Subversion-only SSH users
Sometimes you’re stuck with svn+ssh://… access for your repository. You need to give someone SSH access so they can reach the repository, but you don’t want to give them full shell access. What you can do is create a group whose users only have access to svnserve.
Create a group called “svnonly”. /etc/group will look something like:
...
svnonly:x:414:
...
Then you can add users into that group. /etc/passwd will look something like:
...
john:x:1001:414::/home/svnonly/john:/bin/bash
mike:x:1002:414::/home/svnonly/mike:/bin/bash
bob:x:1003:414::/home/svnonly/bob:/bin/bash
...
The home directory is entirely up to you – I choose /home/svnonly as a top directory for svnonly-users to keep them separate from full-access users and to keep /home neat. Each user still gets their own home directory, which can hold .ssh/authorized_keys, for example.
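Next, add the following to the end of your /etc/ssh/sshd_config (a Match block applies to every line after it, up to the next Match line or the end of the file):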
Match Group svnonly
X11Forwarding no
AllowTcpForwarding no
ForceCommand svnserve -t
Now svnonly-users will have svnserve started for them automatically when they connect instead of a normal shell.
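A quick way to confirm that the lockdown is set inside the right Match block, as an added example that is not part of the original post. The function name check_match_block, the sample file and the "backup" user are made up for illustration; it only understands plain "Match Group name[,name]" lines, not negated or wildcard patterns.

```shell
# Added example. check_match_block FILE GROUP returns 0 only if all three
# settings from the post are set inside the Match block for GROUP.
check_match_block() {
    awk -v group="$2" '
    BEGIN {
        want["x11forwarding"]      = "no"
        want["allowtcpforwarding"] = "no"
        want["forcecommand"]       = "svnserve -t"
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim the line
    /^#/ || /^$/ { next }                         # skip comments and blanks
    {
        key = tolower($1)                         # keywords are case-insensitive
        val = $0; sub(/^[^ \t]+[ \t]+/, "", val)  # arguments are case-sensitive
        if (key == "match") {
            # A Match block lasts until the next Match line or end of file.
            inblock = 0
            if (tolower($2) == "group") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == group) inblock = 1
            }
            next
        }
        # sshd uses the first value it obtains for a keyword.
        if (inblock && (key in want) && !(key in seen)) seen[key] = val
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen))            { print "MISSING " k; bad = 1 }
            else if (seen[k] != want[k]) { print "WRONG " k " = " seen[k]; bad = 1 }
            else                         { print "OK " k " = " seen[k] }
        }
        exit bad
    }' "$1"
}

# Constructed sample: ForceCommand ended up under a later Match line,
# so svnonly users would still get a normal shell.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Match Group svnonly
    X11Forwarding no
    AllowTcpForwarding no
Match User backup
    ForceCommand svnserve -t
EOF
check_match_block "$sample" svnonly || echo "svnonly block is incomplete"
rm -f "$sample"
```

Run it against the real file with: check_match_block /etc/ssh/sshd_config svnonly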