Subject: Re: anoncvs server...
To: None <tech-misc@netbsd.org>
From: George Georgalis <george@galis.org>
List: tech-misc
Date: 02/01/2006 14:35:34
On Wed, Feb 01, 2006 at 01:17:01PM -0500, Thor Lancelot Simon wrote:
>On Tue, Jan 31, 2006 at 11:00:00PM +0100, Manuel Bouyer wrote:
>> On Sun, Jan 29, 2006 at 02:17:08PM -0500, George Georgalis wrote:
>> > [...]
>> > 2. Currently investigating how to prevent anoncvs user,
>> > while allowing other users, from doing agent, x11, and port
>> > forwarding with the passwordless connection.
>>
>> I just use 2 ssh servers: one listening on port 22 only for anoncvs
>> connections (other users are denied in config) and another ssh server on
>> another port.
>
>It is best to run the anoncvs ssh server inside a chroot. Then you can
>dispense with most of the complexity in the openbsd anoncvssh implemenation.
Manuel's post got me thinking in that direction. chroot sounds
like the way to go.
>You can also use systrace to run the anoncvs sshd as a non-root user inside
>the chroot.
I've never heard of systrace, man page looks interesting. Will
google around and consider that option.
ATM, I'm working on a solution to get the system properly booted,
SATA/PATA drive numbering issue on another thread, how/when ever
that pans out, I'll be in a better position to look at sharing
again.
// George
--
George Georgalis, systems architect, administrator <IXOYE><
http://galis.org/ cell:646-331-2027 mailto:george@galis.org