Package: git
Version: 1:2.14.1-2
Severity: wishlist
File: /usr/bin/git-shell

Dear Maintainer,

I am writing this to the Debian Bug Tracker because I didn't find any issue tracker upstream that is actually monitored for non-bugs, and because I believe that a message written to the mailing list containing suggestions without patches is likely to be ignored if the suggestions come from a nobody like me. Please feel free to forward wherever you feel it appropriate.

As a professional sysadmin, I frequently use ssh, passphraseless keys and ssh-forced-commands to invoke jobs remotely and securely. I usually use a script as forced command that parses SSH_ORIGINAL_COMMAND and executes the allowed commands. I have blogged about that in German in http://blog.zugschlus.de/archives/982-Login-als-technischer-User-mit-ssh-forced-commands.html, but the shell script should be international.

I have recently talked to a colleague who uses git-shell for those tasks, even those that are not git-related. Actually, I find that idea quite neat. However, I do have some suggestions to make things even easier.

Basically, my intended use of git-shell is to have git-shell replace the if-elif-cascade in the ssh-forced-command script, having the subcommands made available by the script in the git-shell-command directory instead.

(1) When using git-shell, the remote user gets git access to all git repositories that are readable by the user. This might not be wanted. Please consider a configuration file or a list of paths on the git-shell command line, so that the local admin can restrict the git repositories a git-shell user can access, including up to /nonexistent for "no access to git repositories at all".

(2) Please consider adding an option --ssh-original-command which makes git-shell consider the contents of $SSH_ORIGINAL_COMMAND as its command line. This would allow using git-shell as "command" in an authorized_keys line, while enabling the user to still give commands on the ssh command line as if the account were open. Validation and parsing of the parameters can be done by git-shell and the program called from git-shell-commands.

Thanks for your consideration.

Greetings
Marc
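
The directory-based dispatch described in the report, as an added example that is not part of the original message and is not git-shell's code: a forced-command script that treats the first word of SSH_ORIGINAL_COMMAND as the name of an executable in a command directory, replacing the if-elif cascade. The script path, `CMD_DIR` and its default location are assumptions.

```shell
#!/bin/sh
# Added example: forced-command dispatcher. Hypothetical authorized_keys use:
#   command="/usr/local/bin/ssh-dispatch",restrict ssh-ed25519 <key> jobuser
# CMD_DIR plays the role of a git-shell-commands directory (assumed path).
CMD_DIR=${CMD_DIR:-$HOME/forced-commands}

# resolve_command DIR CMDLINE
# Prints the executable selected by the first word of CMDLINE and returns 0,
# or returns 1 if that word is not a plain name of an executable file in DIR.
resolve_command() {
    dir=$1
    set -f; set -- $2; set +f      # split on whitespace: no globbing, no eval
    name=${1-}
    case $name in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;  # empty, dotfile, '/', metachars
    esac
    [ -f "$dir/$name" ] && [ -x "$dir/$name" ] || return 1
    printf '%s\n' "$dir/$name"
}

# dispatch: run the requested subcommand with the remaining words as arguments.
# Quotes in SSH_ORIGINAL_COMMAND are not interpreted; each subcommand still
# has to validate its own arguments.
dispatch() {
    if ! target=$(resolve_command "$CMD_DIR" "${SSH_ORIGINAL_COMMAND-}"); then
        echo "command not allowed" >&2
        return 126
    fi
    set -f; set -- ${SSH_ORIGINAL_COMMAND-}; set +f
    shift                          # drop the subcommand name
    exec "$target" "$@"
}

# Only act when sshd supplied a client command; otherwise do nothing.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    dispatch
fi
```

Adding a new remote job then means dropping an executable into the command directory; nothing outside that directory can be named by the client.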