gpg: failed to create temporary file '/var/lib/lurker/.#lk0x58379100.hantslug.org.uk.20700': Permission denied
gpg: keyblock resource '/var/lib/lurker/pubring.gpg': Permission denied
gpg: Signature made Thu May 31 19:32:18 2007 BST
gpg: using DSA key B2C27BC21C335860
gpg: Can't check signature: No public key
On Thu, May 31, 2007 at 04:50:18PM +0100, Dr Adam J Trickett wrote:
> At work we have some projects on a CVS sever and new projects on a
> Subversion server on the same box. Historically we used a forced
> command 'cvs server' to force all SSH into CVS. Now we have a
> slight problem that we want to only allow CVS and Subversion,
> with no shell access.
>
> Apparently OpenSSH only supports one command forcing option, it's
> cvs or svn but not both.
>
> It looks like I could set the command to be a shell script and
> then look in the $SSH2_ORIGINAL_COMMAND variable to see what they
> tried to do, and if it's svn or cvs allow it to run. I'd have to
> write very clean code to make it secure, but I can't think of
> anything else.
>
> I've looked at the restricted shell option for OpenSSH, which looks
> good, except it doesn't do svn yet!
>
> I could try setting their login shell to /bin/false, but they could
> easily issue a ssh cvsserver bash if they wanted to.
Set up the openssh restricted shell, which will do what you want
with CVS. Then set up svn using DAV+SVN on Apache2 on the svn server.
Those people with working copies already checked out can convert them
using "svn switch --relocate".
Hugo.
--
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
PGP key: 1C335860 from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
--- Two things came out of Berkeley in the 1960s: LSD and Unix. ---
This is not a coincidence.
