%META:TOPICINFO{author="RizwanKassim" date="1108022987" format="1.0" version="1.2"}%
%META:TOPICPARENT{name="WineCVS"}%
How to set up a restricted SSH account using hostkeys so that only CVS can run... Excellent for webservers, university accounts and other places where you don't have root.

AFAIK, this only works with !OpenSSH. The guide implicitly uses SSH2.

   * First, generate your session keys on the CVS 'server'
      * I use quotes here, because the server is actually an SSH server; CVS server implies pserver, which isn't what we are doing at all.
      * Run 'ssh-keygen -t rsa' (or dsa) to generate a hostkey. Set up a password if you'd like. Keep note of where the keys are stored (or put them into another location so they don't mess up any keys you actually have.)
      * Edit the .pub file generated, putting 'command="cvs server "' in front of the 'ssh-dss or ssh-rsa' string. (Write the appropriate path to cvs if it isn't in your path.)
      * Combine the pub file with your existing ~/.ssh/authorized_keys2 file. (If you don't have one already, just rename the pub file to that name.)
      * chmod the key file 600
   * On any machine that you wish to permit SSH access to:
      * Give them the id_rsa or id_dsa file generated (feel free to rename it to descriptivename.key)
      * Modify the ~/.ssh/config file, adding :
         Host (CVS server name)
         User (The Username you Generated the Key under)
         !IdentityFile (Path to the aforementioned .key file)
      * Finally, have them set CVS_RSH=ssh and CVSROOT=:ext:username@server:CVSROOTPATH, where CVSROOTPATH is the path to your CVSROOT on the server.
   * Voila! Now you can run CVS and it will connect to the server via ssh, *only* permit them to use cvs (Yay for security!) and disconnect!

Any questions, feel free to email me.

Installation description is here : WineCVS

-Rizwan Kassim

-- Main.RizwanKassim - 16 Jan 2005
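
The key-editing step above, as an added example that is not part of the original page: it prepends the forced command to a public key line and audits a key file for entries that would still grant a shell. Assumptions: the function names are hypothetical, the sample key is constructed, and the no-* options are OpenSSH authorized_keys options the page does not mention (a forced command alone does not switch off port, X11 or agent forwarding).

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Forced command from the page, plus OpenSSH options that also switch off
# forwarding and terminal allocation for this key.
CVS_OPTS='command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# restrict_pubkey LINE: print LINE with CVS_OPTS in front of the key type.
# Refuses a line that does not start with a key type (e.g. it already has options).
restrict_pubkey() {
    case "$1" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *)
            printf '%s %s\n' "$CVS_OPTS" "$1" ;;
        *)
            echo "refusing: line does not start with a key type" >&2
            return 1 ;;
    esac
}

# audit_keys FILE: print "LINE STATUS" for every key entry in FILE.
#   unrestricted = no options at all, the key opens a normal shell
#   no-command   = options present, but no forced command among them
#   forced       = a command= option is present
audit_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
        /^(ssh-|ecdsa-|sk-)/ { print NR, "unrestricted"; next }
        /(^|,)command="/     { print NR, "forced"; next }
        { print NR, "no-command" }
    ' "$1"
}

# Constructed sample key (not a real key), used only to show the output.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ== cvs-only-sample'
demo=$(mktemp)
{ echo "$SAMPLE_KEY"; restrict_pubkey "$SAMPLE_KEY"; } > "$demo"
audit_keys "$demo"
rm -f "$demo"
```

Run audit_keys against the real key file after combining the keys; every line meant for CVS-only use should report forced.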