On Mon, Jul 26, 2010 at 10:46 AM, Ulf Seltmann <seltmann_at_digitalzone.de> wrote:
> On 26.07.2010 13:27, Nico Kadel-Garcia wrote:
>>
>> The svnuser has its password locked and unusable, and its shell set
>> to /sbin/nologin. The SSH clients have their public SSH keys set,
>> ideally public keys used for this alone though that's hard to enforce,
>> and the keys are used for the svnuser's "authorized_keys" file to run
>> the svnserve command with the "--user" option. This is the typical
>> syntax, from the Subversion book, with "TYPE1 KEY1" being copied from
>> the SSH key for "harry".
>>
>> command="svnserve -t --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 harry@example.com
>
> Ok, thanks for pointing me to the manual. So let me summarize:
>
> 1. One ssh-account is needed.
> 2. Via public keys I can identify different users. One keypair is needed for
> each user and the public key has to be in the authorized_keys file of the
> ssh-account.
> 3. I can disable all different task models via the authorized_keys file but
> leave the ssh user as it is (for svn-unrelated jobs).
> 4. Fine-grained access restriction is possible via the authz-db.
>
> So, this is still a bunch of work, but seems doable
>
> thanks so far

No problem. The manual could use some detail on this setup: I'm afraid
that many of the subversion "guidelines" are mere outlines, easily
mistaken by someone not skilled or experienced in identifying enemy
warships on the horizon. The svn+ssh guideline is one of them,
particularly because it leaves the ideal configuration at the bottom
of the list and builds up to it, rather than giving the answer first
and breaking down why the components are in it. The result is new
readers or new users getting bogged down in the first few limited and
non-ideal examples.
You still don't need to leave svnssh with a shell. If you have sudo
access, you can use 'sudo -s -H -u svnssh' and log in as yourself or
as an admin and still gain shell access as the locked svnssh user.
Received on 2010-07-27 04:37:30 CEST
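As an added check that is not part of this thread or of the Subversion project: a small Python audit of the authorized_keys entries for the svn+ssh forced-command setup discussed above. It confirms that each key line carries the svnserve tunnel command and the four restriction options from the book's example, and flags lines that would still hand the shared svn account a shell or a pty. The sample entries and key blobs are constructed placeholders, not real keys.

```python
import re

# Restrictions the Subversion book's svn+ssh example attaches to every key.
REQUIRED_OPTIONS = {"no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", "no-pty"}
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-")
TUNNEL_RE = re.compile(r'^command="svnserve -t --tunnel-user=([A-Za-z0-9_.-]+)"$')

def make_entry(user, key_type, key_blob):
    """Build the forced-command line for one Subversion user's public key."""
    opts = [f'command="svnserve -t --tunnel-user={user}"'] + sorted(REQUIRED_OPTIONS)
    return f'{",".join(opts)} {key_type} {key_blob} {user}'

def split_options(line):
    """Return (options, rest); options are split on commas outside double quotes."""
    if line.startswith(KEY_TYPES):            # entry carries no options field
        return [], line
    opts, cur, quoted = [], "", False
    for i, ch in enumerate(line):
        quoted ^= ch == '"'
        if ch.isspace() and not quoted:        # first unquoted space ends the field
            return opts + [cur], line[i:].strip()
        if ch == "," and not quoted:
            opts.append(cur); cur = ""
        else:
            cur += ch
    return opts + [cur], ""                    # options but no key material

def check_entry(line):
    """List what is wrong with one authorized_keys entry; an empty list means fine."""
    opts, _rest = split_options(line.strip())
    problems = []
    cmds = [o for o in opts if o.startswith("command=")]
    if len(cmds) != 1 or not TUNNEL_RE.match(cmds[0]):
        problems.append("no 'svnserve -t --tunnel-user' forced command")
    missing = REQUIRED_OPTIONS - set(opts)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    return problems

# Constructed sample authorized_keys content; the key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    make_entry("harry", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIFAKEHARRY"),
    "no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKESALLY sally",  # no forced command
    'command="svnserve -t --tunnel-user=joe",no-port-forwarding,no-agent-forwarding,'
    "no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EFAKEJOE joe",          # pty still allowed
])

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(check_entry(line) or "OK")
```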