On Tue, Aug 13, 2013 at 07:02:52PM -0600, Andy Bradford wrote:
> Thus said Chad Perrin on Tue, 13 Aug 2013 18:39:21 -0600:
> 
> > Everything was working great until I tried to use the following in the
> > authorized_keys file for the user account hosting the Fossil repos:
> > 
> >     command="/usr/local/bin/fossil",no-X11-forwarding,no-agent-forwarding
> >     ssh-rsa <key> <user>@<client-host>
> 
> This won't really work at all with the current release of fossil
> (version 1.26) because fossil's client side expects to be able to talk
> to a shell, not to a fossil program.
> 
> > . . . because, of course, "ssh -L" is then prevented from working.
> 
> That shouldn't have prevented port forwarding. no-port-forwarding is
> what prevents that and I don't see that listed. More than likely what
> happened is that the SSH connection brought up fossil, but it gave you
> a usage statement.
> 
> 
> > Is there a fairly simple way to prevent people from doing anything
> > unrelated to what a dev team member should be able to do that still
> > allows me to use this approach to granting encrypted Fossil access?
> 
> Well, if you are doing the port forwarding approach, yes, there is. Make
> the command something like sleep:
> 
> command="/bin/sleep 28800" ssh-rsa ...

Ahh, of course.  I'm kind of an idiot today.  What I need is a harmless
command that prevents the user from doing anything else on the system in
the shell, not the fossil command.

Thanks.  I'll see if I can come up with something that'll work
"indefinitely", and in the meantime use sleep.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
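
The point made in this thread (a forced command does not by itself stop "ssh -L"; no-port-forwarding does) can be checked mechanically. The following is an added example, not part of the original messages or of Fossil: a small Python audit of authorized_keys entries that reports what each key can still do. The key blobs, user names and the 127.0.0.1:8080 target are constructed, and no-pty, permitopen and restrict are OpenSSH options that the thread itself does not mention.

```python
import re

# Constructed authorized_keys entries; key blobs, user names and the
# 127.0.0.1:8080 forward target are placeholders, not values from the thread.
SAMPLE = """\
command="/usr/local/bin/fossil",no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAkey1 dev1@client
command="/bin/sleep 28800" ssh-rsa AAAAkey2 dev2@client
command="/bin/sleep 28800",no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="127.0.0.1:8080" ssh-rsa AAAAkey3 dev3@client
ssh-rsa AAAAkey4 dev4@client
"""

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# name or name="value"; \" inside a value does not end it.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

def split_fields(line):
    """Split a line into (options field, remainder starting at the key type)."""
    if line.startswith(KEY_TYPES):
        return "", line
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2          # skip the escaped character
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            break           # first unquoted whitespace ends the options
        i += 1
    return line[:i], line[i:].strip()

def audit(line):
    """Report what a key can still do once its options are applied."""
    field, rest = split_fields(line.strip())
    opts = {}
    for m in OPTION.finditer(field):
        opts.setdefault(m.group(1).lower(), []).append(m.group(2))
    restrict = "restrict" in opts   # deny-by-default option in newer OpenSSH
    pty = "pty" in opts if restrict else "no-pty" not in opts
    fwd = "port-forwarding" in opts if restrict else "no-port-forwarding" not in opts
    return {
        "key": rest.split()[-1] if rest else "?",
        "command": opts.get("command", [None])[0],  # None: login shell runs
        "pty": pty,
        # ssh -L targets: [] = none allowed, ["any"] = unrestricted
        "local_forward_to": (opts.get("permitopen") or ["any"]) if fwd else [],
    }

if __name__ == "__main__":
    for entry in SAMPLE.splitlines():
        print(audit(entry))
```

Only the third sample entry narrows local forwarding to a single target; the first two still allow forwarding to any host and port the server can reach.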
