Mads B. Tandrup wrote:
> Duncan Booth wrote:
>> The hook would be running as the apache user on the subversion
>> server, so the 'svn up' needs to be kicked off as a different user. I
>> would rather not trust the apache user from the svn server further
>> than necessary, so I would like some solution which allows a specific
>> command to be run but not others: maybe ssh+sudo, or should that be
> Have a look at the OpenSSH sshd documentation. Under "AUTHORIZED_KEYS
> FILE FORMAT" you'll find the following option:
> Specifies that the command is executed whenever this key is used
> for authentication. The command supplied by the user (if any) is
> ignored. The command is run on a pty if the client requests a
> pty; otherwise it is run without a tty. If an 8-bit clean channel
> is required, one must not request a pty or should specify no-pty.
> A quote may be included in the command by quoting it with a
> backslash. This option might be useful to restrict certain public
> keys to perform just a specific operation. An example might
> be a key that permits remote backups but nothing else. Note that
> the client may specify TCP and/or X11 forwarding unless they are
> explicitly prohibited. Note that this option applies to shell,
> command or subsystem execution.
> So you will be able to generate an SSH key for your Apache server
> which only supports doing an "svn up /foo/bar".
Ok, I think I now have this working. The post-commit hook script uses the
following ssh command:
/usr/bin/ssh -x -n -o BatchMode=yes -i <path to id file> <user>@<remote host> post-commit $REPOS $REV
(with obvious substitutions for bits in angle brackets). For some reason I
don't quite understand, until I added the BatchMode option the commit kept
hanging even though it shouldn't be prompting for a password.
On the remote system, /home/<user>/.ssh/authorized_keys looks like:
forwarding ssh-dss ...
and the hook script itself can get at the arguments (if it should need
them) in $SSH_ORIGINAL_COMMAND
That seems to meet my wishes quite nicely: the explicit id file means I can
link different repositories to different hook scripts on the remote machine
and tie each one down to a specific command.
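As an added example (not code from the thread), here is a remote-side wrapper that the forced command in authorized_keys could point at; it only honours a well-formed "post-commit <repo> <rev>" request and refuses everything else. The script path, the extra key options and the repository-to-working-copy table are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the remote-side wrapper that the
# forced command in authorized_keys runs. The key line is assumed to be
# (one line, key material omitted; script path and options are assumptions):
#   command="/home/svnuser/bin/hook-gate",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAA...
# sshd ignores what the client asked for, runs this script, and leaves the
# client's request in $SSH_ORIGINAL_COMMAND. Only "post-commit <repo> <rev>"
# with a known repo and a numeric revision is accepted, so the apache user on
# the svn server can trigger exactly one 'svn up' per repo and nothing else.

# Hypothetical repository -> working copy table; the caller can only pick
# one of these names.
wc_for_repo() {
    case "$1" in
        /srv/svn/website) echo /var/www/site ;;
        /srv/svn/docs)    echo /var/www/docs ;;
        *) return 1 ;;
    esac
}

# Validate the raw request in "$1". On success prints "<workingcopy> <rev>"
# and returns 0; on any deviation returns 1 without printing.
check_request() {
    # Whitelist characters first: no shell metacharacters, tabs or newlines.
    case "$1" in
        *[!\ A-Za-z0-9/_.-]*) return 1 ;;
    esac
    set -- $1                              # split into words
    [ "$#" -eq 3 ] || return 1
    [ "$1" = post-commit ] || return 1
    workcopy=$(wc_for_repo "$2") || return 1
    case "$3" in
        ''|*[!0-9]*) return 1 ;;           # revision must be digits only
    esac
    echo "$workcopy $3"
}

# Entry point when invoked by sshd; skipped when sourced for testing.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if args=$(check_request "$SSH_ORIGINAL_COMMAND"); then
        set -- $args
        logger -t hook-gate "updating $1 to r$2"
        exec /usr/bin/svn up -r "$2" "$1"
    fi
    logger -t hook-gate "rejected request: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Rejected requests are written to syslog via logger, so an unexpected caller shows up in the logs rather than silently failing.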
Received on Fri May 5 11:45:02 2006