Rev 5739: (spiv) Add documentation for using a shared SSH account with bzr+ssh. in file:///home/pqm/archives/thelove/bzr/%2Btrunk/

Patch Queue Manager pqm at
Thu Mar 24 02:02:24 UTC 2011

At file:///home/pqm/archives/thelove/bzr/%2Btrunk/

revno: 5739 [merge]
revision-id: pqm at
parent: pqm at
parent: andrew.bennetts at
committer: Patch Queue Manager <pqm at>
branch nick: +trunk
timestamp: Thu 2011-03-24 02:02:21 +0000
  (spiv) Add documentation for using a shared SSH account with bzr+ssh.
  	(Russel Smith)
  doc/en/admin-guide/simple-setups.txt simplesetups.txt-20091205144603-lgpl0e0z6lzk2rdw-11
=== modified file 'doc/en/admin-guide/simple-setups.txt'
--- a/doc/en/admin-guide/simple-setups.txt	2010-09-06 20:47:57 +0000
+++ b/doc/en/admin-guide/simple-setups.txt	2011-03-24 00:13:10 +0000
@@ -91,3 +91,52 @@
 .. [#] The version of Bazaar installed on the server must be at least 2.1.0b1 
        or newer to support ``/~/`` in bzr+ssh URLs.
+Using a restricted SSH account to host multiple users and repositories
+Once you have a bzr+ssh setup using a shared repository you may want to share
+that repository among a small set of developers.  Using shared SSH access enables
+you to complete this task without any complicated setup or ongoing management.
+To allow multiple users to access Bazaar over ssh we can allow ssh access to a common
+account that only allows users to run a specific command.  Using a single account
+simplifies deployment as no permissions management issues exist for the filesystem.
+All users are the same user at the server level.  Bazaar labels the commits with
+each users details so seperate server accounts are not required.
+To enable this configuration we update the ``~/.ssh/authorized_keys`` to include 
+command restrictions for connecting users.
+In these examples the user will be called ``bzruser``.
+The following example shows how a single line is configured::
+  command="bzr --serve --inet --allow-writes --directory=/srv/bzr",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...= my bzr key
+This command allows the user to access only bzr and disables other SSH use.  Write
+access to each repository in the directory ``/srv/bzr`` has been granted with ``--allow-writes``
+and can be removed for individual users that should only require read access.  The root of
+the directory structure can be altered for each user to allow them to see only a subet
+of the repositories available.  The example below assumes two seperate repositories
+for Alice and Bob.  This method will not allow you to restrict access to part
+of a repository, you may only restrict access to a single part of the directory structure::
+  command="bzr --serve --inet --allow-writes --directory=/srv/bzr/alice/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...= Alice's SSH Key
+  command="bzr --serve --inet --allow-writes --directory=/srv/bzr/bob/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...= Bob's SSH Key
+  command="bzr --serve --inet --allow-writes --directory=/srv/bzr/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...= Repo Manager SSH Key
+Alice and Bob have access to their own repository and Repo Manager
+has access to the each of their repositories.  Users are not allowed access to any part of 
+the system except the directory specified. The bzr+ssh urls are simplified by 
+serving using ``bzr serve`` and the ``--directory`` option.
+If Alice logs in she uses the following command for her fix-1023 branch::
+  $ bzr log bzr+ssh://
+If Repo Manager logs in he uses the following command to access Alice's
+  $ bzr log bzr+ssh://
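
Review bot: The forced command in all four authorized_keys examples is written as "bzr --serve --inet ...", but the closing paragraph names ``bzr serve`` with the ``--directory`` option; the examples should use the subcommand form, e.g. command="bzr serve --inet --allow-writes --directory=/srv/bzr", so that they match the text. The paragraph stating that "Bazaar labels the commits with each users details" should also say that this identity is set by the client and is not bound to the SSH key: since every key maps to the same server account, the commit metadata alone is not a record of which key pushed a revision. The read-only case is described only in prose ("can be removed for individual users"); an example line without --allow-writes next to the Alice/Bob/Repo Manager lines would make it concrete. Spelling and grammar: "seperate" (twice), "subet", "each users details", "the each of their repositories", and the comma splice in "This method will not allow you to restrict access to part of a repository, you may only ...".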
