1

We have a service that manages files both over a webinterface but also requires access to files via rsync. One way to handle this is to give each user a UNIX account on the system and allow only access if the program run over ssh is the receiving end of rsync as these users should not be able to use the server as a remote computing device.

Managing keys via a webinterface was easy enough by using the AuthorizedKeyProgram directive in the sshd config but I wonder how one would set up a system where there is only ONE login, like github has a single "github" user for their ssh git connection and then change the underlying directory the connection has access to based on what ssh key was used to open the connection.

How can I combine the AuthorizedKeyProgram of sshd with other programs like an ssh command and other restricting systems to make a one login multiple users ssh login as github seems to use for their repositories and the "git" program?

Right now the AuthorizedKeyProgram reads out the ssh keys from a database and then appends a "only-rsync.sh" script as a forced command:

print("command=\"only_rsync\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty" + key)

The "only-rsync.sh" script simply does the following:

#!/bin/bash if [ -n "$SSH_ORIGINAL_COMMAND" ]; then if [[ "$SSH_ORIGINAL_COMMAND" =~ ^rsync\ ]]; then exec $SSH_ORIGINAL_COMMAND --chmod=a+rwX fi fi
Improve this question
4
  • Ok, what is the question? What's a problem, what is insufficient? I suppose you imply "how to make it like github", but that is very vague, and the answer to how I would understand that question is basically given in the chapter "setting up the server" in the git-scm book. (The similar technique is given for Subversion in it's manual, too.) In general, you have to describe what exactly you want, not just leave the reference to an example. The reference is nice to have, but certainly it isn't enough, largely because it's unclear what feature you are referring to. Describe the feature itself. Commented Feb 17 at 13:39
  • Ok my question was wrapped into the "I wonder ..." sentence, but I phrased it out as an actual question above the examples. Commented Feb 17 at 14:22
  • Reading through that chapter of the git-scm tutorial it seems the real question is "Is there a rsync-shell program restricting access to everything but rsync like git-shell does for git." - but it also needs something akin to a chroot to make the part of the file system that is visible to the users limited to their and only their repositories. Commented Feb 17 at 14:31
  • Then it's long time answered on ServerFault: serverfault.com/questions/965053/… Commented Feb 18 at 4:37

0

Reset to default

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.