On Mon, May 15, 2000 at 09:57:47AM -0400, Noel L Yap wrote:
> The problem with ssh is that it requires a login shell into the server (please
> correct me if I'm wrong 'cos I've been looking for a way around this).

The user needs an *account* on the server; they don't need to be
able to log into it.  I haven't tried this, but you should be
able to do something like:
  - Create a login "fbaggins" on the server

  - "*" out the password field (in /etc/shadow or wherever) so
    that the account cannot be logged into

  - In sshd_config, set:
        RhostsAuthentication no
        RhostsRSAAuthentication no
    These prevent any stray .rhosts that may creep onto the
    server from providing a way in -- even from an
    RSA-authenticated client machine.

        RSAAuthentication yes
    This allows use of the key-pair you're about to create.

        PasswordAuthentication ?
    "no" is safer, but "yes" is perhaps more convenient for those
    who are supposed to have shell access to the server.  This is
    a policy decision for the box's sysadmin.

  - Create an SSH key pair for fbaggins; give Frodo the private
    key from this pair to install on his client machine

  - On the server, in ~fbaggins/.ssh/authorized_keys, put the
    public key from the above key pair, with the option:
        command="cvs server"
    This ensures(?) that the only thing anyone can do
    with the fbaggins account is CVS commands.


Actually, you might not need to create a login for every user.
Just a single one, set up as above, should do.  Give each user
their own key-pair, and put all their public keys in the cvs
account's authorized_keys -- all with `command="cvs server"'
options of course.


Potential problems:
  - That "ensures(?)".  I gather that it's undependable to use an
    account's .profile for security restrictions, even with the
    permissions locked down tight; I'd want to look at SSH a bit
    carefully to convince myself that the "command=" option
    doesn't suffer similar weaknesses.

  - Frodo, having lost a finger to his famous adventure with a
    magic ring, will want nothing whatsoever to do with your
    $@*!# magic key :-)

--

|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        [EMAIL PROTECTED]
|  |  /
to me, Charlie Brown represented the courage to be sincere in the face of
ridicule. he was NOT a loser.  
thank you, Mr. Schulz.
        - Robert C. Mayo
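
The setup above, as an added example that is not part of the original
message: a POSIX shell script that builds the shared CVS account's
authorized_keys entries and checks sshd_config for the three settings
Eric lists.  The account name fbaggins, the key text and the file paths
are constructed for illustration.  The no-port-forwarding,
no-X11-forwarding, no-agent-forwarding and no-pty options are OpenSSH
authorized_keys restrictions that command= alone does not imply; they
are the practical answer to the "ensures(?)" worry, since a forced
command by itself still lets the key holder open port forwards or a pty.

```shell
#!/bin/sh
# Added example (not code from the original post): builds the restricted
# authorized_keys entries for a shared CVS account and checks sshd_config for
# the settings the post lists.  Account name, key text and file paths are
# constructed for illustration.
#
# The privileged steps (run by root; not executed here):
#   useradd -m -s /bin/sh fbaggins   # create the account
#   passwd -l fbaggins               # lock the password field; no password login
# A locked password does not stop key-based logins, which is the point.

# Print an authorized_keys line that pins one public key to "cvs server".
# command= alone still leaves port forwarding, agent forwarding and pty
# allocation available to the key holder; the no-* options close those.
restricted_key_line() {
    # $1 = one line from the user's public key file (e.g. identity.pub)
    printf 'command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# Look up one sshd_config keyword: case-insensitive, first match wins
# (sshd uses the first value it finds for a keyword).
sshd_setting() {
    # $1 = keyword, $2 = path to sshd_config
    awk -v k="$1" 'tolower($1)==tolower(k) {print $2; exit}' "$2"
}

# Succeed (exit 0) if sshd_config has the three settings the post requires.
check_sshd_config() {
    # $1 = path to sshd_config
    [ "$(sshd_setting RhostsAuthentication "$1")" = no ] &&
    [ "$(sshd_setting RhostsRSAAuthentication "$1")" = no ] &&
    [ "$(sshd_setting RSAAuthentication "$1")" = yes ]
}

# Succeed if every key line in an authorized_keys file is pinned to
# "cvs server"; comments and blank lines are ignored.
all_keys_forced() {
    # $1 = path to authorized_keys
    ! grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | grep -v 'command="cvs server"' | grep -q .
}

# Constructed sample run: two users' keys go into one shared account's file.
demo() {
    dir=$(mktemp -d)
    # Placeholder key strings, not real key material.
    frodo='ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEKEY1 frodo@shire'
    sam='ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEKEY2 sam@shire'
    {
        restricted_key_line "$frodo"
        restricted_key_line "$sam"
    } > "$dir/authorized_keys"
    printf 'RhostsAuthentication no\nRhostsRSAAuthentication no\nRSAAuthentication yes\nPasswordAuthentication no\n' \
        > "$dir/sshd_config"

    all_keys_forced "$dir/authorized_keys" && echo "authorized_keys: every key forced to cvs server"
    check_sshd_config "$dir/sshd_config" && echo "sshd_config: rhosts off, RSA on"
    rm -rf "$dir"
}

demo
```

Run it as-is to see the sample pass; point all_keys_forced and
check_sshd_config at the real files on the server to audit an existing
setup.  A key line that lacks command= is the thing to look for when a
new user's key is added by hand to the shared account.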
