need a restricted shell

Daniel Bye freebsd-questions at
Thu Sep 7 08:55:28 PDT 2006

On Wed, Sep 06, 2006 at 02:55:25PM -0600, Chad Leigh -- Shire.Net LLC wrote:
> I am looking for a shell that will allow Subversion to be run over  
> ssh but not allow interactive login or if it allows interactive  
> login, will only allow Subversion commands to be run...  Any ideas on  
> how to accomplish this?
> I have been looking at various shell lists in ports but nothing  
> popped out as obvious to me

I have done this in the following way:

Create a dedicated user, for example, svn.  This user will own the
repository. If you intend to allow "normal" users to access the
repository from accounts on the server box, you'll need an svn group,
as well.  From your question, though, I get the impression this isn't
what you intend, so I'll ignore that possibility.

For each user, copy their public key to the svn user's
.ssh/authorized_keys file, prepending each one with:

command="/usr/local/bin/svnserve -t --tunnel-user=username -r /path/to/your/repository/root",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty

Obviously, you'll need to put the appropriate user's name in place of
username, above. It is used by the server to record who does what, so
that there is no real need for each of your developers to have an account
on the server.  By specifying the command to be run with each key, you
tell sshd not to allow any other type of activity, so there is no real
need for a restricted shell. However, other suggestions about limiting
which IP's can connect and which users (in this case, make sure svn is
included in the list of username!), are valid.

Each client will need to set up a new scheme for connecting to the svn
account at the server box. Something like this in each developer's
~/.subversion/config should do the trick:

mysvn = $MYSVN_SSH ssh -l svn

If set, $MYSVN_SSH will be evaluated instead of running the ssh command.
See the documentation for how this might be useful (I can't remember...)

Now, in order to connect, your clients will need to specify the path to
the repository like this:


If you have any clients who use TortoiseSVN, they will need to specify
the scheme differently:


(Unless, of course, you can find some way for them to also use custom

It takes a little work to set up, but when it is running, it works well.


Daniel Bye

PGP Key:
PGP Key fingerprint: D349 B109 0EB8 2554 4D75  B79A 8B17 F97C 1622 166A
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the freebsd-questions mailing list