bzr_access installation and usage
Eugene Wee
crystalrecursion at gmail.com
Sat Oct 17 20:00:54 BST 2009

Hi,

On Sat, Oct 17, 2009 at 6:34 PM, Algis Kabaila <akabaila at pcug.org.au> wrote:
> Do you want to forbid "read" access or only inhibit "write" access? There is
> a big difference between the two possibilities.

I want to inhibit read (and obviously write) access to everyone except
those who are allowed to access the repository. Such users will have
both read and write access to that repository, but not to any other
repository on the server unless otherwise permitted. None of these
users will be able to access any command/program other than bzr.

On Sat, Oct 17, 2009 at 6:49 PM, John Szakmeister <john at szakmeister.net> wrote:
> Setting it up in this way will force bzr_access to be run (they won't
> get a normal shell prompt). I believe you can do what you want with
> bzr_access. Take a look at the content of the script; there is a
> bunch of documentation right at the beginning explaining the format
> for bzr_access.conf.

Thanks for the explanation. I now realise that I was hopelessly
confused by the script's documentation because I did not know that
each key specified in .ssh/authorized_keys could have an associated
command option, and the user logging in with that corresponding
private key could only run the specified command. Now, it is painfully
obvious that each username specified in the bzr_access.conf file
corresponds to a <username> specified in .ssh/authorized_keys, and
that I do not have to run bzr_access myself: it would happen when the
user uses bzr some_command bzr+ssh://scriptuser@path/to/repo/etc.

If I understand this correctly, a drawback here is that with multiple
repositories, I will need either multiple key pairs or multiple user
accounts. So in my example, if I wanted to give myself read/write
access to both repo1 and repo2 (without "cheating" by logging in with
a password or an unrestricted key instead), I would need separate key
pairs for each repo, since I only have one account named bzraccess.
This sounds problematic though, as how would I conveniently select
between the different keys when either would allow for a successful
login?

Thanks,
Eugene Wee
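
The forced-command mechanism discussed in this message, as an added example that is not part of the original post or of bzr_access: an audit of an authorized_keys file that checks each key is pinned to a `command=` option and has pty and forwarding disabled. The sample entries, including the bzr_access path and its arguments, are constructed placeholders.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
LOCKDOWN = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

def parse_entry(line):
    """Return (options, key_type, comment) for one authorized_keys line."""
    rest, options = line.strip(), {}
    if not KEY_TYPE.match(rest.split(None, 1)[0]):
        # Options are comma-separated; quoted values may hold spaces and commas.
        parts, start, i, quoted = [], 0, 0, False
        while i < len(rest):
            ch = rest[i]
            if quoted and ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                quoted = not quoted
            elif not quoted and ch == ",":
                parts.append(rest[start:i])
                start = i + 1
            elif not quoted and ch.isspace():
                break  # first unquoted space ends the options field
            i += 1
        parts.append(rest[start:i])
        rest = rest[i:].strip()
        for part in parts:
            name, _, value = part.partition("=")
            if value[:1] == '"' and value[-1:] == '"':
                value = value[1:-1].replace('\\"', '"')
            options[name.lower()] = value
    fields = rest.split(None, 2) + ["", ""]
    return options, fields[0], fields[2]

def audit(text):
    """Map each key's comment to its findings (empty list = locked down)."""
    report = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            options, _, comment = parse_entry(line)
            findings = [] if "command" in options else ["no forced command"]
            missing = [] if "restrict" in options else sorted(LOCKDOWN - set(options))
            findings += ["missing " + ",".join(missing)] if missing else []
            report[comment] = findings
    return report

SAMPLE = """# Constructed entries: key blobs, paths and arguments are placeholders.
command="/usr/local/bin/bzr_access /usr/bin/bzr /srv/bzr alice",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAconstructedkeyalice alice@laptop
command="/usr/local/bin/bzr_access /usr/bin/bzr /srv/bzr bob",no-port-forwarding ssh-rsa AAAAconstructedkeybob bob@desk
ssh-rsa AAAAconstructedkeycarol carol@home"""
print(audit(SAMPLE))
```

A key with an empty findings list can only run its forced command; any key reported with "no forced command" gets whatever shell the account has.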