need a restricted shell

David Robillard david.robillard at gmail.com
Thu Sep 7 06:37:05 PDT 2006


> I am looking for a shell that will allow Subversion to be run over
> ssh but not allow interactive login or if it allows interactive
> login, will only allow Subversion commands to be run...  Any ideas
> on how to accomplish this?

Hi Chad,

You could install the shells/scponly port and build it with it's chroot option.
(i.e. sudo make -DWITH_SCPONLY_CHROOT install) Don't run the `make
clean` just yet, because you will need the "setup_chroot.sh" script
which is inside the work/scponly-<port_version> directory.

Use the script to create a chroot directory. Then populate this new
chroot directory with the files required by the commands and libraries
which you want to give to your users (such as Subversion).

Next, use vipw(8) to assign /usr/local/sbin/scponlyc as the shell and
the chroot directory for the user(s) which you want to limit only to
your Subversion commands. Assign a password to those users then test
if you can connect and use the Subversion commands.

Basically, this is Hack number 63 on page 269 in the book "BSD Hacks,
100 Industrial-Strength Tips & Tools" by Dru Lavigne published by
O'Reilly. (ISBN: 0-596-00679-9).

Also, to further restrict access to your machine, configure sshd(8) to
allow only a limited subset of users. See AllowUsers and AllowGroups
in sshd_config(5) for this.

Finally, if you happen to know the origin of the connections, then
configure TCP_WRAPPERS via /etc/hosts.allow to limit ssh connections.
See hosts_access(5) and section 14.6 of the FreeBSD Handbook for info
on how to set this up.

Alright, if you have any questions, please be my guest and send them up to me.

Cheers!

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


More information about the freebsd-questions mailing list