Re: ssh and cvs login, but no user login

From: Dimitri Maziuk (dima_at_127.0.0.1)
Date: 04/28/03


Date: Mon, 28 Apr 2003 20:48:25 +0000 (UTC)

Stephan Seitz sez:
> Hi!
>
> I have the following problem:
> No user besides the admins should be able to log in to a certain
> server. But cvs is running on this server and the clients use
> CVS_RSH=/usr/bin/ssh to commit or checkout data.
> How can I configure ssh to allow the cvs connection, but not give
> shell accounts to the users?

Set up a dedicated user for cvs access. Add public keys of all
CVS users to this user's authorized_keys file with
"command=/usr/bin/cvs server" prepended to them (you probably
want to add no-port-forwarding, no-x11-forwarding, and
no-agent-forwarding as well; see TFM). Lock down the password
for the cvs user (but give him a valid shell).

Clients will use "cvs -d :ext:cvs@your.server:/repository" to
access the repository.

This way you only need one user account, and it's locked for
anything except running "cvs server" over ssh.

If you want to provide anonymous cvs, generate keys for the cvs
user, add the public key to authorized_keys as above, and let
people download the private key. See http://www.kitenet.net/~joey.

Dima

-- 
We're sysadmins. Sanity happens to other people.                  -- Chris King
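The setup Dima describes, as an added example that is not part of the original thread: a small POSIX sh script that prepends the forced command and the forwarding restrictions to a public key line for the dedicated cvs account, and an audit function that reads an authorized_keys file and reports any key that is not locked to "cvs server". Assumptions: cvs is installed at /usr/bin/cvs (as in the thread), the account is named "cvs", no-pty is added on top of the options the reply lists (cvs server does not need a tty), and every key line below is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds authorized_keys entries
# that lock a public key to "cvs server" and audits an existing file for
# keys that lack those restrictions. Assumed: cvs lives at /usr/bin/cvs and
# the dedicated account is named "cvs"; all key material below is constructed.

CVS_CMD='/usr/bin/cvs server'
# no-pty is an addition beyond the reply's list; cvs server does not need a tty.
REQUIRED_OPTS='no-port-forwarding no-x11-forwarding no-agent-forwarding no-pty'

# restrict_key PUBKEY_LINE
# Print the public key line with the forced command and restrictions prepended.
restrict_key() {
    opts=$(printf '%s' "$REQUIRED_OPTS" | tr ' ' ',')
    printf 'command="%s",%s %s\n' "$CVS_CMD" "$opts" "$1"
}

# audit_authorized_keys FILE
# Print one line per key that is not fully locked down, naming what is missing.
# Returns 0 when every key carries the forced command and all options, else 1.
audit_authorized_keys() {
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        # sshd matches option names case-insensitively, so compare lowercased
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        missing=''
        case "$lower" in
            *"command=\"$CVS_CMD\""*) ;;
            *) missing="$missing forced-command" ;;
        esac
        for opt in $REQUIRED_OPTS; do
            case "$lower" in
                *"$opt"*) ;;
                *) missing="$missing $opt" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf 'line %d: missing%s\n' "$n" "$missing"
            bad=1
        fi
    done < "$1"
    return $bad
}

# Constructed sample keys (not real key material).
ALICE='ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEKEYALICE alice@example.org'
BOB='ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEKEYBOB bob@example.org'

# Demo: build a file with one correctly restricted key and one that was
# pasted in bare, then audit it. The bare key would give bob a full shell.
tmp=$(mktemp)
{
    echo '# ~cvs/.ssh/authorized_keys (constructed for this example)'
    restrict_key "$ALICE"
    echo "$BOB"
} > "$tmp"
if audit_authorized_keys "$tmp"; then
    echo "all keys locked to '$CVS_CMD'"
else
    echo "fix the keys above before enabling the account"
fi
rm -f "$tmp"
```

The account still needs a valid login shell, as the reply says, because sshd hands the forced command to the user's shell with -c; locking the password rather than the shell is what keeps interactive logins out. The audit is a substring check, so it catches the common mistake (a bare key pasted without options) rather than every possible option combination. Newer OpenSSH releases (7.2 and later) also accept the single keyword restrict, which turns off forwarding, pty allocation and the other features in one word.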

