* Eric G. Miller (egm2@jps.net) spake thusly:
> On Tue, 27 Nov 2001 10:14:21 -0600
> Dimitri Maziuk <[EMAIL PROTECTED]> wrote:
> [snip]
> > Yes, pserver sends everything in the clear and all that.
> > Edit /etc/shadow and set your cvsuser's password to NP
> > (or whatever Debian uses to disable logins). Let your
> > users download the *private* key of cvsuser. Set up cvsuser
> > account so that ssh logins can only run cvs.
>
> Don't you mean the *public* key? In fact, don't you want
> the server to have the public key of the user, and then that
> user has to use their private key and their passphrase to
> authenticate themselves to the CVS server via ssh? I'm on
> the user end of such a setup, and I don't have any key for
> the server but it does have my public key. Use ssh-agent
> to manage authentication/passphrase...

I meant what I said: private key. If you want joe to login to
cvsuser acct. via ssh with key-based auth., cvsuser must have
joe's public key in his authorized_keys[2] file.

One way of doing that is to add *a* public key to cvsuser's
authorized_keys, and to let joe download corresp. *private* key
(& use that to login).

Another way is to get joe's public key and add it to cvsuser's
authorized_keys.

We do the latter because we want to be able to cut people off
(by removing their key from authorized_keys). This way requires
a bit more administration, and is not truly anonymous.

The former method is anonymous (everyone uses the same key), and
is a bit less hassle: you don't have to collect users' keys & add
them to authorized_keys (that can be a PITA if you have hundreds
of users).

Dima
-- 
The wombat is a mixture of chalk and clay used for respiration.
                                                     -- MegaHal
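
Added example, not part of either message: a Python check of cvsuser's authorized_keys for the two properties discussed above, that every key is confined to running cvs and that one user can be cut off by removing their key. It assumes the forced command is "cvs server", that each key's comment field names its owner, and that every key line is well formed; the sample file and key blobs are constructed.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")      # prefixes of OpenSSH key type names
REQUIRED = {"no-port-forwarding", "no-x11-forwarding",
            "no-agent-forwarding", "no-pty"}
FORCED = "cvs server"                      # assumed forced command for CVS over ssh

def split_unquoted(text, sep_class):
    """Split on separators (a regex class body) that are outside double quotes."""
    return re.findall(r'(?:"(?:\\.|[^"\\])*"|[^%s])+' % sep_class, text)

def parse_entry(line):
    """Return (options dict, key type, key blob, comment) for one key line."""
    fields = split_unquoted(line.strip(), r"\s")
    opts = {}
    if not fields[0].startswith(KEY_TYPES):        # leading field is the option list
        for item in split_unquoted(fields.pop(0), ","):
            name, _, value = item.partition("=")
            opts[name.lower()] = value.strip('"')  # option names are case-insensitive
    return opts, fields[0], fields[1], " ".join(fields[2:])

def is_key_line(line):
    return bool(line.strip()) and not line.lstrip().startswith("#")

def audit(text):
    """Map each key's comment to the restrictions that entry is missing."""
    report = {}
    for line in filter(is_key_line, text.splitlines()):
        opts, _, _, comment = parse_entry(line)
        problems = [] if opts.get("command") == FORCED else ["no forced cvs command"]
        if "restrict" not in opts:                 # newer OpenSSH: one option disables all
            problems += sorted(REQUIRED - set(opts))
        report[comment] = problems
    return report

def revoke(text, comment):
    """Cut one user off: drop every key line carrying that comment."""
    keep = [l for l in text.splitlines()
            if not is_key_line(l) or parse_entry(l)[3] != comment]
    return "\n".join(keep) + "\n"

# Constructed sample (fake key blobs): authorized_keys of the shared cvsuser account.
SAMPLE = """\
command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaExampleJoe joe@example.org
ssh-rsa AAAAB3NzaExampleAnn ann@example.org
command="cvs server",no-pty ssh-dss AAAAB3NzaExampleBob bob@example.org
"""
```

An entry with an empty problem list is confined to cvs; any other entry gives its holder whatever else the cvsuser account can do over ssh.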