Setup SVN repositories only for specified users over ssh. OpenSSH limit only one command execution.

Posted by valqk on Thursday, November 26. 2009

Just to blog this. I'll need it in future.
If you have svn repositories server and you are using svn+ssh for the checkout and all svn actions you will want users to have access to only predefined repos only and not to any shell or anything.
I've done this by doing symlinks in their homes and using ssh file that looks like this
authorized_keys:



command="svnserve -t --tunnel-user=user -r /home/user",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3Nz1...KEY HERE....

this way, you can lock them to use only svnserve and it will lock them to co only what's in their home dirs.

If you're not familiar with details - eg. how to generate keys, what is authorized_keys etc, I stole this from here: http://ingomueller.net/node/331 - read more there.

Of course you have to keep your snserve up to date and pray there are no vulns in it, otherwise users can hack you

But hey, you know the owners of the keys, don't you?

Got my pont?

Trackbacks

Trackback specific URI for this entry

This link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Name

Homepage

In reply to

Comment

You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.

Standard emoticons like :-) and ;-) are converted to images.

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To leave a comment you must approve it via e-mail, which will be sent to your address after submission.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Enter the string from the spam-prevention image above:

Remember Information?