User directory permissions on SSH server
I have an SSH server running primarily for myself but now have some code I'd like to share with my colleagues through SVN.
I am able to share it with svn+ssh by creating a separate account called 'svn', but 'svn' can also be used to log in and view my files (in /home/mine/Documents/ etc.). I tried setting the shell from bin/sh to bin/false in /etc/passwd, but this will also block users from getting my programs through svn+ssh.
Do you have any suggestions?
Thanks much! -Stephen
It's actually pretty simple to get exactly what you describe; the key is ssh's "forced command" option. Essentially you tell ssh that, no matter what command the client tries to execute it always executes the forced command. You set the forced command to point to a simple wrapper script that verifies the command is svnserve -t
. If it is, it executes as requested. Otherwise it exits. This is the script I use:
#!/bin/bash # # Verify that the requested command is an svnserve call. # # Note that sshd stores the command requested by the client in # the variable "SSH_ORIGINAL_COMMAND". if [[ $SSH_ORIGINAL_COMMAND = "svnserve -t" ]] then exec $SSH_ORIGINAL_COMMAND else echo "You are only allowed svn access to this server." fi
There are two ways to set this forced command:
- If your users are logging in using key-based authentication (and they should) you can add ``command="/usr/local/sbin/validate_svn'' as the first field in their public key in
~/.ssh/authorized_keys
. In order for this to be safe, though, you'll have to disable password auth. Otherwise they can log in with a password (bypassing the forced command) and edit~/.ssh/authorized_keys
to remove the restriction. - Add a "Match" stanza to the end of
/etc/ssh/sshd_config
for the user(s) that should only be able to use svn. It should look something like this:
Match user svn ForceCommand /usr/local/bin/validate_svn
You need to change the permissions on your home directory.
$ chmod 750 /home/mine