[svnbook commit] r2976 - trunk/src/en/book

kfogel noreply at red-bean.com
Sat Feb 2 15:19:49 CST 2008


Author: kfogel
Date: Sat Feb  2 15:19:48 2008
New Revision: 2976

Log:
* src/en/book/ch06-server-configuration.xml
  (Controlling the invoked command): Fix example to not use line
  continuation, since SSH authorized_keys files don't support that.

Found by: Micah Anderson <micah{_AT_}riseup.net>
(See his mail below for details.)

  From: Micah Anderson <micah{_AT_}riseup.net>
  Subject: (forw) Error in SSH configuration tricks example
  To: kfogel{_AT_}questioncopyright.org
  Date: Sat, 2 Feb 2008 15:15:23 -0500
  
  Hey karl,
  
  I just found that my machine didn't actually send out this email because
  my network connection was down. So instead of sending it to the
  svnbook-dev address, I am just sending it to you, but if you feel like I
  should also send it there, I'm happy to as well.
  
  I looked in the nightly build, it's not fixed there.
  
  micah
  
  From: Micah Anderson <micah{_AT_}riseup.net>
  Subject: Error in example
  To: svnbook-dev{_AT_}red-bean.com
  Date: Sat, 2 Feb 2008 13:15:48 -0500
  
  Hi,
  
  I just found an error in the svn book, in this section:
  
  http://svnbook.red-bean.com/en/1.4/svn-book.html#svn.serverconfig.svnserve.sshtricks
  
  The example which details setting up an authorized_keys file with this
  to restrict the user to the specific named command, is wrong. This is
  the example presented in the book:
  
    command="svnserve -t --tunnel-user=harry",no-port-forwarding,\
             no-agent-forwarding,no-X11-forwarding,no-pty \
             TYPE1 KEY1 harry at example.com
  
  The line-continuation actually cannot be used in this file; if you do
  use it, the command restriction isn't parsed *at all*. If you set up
  something like the above and test it, you will find you can check out a
  repository fine, but you will also have ssh shell access to the server,
  which you should *not* have if the command part of the key were working.
  In order for this to work properly, all of this stuff has to be on one
  line, with no continuation characters, as follows:
  
    command="svnserve -t --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty  TYPE1 KEY1 harry at example.com
  
  This is using openssh on debian stable, version 1:4.3p2-9.
  
  Micah
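
A lint check for the failure described in the mail above, as an added example that is not part of the original commit mail or the Subversion book. It assumes a policy that every key in the file must carry a forced command; the function names, finding labels and sample key text are constructed for illustration.

```python
import re

# Key-type names OpenSSH accepts at the start of the key field.
KEY_TYPE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[\w.@-]+)$")

def split_fields(line):
    """Split on whitespace, keeping double-quoted option values intact."""
    fields, cur, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return fields + ([cur] if cur else [])

def lint_authorized_keys(text):
    """Return (line_number, finding) pairs; an empty list means clean."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        # The key type must be field 0 (no options) or field 1 (after options).
        key_at = next((i for i, f in enumerate(fields[:2]) if KEY_TYPE.match(f)), None)
        if line.endswith("\\"):
            findings.append((n, "continuation"))       # backslash does not join lines here
        elif key_at is None:
            findings.append((n, "fragment"))           # options with no key on the same line
        elif key_at == 0 or 'command="' not in fields[0]:
            findings.append((n, "no-forced-command"))  # key is not tied to svnserve
    return findings

# Constructed sample input (the key material is a placeholder, not a real key).
BROKEN = r'''command="svnserve -t --tunnel-user=harry",no-port-forwarding,\
         no-agent-forwarding,no-X11-forwarding,no-pty \
         ssh-rsa AAAAB3NzaC1yc2EXAMPLE harry@example.com
'''
FIXED = ('command="svnserve -t --tunnel-user=harry",no-port-forwarding,'
         'no-agent-forwarding,no-X11-forwarding,no-pty '
         'ssh-rsa AAAAB3NzaC1yc2EXAMPLE harry@example.com\n')

if __name__ == "__main__":
    for name, sample in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_authorized_keys(sample))
```

On the three-line sample the last line is reported as a key with no forced command, which matches the shell access described in the report.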


Modified:
   trunk/src/en/book/ch06-server-configuration.xml

Modified: trunk/src/en/book/ch06-server-configuration.xml
==============================================================================
--- trunk/src/en/book/ch06-server-configuration.xml	(original)
+++ trunk/src/en/book/ch06-server-configuration.xml	Sat Feb  2 15:19:48 2008
@@ -1349,11 +1349,19 @@
           after the <literal>command</literal>:</para>
 
         <screen>
-  command="svnserve -t --tunnel-user=harry",no-port-forwarding,\
-           no-agent-forwarding,no-X11-forwarding,no-pty \
-           TYPE1 KEY1 harry at example.com
+  command="svnserve -t --tunnel-user=harry",no-port-forwarding,
+  no-agent-forwarding,no-X11-forwarding,no-pty TYPE1 KEY1 harry at example.com
 </screen>
 
+        <para>(Note that this all must be on one line—truly on
+        one line, since SSH <filename>authorized_keys</filename> files
+        do not even allow the conventional "<literal>\</literal>" for
+        line continuation.  Thus, there should be no line break and no
+        space between "<literal>no-port-forwarding,</literal>" and
+        "<literal>no-agent-forwarding,</literal>" in the example
+        above; the only reason we've formatted it with a line break is
+        to fit it on the physical page of a book.)</para>
+
       </sect3>
 
     </sect2>
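
Review bot: the corrected example inside <screen> still breaks after "no-port-forwarding," and the paragraph saying it must be one line comes only afterwards, in parentheses, so a reader who copies the block from a rendered page gets a two-line entry again. Consider moving that paragraph ahead of the <screen> block, dropping the parentheses, and stating the consequence given in the report: the command restriction is not applied and the key gives ssh shell access. The phrase "the physical page of a book" could also mention that the on-screen rendering carries the same line break.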



