On 26.07.2010 13:27, Nico Kadel-Garcia wrote:
The svnuser has its password locked and unusable, and its shell set
to /sbin/nologin. The SSH clients have their public SSH keys set,
ideally public keys used for this alone though that's hard to enforce,
and the keys are used for the svnuser's "authorized_keys" file to run
the svnserve command with the "--user" option. This is the typical
syntax, from the Subversion book, with "TYPE1 KEY1" being copied from
the SSH key for "harry".

      command="svnserve -t --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 ha...@example.com

Ok. Thanks for pointing me to the manual. So let me summarize:

1. One ssh-account is needed.
2. Via public keys I can identify different users. One keypair is needed for each user and the public key has to be in the authorized_key file of the ssh-account.
3. I can disable all different task models via authorized_key file but leave the ssh user as it is (for svn unrelated jobs).
4. Fine-grained access restriction is possible via authz-db.

So, this is still a bunch of work, but seems doable

thanks so far

ciao
Ulf
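
An added example, not part of the original messages: a small audit of the shared account's authorized_keys file that flags any key not pinned to `svnserve -t --tunnel-user=NAME` or missing the four restrictions from the quoted entry. The sample keys, the allowed user-name pattern, and the choice to accept OpenSSH's `restrict` option in place of the four `no-*` options are assumptions of this sketch.

```python
import re

# Restrictions from the quoted entry (OpenSSH matches option names case-insensitively).
REQUIRED = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
FORCED = re.compile(r"svnserve -t --tunnel-user=[A-Za-z0-9._-]+")
KEYTYPE = re.compile(r"(ssh-|ecdsa-|sk-)\S+\s")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|[ \t]+)')

def parse_options(line):
    """Return {name: value} for the leading options field, or None if malformed."""
    opts, pos = {}, 0
    while True:
        m = OPTION.match(line, pos)
        if not m:
            return None
        opts[m.group(1).lower()] = m.group(2) or ""
        pos = m.end()
        if m.group(3) != ",":  # whitespace ends the options field
            return opts

def audit(text):
    """Return (line_number, problem) for every key that is not locked to svnserve."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = None if KEYTYPE.match(line) else parse_options(line)
        if opts is None:
            findings.append((n, "no parseable options (plain key lines are unrestricted)"))
            continue
        if not FORCED.fullmatch(opts.get("command", "")):
            findings.append((n, "missing or unexpected forced command"))
        missing = REQUIRED - set(opts)
        if missing and "restrict" not in opts:
            findings.append((n, "missing " + ",".join(sorted(missing))))
    return findings

# Constructed sample; key material and addresses are placeholders.
SAMPLE = """\
command="svnserve -t --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER1 harry@example.com
command="svnserve -t --tunnel-user=sally",no-pty ssh-ed25519 AAAAPLACEHOLDER2 sally@example.com
ssh-ed25519 AAAAPLACEHOLDER3 admin@example.com
command="svnserve -t",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER4 joe@example.com
"""

if __name__ == "__main__":
    for n, problem in audit(SAMPLE):
        print(f"line {n}: {problem}")
```
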
