On 26.07.2010 13:27, Nico Kadel-Garcia wrote:
> The svnuser has its password locked and unusable, and its shell set
> to /sbin/nologin. The SSH clients have their public SSH keys set,
> ideally public keys used for this alone though that's hard to enforce,
> and the keys are used for the svnuser's "authorized_keys" file to run
> the svnserve command with the "--user" option. This is the typical
> syntax, from the Subversion book, with "TYPE1 KEY1" being copied from
> the SSH key for "harry".
>
> command="svnserve -t --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 harry_at_example.com

OK, thanks for pointing me to the manual. So let me summarize:

1. One ssh account is needed.
2. Via public keys I can identify different users. One keypair is needed
for each user, and the public key has to be in the authorized_keys file of
the ssh account.
3. I can disable all different task models via the authorized_keys file but
leave the ssh user as it is (for svn-unrelated jobs).
4. Fine-grained access restriction is possible via authz-db.

So, this is still a bunch of work, but seems doable.
Thanks so far
ciao
Ulf
Received on 2010-07-26 16:47:11 CEST
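
An added example, not part of the original thread: a small Python audit of the shared account's authorized_keys file that checks every key is pinned to `svnserve -t` with a `--tunnel-user` and carries the four restrictions from the quoted entry. The function names and the sample file are constructed for illustration, and the key-type prefixes are those of real keys rather than the `TYPE1` placeholder.

```python
import re

# Restrictions from the quoted entry; sshd matches option names case-insensitively.
REQUIRED = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)")  # prefixes of real key type names

def split_unquoted(text, seps, limit=-1):
    """Split text on any char in seps that sits outside double quotes."""
    parts, cur, quoted = [], "", False
    for i, ch in enumerate(text):
        if ch == '"' and text[i - 1:i] != "\\":
            quoted = not quoted
        if ch in seps and not quoted and limit != 0:
            parts.append(cur)
            cur, limit = "", limit - 1
        else:
            cur += ch
    return parts + [cur]

def audit_line(line):
    """Return (tunnel_user, problems) for one authorized_keys entry."""
    if KEY_TYPE.match(line):  # entry starts with the key type, so it has no options
        return None, ["no options: key is not restricted to svnserve"]
    opts = split_unquoted(split_unquoted(line, " \t", 1)[0], ",")
    cmd = next((o[9:-1] for o in opts if o.lower().startswith('command="')), "")
    user = re.search(r"--tunnel-user=(\S+)", cmd)
    problems = []
    if not re.match(r"svnserve\s+-t(\s|$)", cmd):
        problems.append("forced command is not svnserve -t")
    elif not user:
        problems.append("no --tunnel-user in forced command")
    missing = REQUIRED - {o.lower() for o in opts}
    if missing:
        problems.append("missing " + ",".join(sorted(missing)))
    return (user.group(1) if user else None), problems

def audit(text):
    """Audit every non-comment line; returns [(line_no, tunnel_user, problems)]."""
    return [(n, *audit_line(line.strip()))
            for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.lstrip().startswith("#")]

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = '''\
# authorized_keys of the shared svn account (constructed)
command="svnserve -t --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA_CONSTRUCTED_1 harry@example.com
command="svnserve -t --tunnel-user=sally",no-port-forwarding,no-pty ssh-ed25519 AAAA_CONSTRUCTED_2 sally@example.com
ssh-rsa AAAA_CONSTRUCTED_3 admin@example.com
command="svnserve -t",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA_CONSTRUCTED_4 joe@example.com
'''

if __name__ == "__main__":
    for n, user, problems in audit(SAMPLE):
        print(n, user, problems or "ok")
```

An entry without a forced command gives its key holder whatever the account itself can do, and one without `--tunnel-user` leaves svnserve without the per-user name that the authz rules are meant to match.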