I'm sure there are plenty of folks on this list and elsewhere that will give
you more comprehensive advice than I, but for starters make sure the user is
*not* in the "users" group. Restricted accounts are typically put in a
group called "nobody", "nogroup" or better yet in a group of their own with
the same name. Most inetd services are set up this way so that if they
become compromised, the attacker will have only limited rights on the
system. If you configure your svnuser similarly to the way the apache user
is configured, you should be doing OK.
From there you'll probably need to tinker with it to get the ssh session to
work. For instance I *think* it will probably need a home directory for the
shell to start in. You could try making it's home dir /dev/null - saving
files will be blazing fast - but I don't know if that will work.
Unfortunately my Linux box got "re-assigned" so I'm not able to try any of
this out.
Best of luck.
----- Original Message -----
From: "Andy Helten" <andy.helten@dot21rts.com>
To: "Ed MacDonald" <edmacdonald@hotmail.com>
Cc: <users@subversion.tigris.org>
Sent: Thursday, July 29, 2004 6:21 PM
Subject: Re: Error checking out large repository -- illegal padding
>
>
> Ed MacDonald wrote:
>
> >If encryption is the only thing holding you back from using svnserve and
the
> >svn:// protocol, and you are worried about security setting up a bunch of
> >system accounts, you could try this.
> >
> >1. Create 1 system account. Lock it down so that it has can open an ssh
> >shell, but nothing else.
> >2. Give the account info to your users and have them set up an ssh tunnel
> >for the svnserv port:
> > ssh -L 3690:host.example.com:3690
> >3. Set up svnserve users db as normal.
> >4. Pretend svnserve is local and proceed as normal:
> > svn co svn://localhost/myrepo
> >
> >SSH will encrypt the traffic to the server for you, and you'll be using
> >svnserve for auth/auth.
> >
> >
> >
>
> Thanks! I will give this a try. The only step I may have a problem
> with is locking down a user account so that it can only access ssh. Is
> this documented somewhere for Linux?
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Jul 30 04:16:28 2004