Hi,<br><br><div><span class="gmail_quote">2008/1/30, John Arbash Meinel &lt;<a href="mailto:john@arbash-meinel.com">john@arbash-meinel.com</a>&gt;:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
alex mitchell wrote:<br>> Is there any way to do this? I've tried restricting login by setting the<br>> users' shell to /bin/false, which stops the users from logging in, but this<br>> also blocks bzr from connecting using sftp. Can I block users from logging<br>
> in, but still allow bzr to have access to read/write to the files within the<br>> repository?<br><br>You can use the "contrib/bzr_access" script which is intended to control<br>access based on SSH key.<br>
<br>It doesn't do as much access control as people would like, but it does<br>provide exactly what you are asking here.<br><br>It would only allow people to run "bzr_access", and thus only "bzr+ssh"<br>
connections. It is also designed to chroot the bzr process, so they<br>cannot access all files on the remote system.<br><br>You set it up by adding a line to .ssh/authorized_keys like:<br><br> command="/path/to/bzr_access /path/to/bzr /path/to/repo username"<br>
SSHKEYINFO<br><br>John<br>=:-><br></blockquote></div><br>I never noticed the bzr_access script in contrib. Cool. I might switch to that.<br><br>I once created the attached script and set it as shell for my bzr user.<br>
It does not use the command option of ssh keys; it just checks if "bzr serve" is somewhere in the command argument given by ssh and starts bzr serve hard coded (not through the command environment variable).<br>
<br>It lacks the read/write distinction that bzr_access has, and only serves a hard coded repository.<br><br>Cheers,<br><span class="sg"> -Olaf</span><br>
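A restricted login shell along the lines described in the message above, as an added example: it is not the attached script (which is not reproduced on this page) and not bzr's contrib/bzr_access. The paths /usr/bin/bzr and /srv/bzr/repo, the use of --allow-writes, and the names decide and main are assumptions.

```python
#!/usr/bin/env python3
"""Restricted login shell for a shared bzr account (added example)."""
import os
import sys

# Assumed locations, not taken from the original message; adjust per host.
BZR = "/usr/bin/bzr"
REPO = "/srv/bzr/repo"

# Fixed argument vector: nothing sent by the client is ever copied into it.
# Always read/write, matching the "no read/write distinction" limitation.
SERVE_ARGV = [BZR, "serve", "--inet", "--directory=" + REPO, "--allow-writes"]


def decide(argv):
    """Return the argv to exec, or None to refuse the session.

    sshd starts the account's shell as `<shell> -c '<client command>'` for a
    remote command, and without -c for an interactive login.
    """
    if len(argv) != 3 or argv[1] != "-c":
        return None  # interactive login or unexpected invocation
    if "bzr serve" not in argv[2]:
        return None  # scp, sftp-server, or any other command
    # The client string is only inspected, never executed, so a loose
    # substring match is enough: the result is the same fixed command.
    return list(SERVE_ARGV)


def main(argv):
    target = decide(argv)
    if target is None:
        sys.stderr.write("This account only provides bzr+ssh access.\n")
        return 1
    # execv takes an argument vector, so no shell parses anything here.
    os.execv(target[0], target)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the account's shell is replaced, SFTP stops working for that user as well; clients have to use bzr+ssh URLs.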