Bazaar SSH access control
John Arbash Meinel
john at arbash-meinel.com
Mon Nov 5 13:19:14 UTC 2012
On 11/5/2012 4:36 PM, Michael Schubert wrote:
> On 10/31/2012 03:43 PM, John Arbash Meinel wrote:
>> So chroot and ~/homedir support are both implemented using
>> PathFilteringTransport, so I think something like this would work
>> for you.
>>
>> However, I would mention that it might be easier to hook it at a
>> different point than 'ssh-serve'.
>>
>> a) you might at least want to call it acl-serve, since it isn't
>> actually serving ssh. The process is connecting via ssh to your
>> machine, which is spawning 'bzr serve ...' (or whatever you
>> configure in your authorized_keys file.)
>
> The name for sure is arguable.
>
>> b) 'bzr serve' already has support for --protocol, which might be
>> an easier place to hook into. I won't guarantee that, but it
>> might be something to look at.
>
> When you say 'bzr serve', you mean calling cmd_serve.run() from
> the plugin? From my understanding, there's only one protocol (bzr,
> the default) which can be chosen for --protocol atm.
>
>
loggerhead already hooks in to do "bzr serve --http", and bzr-git IIRC
hooks in to provide "bzr serve --git". So you could provide
"bzr serve --acl" or something similar.
Then the line in authorized_keys would have "bzr serve --acl" rather
than "bzr acl-serve". I don't know if one is easier than the other,
just something to consider.
John
=:->