path/to/project

(Unless, of course, you can find some way for them to also use custom tunnels.)

It takes a little work to set up, but when it is running, it works well.

Dan
--
Daniel Bye
PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
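An added example (not Dan's own code) that generates the forced-command authorized_keys entries his reply describes and audits an existing file for keys that lack them. The svnserve path and repository root are taken from the reply; the key material in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: generate and audit the
# forced-command authorized_keys entries Dan describes for the svn
# account. SVNSERVE, REPO_ROOT and any test key are constructed values.
SVNSERVE=/usr/local/bin/svnserve
REPO_ROOT=/path/to/your/repository/root

# Print one authorized_keys line for a developer: sshd will run only
# svnserve for this key, and the no-* options refuse tunnels and a tty.
# The command string must be double-quoted because it contains spaces.
svn_authkey_line() {
    # $1 = name recorded by svn via --tunnel-user, $2 = the public key
    printf 'command="%s -t --tunnel-user=%s -r %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$SVNSERVE" "$1" "$REPO_ROOT" "$2"
}

# Audit an authorized_keys file: return 0 only when every key line has
# a forced command and all four no-* options; print any line that
# would give the svn account's full shell or a forwarding channel.
audit_authkeys() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        for opt in 'command="' no-port-forwarding no-agent-forwarding \
                   no-X11-forwarding no-pty; do
            case "$line" in
                *"$opt"*) ;;
                *) echo "UNRESTRICTED ($opt missing): $line"; rc=1; break ;;
            esac
        done
    done < "$1"
    return $rc
}
```

Run `audit_authkeys ~svn/.ssh/authorized_keys` after adding developers; a non-zero exit means some key still permits more than svnserve.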
Re: need a restricted shell
On Sep 7, 2006, at 7:35 AM, David Robillard wrote:

>> I am looking for a shell that will allow Subversion to be run over ssh but not allow interactive login or if it allows interactive login, will only allow Subversion commands to be run... Any ideas on how to accomplish this?
>
> Hi Chad,
>
> You could install the shells/scponly port and build it with its chroot option (i.e. sudo make -DWITH_SCPONLY_CHROOT install). Don't run the `make clean` just yet, because you will need the setup_chroot.sh script, which is inside the work/scponly-port_version directory.

Thanks to David and all who responded. I will give this a shot.

Thanks
Chad
---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
need a restricted shell
I am looking for a shell that will allow Subversion to be run over ssh but not allow interactive login or if it allows interactive login, will only allow Subversion commands to be run... Any ideas on how to accomplish this? I have been looking at various shell lists in ports but nothing popped out as obvious to me.

Thanks
Chad
---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
Re: need a restricted shell
On 6 September 2006, at 15:55, Chad Leigh -- Shire.Net LLC wrote:

> I am looking for a shell that will allow Subversion to be run over ssh but not allow interactive login or if it allows interactive login, will only allow Subversion commands to be run... Any ideas on how to accomplish this?

I don't know about FBSD, but check if rssh is in the ports (I can't atm):

    [EMAIL PROTECTED] ~]$ pacman -Ss scp
    current/rssh 2.3.2-1
        A restricted shell for use with OpenSSH, allowing only scp and/or sftp

I bet this would do what you're saying.

> I have been looking at various shell lists in ports but nothing popped out as obvious to me
>
> Thanks
> Chad
> ---
> Chad Leigh -- Shire.Net LLC
> Your Web App and Email hosting provider
> chad at shire.net