Setting up a shared repository for users with no shell login

alex mitchell cnmmai at nus.edu.sg
Thu Jan 31 16:47:33 GMT 2008


Hi,

I managed to find the bzr_access script, and have tried it out. I've
successfully set up the .ssh/authorized_key file, but I keep getting
"bzr_access::error: Access denied" even when doing a bzr log, which should
only require read access, right?  And as far as I can tell, the
bzr_access.conf file is set up correctly. Has anyone else tried this script?
Any pointers as to how to get it to work?

thanks,
Alex


On 1/31/08 12:05 AM, "Olaf Conradi" <olaf at conradi.org> wrote:

> Hi,
> 
> 2008/1/30, John Arbash Meinel <john at arbash-meinel.com>:
>> alex mitchell wrote:
>>> > Is there any way to do this? I've tried restricting login by setting the
>>> > users' shell to /bin/false, which stops the users from logging in, but this
>>> > also blocks bzr from connecting using sftp. Can I block users from logging
>>> > in, but still allow bzr to have access to read/write to the files within the
>>> > repository?
>> 
>> You can use the "contrib/bzr_access" script which is intended to control
>> access based on SSH key.
>> 
>> It doesn't do as much access control as people would like, but it does
>> provide exactly what you are asking here.
>> 
>> It would only allow people to run "bzr_access", and thus only "bzr+ssh"
>> connections. It is also designed to chroot the bzr process, so they
>> cannot access all files on the remote system.
>> 
>> You set it up by adding a line to .ssh/authorized_key like:
>> 
>>   command="/path/to/bzr_access /path/to/bzr /path/to/repo username" SSHKEYINFO
>> 
>> John
>> =:->
> 
> I never noticed the bzr_access script in contrib. Cool. I might switch to
> that.
> 
> I once created the attached script and set it as shell for my bzr user.
> It does not use the command option of ssh keys, it just checks if "bzr serve"
> is somewhere in the command argument given by ssh and starts bzr serve hard
> coded (not through the command environment variable).
> 
> It lacks the read/write distinction that bzr_access has, and only serves a
> hard coded repository.
> 
> Cheers,
>  -Olaf
> 
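
A restricted login shell of the kind Olaf describes above, as an added example: it is not the script attached to his mail and not part of bzr. The paths in BZR and REPO, the function names, and the exact command string a bzr+ssh client sends are assumptions. It compares the whole request instead of searching for "bzr serve" inside it, and never runs anything the client supplied.

```shell
#!/bin/sh
# Added example: login shell for a bzr-only account (not the script from the thread).
# Assumed paths; adjust for the real host.
BZR=/usr/bin/bzr
REPO=/srv/bzr/shared

# The command a bzr+ssh client asks the server to run (assumed client behaviour).
EXPECTED='bzr serve --inet --directory=/ --allow-writes'

# Return 0 only if the client's request is exactly the expected bzr command.
# An exact match is stricter than looking for "bzr serve" anywhere in the string.
is_bzr_request() {
    [ "$1" = "$EXPECTED" ]
}

# Decide what to do with the arguments sshd hands to a login shell.
# Prints "serve" or "deny:<reason>"; never echoes or evaluates client input.
decide() {
    if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
        echo "deny:unexpected arguments"
    elif is_bzr_request "$2"; then
        echo "serve"
    else
        echo "deny:command not allowed"
    fi
}

run_shell() {
    verdict=$(decide "$@")
    case "$verdict" in
        serve)
            # Hard-coded command line: the client string is only compared, never run.
            exec "$BZR" serve --inet --directory="$REPO" --allow-writes ;;
        *)
            echo "bzr-only account: ${verdict#deny:}" >&2
            return 1 ;;
    esac
}

# sshd invokes the shell as: <shell> -c "<client command>".
# With no arguments (an interactive login) the script simply ends,
# so no shell is ever started for the user.
if [ "$#" -gt 0 ]; then run_shell "$@"; exit $?; fi
```

Because the repository is fixed by `--directory`, client URLs are resolved relative to REPO, so one copy of the script serves exactly one repository tree.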

