<HTML>
<HEAD>
<TITLE>Re: Setting up a shared repository for users with no shell login</TITLE>
</HEAD>
<BODY>
<FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'>Hi,<BR>
<BR>
I managed to find the bzr_access script, and have tried it out. I’ve successfully set up the .ssh/authorized_key file, but I keep getting “bzr_access::error: Access denied” even when doing a bzr log, which should only require read access, right? And as far as I can tell, the bzr_access.conf file is set up correctly. Has anyone else tried this script? Any pointers as to how to get it to work?<BR>
<BR>
thanks,<BR>
Alex<BR>
<BR>
<BR>
On 1/31/08 12:05 AM, "Olaf Conradi" &lt;olaf@conradi.org&gt; wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'>Hi,<BR>
<BR>
2008/1/30, John Arbash Meinel &lt;john@arbash-meinel.com&gt;:<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'>alex mitchell wrote:<BR>
> Is there any way to do this? I've tried restricting login by setting the<BR>
> users' shell to /bin/false, which stops the users from logging in, but this<BR>
> also blocks bzr from connecting using sftp. Can I block users from logging<BR>
> in, but still allow bzr to have access to read/write to the files within the<BR>
> repository?<BR>
<BR>
You can use the "contrib/bzr_access" script which is intended to control<BR>
access based on SSH key.<BR>
<BR>
It doesn't do as much access control as people would like, but it does<BR>
provide exactly what you are asking here.<BR>
<BR>
It would only allow people to run "bzr_access", and thus only "bzr+ssh"<BR>
connections. It is also designed to chroot the bzr process, so they<BR>
cannot access all files on the remote system.<BR>
<BR>
You set it up by adding a line to .ssh/authorized_key like:<BR>
<BR>
command="/path/to/bzr_access /path/to/bzr /path/to/repo username" SSHKEYINFO<BR>
<BR>
John<BR>
=:-><BR>
</SPAN></FONT></BLOCKQUOTE><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'><BR>
I never noticed the bzr_access script in contrib. Cool. I might switch to that.<BR>
<BR>
I once created the attached script and set it as shell for my bzr user.<BR>
It does not use the command option of ssh keys, it just checks if "bzr serve" is somewhere in the command argument given by ssh and starts bzr serve hard coded (not through the command environment variable).<BR>
<BR>
It lacks the read/write distinction that bzr_access has, and only serves a hard coded repository.<BR>
<BR>
Cheers,<BR>
-Olaf<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'><BR>
</SPAN></FONT>
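The login-shell approach described in the thread, as an added example. It is not Olaf's attached script or the contrib/bzr_access code. It is stricter than the description in that the client command must start with "bzr serve" rather than merely contain it. The bzr path and the repository path are hypothetical.

```python
import os
import shlex
import sys

# Assumptions for this sketch (not taken from the thread):
BZR = "/usr/bin/bzr"             # hypothetical path to the bzr executable
REPO = "/srv/bzr/shared-repo"    # hypothetical hard-coded repository


def serve_argv(shell_args):
    """Return the fixed argv to exec, or None if the request is refused.

    sshd starts a user's login shell as `<shell> -c "<client command>"`,
    so shell_args is expected to be ["-c", "<client command>"].
    """
    if len(shell_args) != 2 or shell_args[0] != "-c":
        return None              # interactive login or unexpected invocation
    try:
        words = shlex.split(shell_args[1])
    except ValueError:
        return None              # unbalanced quotes in the client command
    # The command must begin with "bzr serve"; a substring match would
    # also accept strings such as "echo bzr serve".
    if words[:2] != ["bzr", "serve"]:
        return None
    # Nothing the client sent is reused: options and directory are fixed here.
    return [BZR, "serve", "--inet", "--directory=" + REPO, "--allow-writes"]


def main():
    argv = serve_argv(sys.argv[1:])
    if argv is None:
        sys.stderr.write("only bzr+ssh access is allowed\n")
        return 1
    os.execv(argv[0], argv)      # replaces this process; no shell is involved


if __name__ == "__main__":
    sys.exit(main())
```

Because the exec'd argv is built only from constants, extra words or shell metacharacters in the client command never reach a shell or bzr.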
</BODY>
</HTML>