[svnbook commit] r2976 - trunk/src/en/book
kfogel
noreply at red-bean.com
Sat Feb 2 15:19:49 CST 2008
Author: kfogel
Date: Sat Feb 2 15:19:48 2008
New Revision: 2976
Log:
* src/en/book/ch06-server-configuration.xml
(Controlling the invoked command): Fix example to not use line
continuation, since SSH authorized_keys files don't support that.
Found by: Micah Anderson <micah{_AT_}riseup.net>
(See his mail below for details.)
From: Micah Anderson <micah{_AT_}riseup.net>
Subject: (forw) Error in SSH configuration tricks example
To: kfogel{_AT_}questioncopyright.org
Date: Sat, 2 Feb 2008 15:15:23 -0500
Hey karl,
I just found that my machine didn't actually send out this email because
my network connection was down. So instead of sending it to the
svnbook-dev address, I am just sending it to you, but if you feel like I
should also send it there, I'm happy to as well.
I looked in the nightly build, it's not fixed there.
micah
From: Micah Anderson <micah{_AT_}riseup.net>
Subject: Error in example
To: svnbook-dev{_AT_}red-bean.com
Date: Sat, 2 Feb 2008 13:15:48 -0500
Hi,
I just found an error in the svn book, in this section:
http://svnbook.red-bean.com/en/1.4/svn-book.html#svn.serverconfig.svnserve.sshtricks
The example which details setting up an authorized_keys file with this
to restrict the user to the specific named command, is wrong. This is
the example presented in the book:
command="svnserve -t --tunnel-user=harry",no-port-forwarding,\
no-agent-forwarding,no-X11-forwarding,no-pty \
TYPE1 KEY1 harry at example.com
The line-continuation actually cannot be used in this file; if you do
use it, the command restriction isn't parsed *at all*. If you set up
something like the above and test it, you will find you can check out a
repository fine, but you will also have ssh shell access to the server,
which you should *not* have if the command part of the key were working.
In order for this to work properly, all of this stuff has to be on one
line, with no continuation characters, as follows:
command="svnserve -t --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 harry at example.com
This is using openssh on debian stable, version 1:4.3p2-9.
Micah
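A check for the failure described in the mail above, as an added example that is not part of the original mail or the book: a small Python linter that flags authorized_keys entries whose options were split across lines or by a stray space, and the bare key line that results. The function names, finding labels, the KEY_TYPES list (not exhaustive) and the sample key material are assumptions constructed for illustration.

```python
# Added example: lint authorized_keys text for entries whose options were
# split across lines. One entry must occupy exactly one line.

# Key type names that can start the key part of an entry (not exhaustive).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def split_options(line):
    """Return (options, rest). The options field ends at the first space or
    tab outside double quotes; a backslash-escaped quote stays inside."""
    in_quotes, i = False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes and ch == "\\" and line[i + 1:i + 2] == '"':
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            break
        i += 1
    return line[:i], line[i:].strip()

def lint(text):
    """Return a list of (line_number, finding) for suspicious entries."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            findings.append((n, "continuation"))      # '\' does not join lines here
        if line.split()[0] in KEY_TYPES:
            findings.append((n, "unrestricted-key"))  # key with no options at all
            continue
        opts, rest = split_options(line)
        if not rest or rest.split()[0] not in KEY_TYPES:
            findings.append((n, "split-entry"))       # options not followed by a key
        elif "command=" not in opts:
            findings.append((n, "no-command"))        # options present, no forced command
    return findings

# Constructed samples: the book's layout with continuations, and the one-line form.
BROKEN = ('command="svnserve -t --tunnel-user=harry",no-port-forwarding,\\\n'
          'no-agent-forwarding,no-X11-forwarding,no-pty \\\n'
          'ssh-rsa AAAAEXAMPLEKEY harry@example.com\n')
FIXED = ('command="svnserve -t --tunnel-user=harry",no-port-forwarding,'
         'no-agent-forwarding,no-X11-forwarding,no-pty '
         'ssh-rsa AAAAEXAMPLEKEY harry@example.com\n')

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(sample))
```

On the broken sample the third line is reported as a key with no options, which matches the shell access Micah observed.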
Modified:
trunk/src/en/book/ch06-server-configuration.xml
Modified: trunk/src/en/book/ch06-server-configuration.xml
==============================================================================
--- trunk/src/en/book/ch06-server-configuration.xml (original)
+++ trunk/src/en/book/ch06-server-configuration.xml Sat Feb 2 15:19:48 2008
@@ -1349,11 +1349,19 @@
after the <literal>command</literal>:</para>
<screen>
- command="svnserve -t --tunnel-user=harry",no-port-forwarding,\
- no-agent-forwarding,no-X11-forwarding,no-pty \
- TYPE1 KEY1 harry at example.com
+ command="svnserve -t --tunnel-user=harry",no-port-forwarding,
+ no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 harry at example.com
</screen>
+ <para>(Note that this all must be on one line—truly on
+ one line, since SSH <filename>authorized_keys</filename> files
+ do not even allow the conventional "<literal>\</literal>" for
+ line continuation. Thus, there should be no line break and no
+ space between "<literal>no-port-forwarding,</literal>" and
+ "<literal>no-agent-forwarding,</literal>" in the example
+ above; the only reason we've formatted it with a line break is
+ to fit it on the physical page of a book.)</para>
+
</sect3>
</sect2>
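Review bot: The replacement example inside <screen> still breaks the entry after "no-port-forwarding,", and since <screen> is verbatim, a reader who copies it gets a two-line entry, which is the same failure the log message describes. The explanation only arrives afterwards, in a parenthetical paragraph that is easy to skip. Consider moving the caveat ahead of the example (or marking it as a warning) and stating the consequence from Micah's report: with the entry split, the command restriction is not applied and the key holder gets ssh shell access. It would also help to say in the text that the second line is indented only for page layout, so the leading whitespace is not read as part of the entry.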