Allowing ssh access to Darcs repositories

Maxim Kulkin


Maxim Kulkin is a developer at Selectosa Systems.
Posted: Jul 21, 2009 3:34 PM

This post originated from an RSS feed registered with Ruby Buzz by Maxim Kulkin.
Original Post: Allowing ssh access to Darcs repositories
Feed Title: Software development
Feed URL: http://maximkulkin.blogspot.com/feeds/posts/full?alt=rss
Feed Description: Software development
I've been using Darcs since early 2006 and I do not see any reason to switch to any other (D)VCS like git.

Today at work we decided to put our new project into Darcs and I needed to set up access for others to my repository. Read-only access is not a problem, but allowing others to push into my repositories was a bit trickier. There is a protocol wrapper called "darcs-server", but I don't like that solution. I wanted to configure Darcs to do get/pull/push with minimal additional components.

The traditional way to do a push is via SSH. You can create a separate account for Darcs or just share your own. Then you set up access via public/private keys and here we go: you can do all operations. The only thing is that everybody can do anything with your account, which is bad. You need to restrict users to running just a small set of commands sufficient for normal Darcs operation. With Darcs 2 it turns out that you only need to allow running "darcs" with various arguments (as Darcs 2 uses special tunnelling to do all work while Darcs 1 used to open tons of connections). After several experiments, here is what you need:


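#!/bin/sh
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.

first_word() { echo "$1"; }

line="$SSH_ORIGINAL_COMMAND"
nl='
'
# The line is re-parsed by "sh -c" below, so the first-word check alone is not
# enough: refuse anything that could chain or substitute another command.
case "$line" in
  *[\;\&\|\`\$\<\>\(\)]* | *"$nl"*)
    echo "shell metacharacters are not allowed" >&2; exit 1 ;;
esac

set -f  # no filename expansion while splitting the line into words
command=$(first_word $line)
if [ "$command" = "darcs" ]; then
  sh -c "$line"
else
  echo "$command is not allowed" >&2
  exit 1
fi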


Then you add command="/home/username/bin/darcs-wrapper" (the value must be in double quotes) at the beginning of your colleagues' public key lines in ~/.ssh/authorized_keys and boom - they are restricted to running only darcs. You can also add no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty to tighten security. To get proper names in the darcs changes log, set the environment variable DARCS_LOGNAME to the name of the particular user by adding environment="DARCS_LOGNAME=username" to that user's key line in authorized_keys.

Hope that helps.
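
A shared account is only as restricted as its least-restricted key, so it is worth checking every line of authorized_keys for the forced command and the no-* options described above. The script below is an added example, not part of the original post; the wrapper path is the placeholder from the post and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit authorized_keys entries for the forced darcs wrapper.
# WRAPPER and the function names below are assumptions for illustration.
WRAPPER="/home/username/bin/darcs-wrapper"
REQUIRED="no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty"

# Print the options field of one key line: everything before the first space
# outside double quotes. Prints nothing when the line starts with a key type.
key_options() {
    printf '%s\n' "$1" | awk '{
        inq = 0; out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\\" && inq) { out = out c substr($0, i + 1, 1); i++; continue }
            if (c == "\"") inq = !inq
            if (c == " " && !inq) break
            out = out c
        }
        if (out ~ /^(ssh-|ecdsa-|sk-)/) out = ""
        print out
    }'
}

# Print "ok", or what is missing, for one key line (exact, case-sensitive match).
audit_line() {
    opts=$(key_options "$1")
    [ -n "$opts" ] || { echo "unrestricted: no options"; return 1; }
    missing=""
    case ",$opts," in
        *",command=\"$WRAPPER\","*) ;;
        *) missing=" command" ;;
    esac
    for opt in $REQUIRED; do
        case ",$opts," in *",$opt,"*) ;; *) missing="$missing $opt" ;; esac
    done
    [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
    echo "ok"
}

# Audit a whole file when a path is given: prints "<line number>: <verdict>".
if [ -n "${1:-}" ]; then
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        echo "$n: $(audit_line "$line")"
    done < "$1"
fi
```

sshd honours environment="..." options in authorized_keys only when PermitUserEnvironment is enabled in sshd_config, so check that setting if DARCS_LOGNAME does not show up in the changes log.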
