Re: ssh + svn - pam
On Fri, Jul 8, 2011 at 7:38 AM, Cole Tuininga wrote:
> On 7/7/11 5:04 PM, Kenny Lussier wrote:
>> What I need to do is make it so that certain users can check in and
>> out, but the server that the repositories reside on needs to be
>> locked down, and these users can't have accounts on it. I was
>> contemplating having local accounts with a shell of /dev/null, but I
>> wanted to ask the group what people's thoughts on the best practices
>> are for this sort of scenario.
>
> This kinda goes against what you've specified (doing it over ssh), but
> is webdav an option for you? Going that route, I believe it can be set
> up without requiring user accounts...

I really don't know if webdav is an option. The whole story is that the
SVN repo is going to be the back end for a puppet setup. People will
check files into the svn repo, then puppet will check them out and push
them. We need people to be able to check files in, but we don't want
them to have local accounts. It's like a roach motel for configurations.

There are several ways to give them local accounts and disallow logins,
I know, but I would rather have the box be an island, and of course,
encrypt the transport.

Thanks,
Kenny
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: ssh + svn - pam
On 7/7/11 5:04 PM, Kenny Lussier wrote:
> What I need to do is make it so that certain users can check in and
> out, but the server that the repositories reside on needs to be
> locked down, and these users can't have accounts on it. I was
> contemplating having local accounts with a shell of /dev/null, but I
> wanted to ask the group what people's thoughts on the best practices
> are for this sort of scenario.

This kinda goes against what you've specified (doing it over ssh), but
is webdav an option for you? Going that route, I believe it can be set
up without requiring user accounts...

--
Cole Tuininga
Lead Developer
co...@code-energy.com
Re: ssh + svn - pam
On Thu, Jul 7, 2011 at 5:04 PM, Kenny Lussier wrote:
> Many many (many) moons ago, I had set up an svn server at a company. I
> remember setting it up so that it was svn+ssh, but it didn't require
> local accounts in /etc/passwd, it just used accounts out of the
> repositories passwd-db. I can't seem to remember how I did this, and I
> can't seem to find a way to do it now. This leads me to believe that
> my memory is failing.

Quoting from:
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks.fixedcmd

  It's also possible to have multiple users share a single account.
  Instead of creating a separate system account for each user, generate
  a public/private key pair for each person. Then place each public key
  into the authorized_keys file, one per line, and use the
  --tunnel-user option:

    command="svnserve -t --tunnel-user=harry" TYPE1 KEY1 ha...@example.com
    command="svnserve -t --tunnel-user=sally" TYPE2 KEY2 sa...@example.com

  This example allows both Harry and Sally to connect to the same
  account via public key authentication. Each of them has a custom
  command that will be executed; the --tunnel-user option tells svnserve
  to assume that the named argument is the authenticated user. Without
  --tunnel-user, it would appear as though all commits were coming from
  the one shared system account.

Gitolite uses a similar technique with git:
http://sitaramc.github.com/gitolite/doc/gitolite-and-ssh.html

--
Brian St. Pierre
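An audit of the shared account's authorized_keys file, as an added example (not part of the thread or of the svnbook text quoted above). It goes one step beyond the quoted passage: besides the forced `svnserve -t --tunnel-user=NAME` command, it checks for the standard OpenSSH restriction options (or `restrict`) that keep a key from being used for anything else. The sample file and the names `parse_line` and `audit` are constructed for illustration.

```python
# Standard OpenSSH authorized_keys options that confine a key to its forced command.
RESTRICTIONS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

def parse_line(line):
    """Return (options dict, remainder) for one authorized_keys line."""
    line = line.strip()
    if line.startswith(("ssh-", "ecdsa-", "sk-")):   # no options field at all
        return {}, line
    opts, cur, quoted = {}, "", False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            quoted = not quoted
        if quoted or ch not in ", \t":      # commas/spaces inside quotes are data
            cur += ch
            continue
        name, _, value = cur.partition("=")
        opts[name.lower()] = value.strip('"')
        cur = ""
        if ch != ",":                       # unquoted whitespace ends the options
            return opts, line[i:].strip()
    return opts, ""                         # malformed: options but no key

def audit(text):
    """Map line number -> problems for a shared svn account's authorized_keys."""
    findings = {}
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts, _ = parse_line(raw)
        cmd = opts.get("command", "").split()
        problems = []
        if cmd[:2] != ["svnserve", "-t"]:   # key would get whatever the shell allows
            problems.append("no forced 'svnserve -t' command")
        elif not any(a.startswith("--tunnel-user=") for a in cmd):
            problems.append("no --tunnel-user")   # commits show the shared account
        missing = set() if "restrict" in opts else RESTRICTIONS - set(opts)
        if missing:
            problems.append("missing " + ",".join(sorted(missing)))
        if problems:
            findings[n] = problems
    return findings

# Constructed sample: KEY1..KEY4 stand in for real key material.
SAMPLE = """\
command="svnserve -t --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 KEY1 harry
command="svnserve -t --tunnel-user=sally" ssh-ed25519 KEY2 sally
command="svnserve -t",restrict ssh-rsa KEY3 shared
ssh-rsa KEY4 admin
"""
print(audit(SAMPLE))
```

Only the first sample line passes; the second is the form shown in the quoted passage, which names the user but leaves forwarding and pty allocation enabled.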
Fwd: ssh + svn - pam
---------- Forwarded message ----------
From: Jefferson Kirkland
Date: Thu, Jul 7, 2011 at 5:24 PM
Subject: Re: ssh + svn - pam
To: Kenny Lussier

I am not sure how you would set that up without either having a user
account on the box or in the LDAP type system used for the network.
Every tutorial I have ever read says that an account has to be created
for the user. If you find one or learn how to do it, please share, but I
am not really sure how you are going to get around it.

Regards,
Jeff

On Thu, Jul 7, 2011 at 5:04 PM, Kenny Lussier wrote:
> Hi all,
>
> Many many (many) moons ago, I had set up an svn server at a company. I
> remember setting it up so that it was svn+ssh, but it didn't require
> local accounts in /etc/passwd, it just used accounts out of the
> repositories passwd-db. I can't seem to remember how I did this, and I
> can't seem to find a way to do it now. This leads me to believe that
> my memory is failing.
>
> What I need to do is make it so that certain users can check in and
> out, but the server that the repositories reside on needs to be
> locked down, and these users can't have accounts on it. I was
> contemplating having local accounts with a shell of /dev/null, but I
> wanted to ask the group what people's thoughts on the best practices
> are for this sort of scenario.
>
> TIA,
> Kenny
ssh + svn - pam
Hi all,

Many many (many) moons ago, I had set up an svn server at a company. I
remember setting it up so that it was svn+ssh, but it didn't require
local accounts in /etc/passwd, it just used accounts out of the
repositories passwd-db. I can't seem to remember how I did this, and I
can't seem to find a way to do it now. This leads me to believe that
my memory is failing.

What I need to do is make it so that certain users can check in and
out, but the server that the repositories reside on needs to be
locked down, and these users can't have accounts on it. I was
contemplating having local accounts with a shell of /dev/null, but I
wanted to ask the group what people's thoughts on the best practices
are for this sort of scenario.

TIA,
Kenny