On Sat, Apr 18, 2009 at 01:00:35AM +0400, Dmitry Potapov wrote: > On Fri, Apr 17, 2009 at 09:49:19PM +0200, Mike Hommey wrote: > > On Fri, Apr 17, 2009 at 08:24:35PM +0400, Dmitry Potapov wrote: > > > On Thu, Apr 16, 2009 at 11:10:56PM +0200, Mike Hommey wrote: > > > > When using a forced-command, OpenSSH sets the SSH_ORIGINAL_COMMAND > > > > variable to what would otherwise be passed to $SHELL -c. When this > > > > variable is set, we use it instead of the contents of argv. > > >_ > > > It would be nice to provide some justification where it can be used. > > > IOW, why do you want to have the force command where essentially > > > you execute the original command as it were no force-command? > >_ > > You're not executing any command, but only what git-shell allows. > > This allows git-shell to be set as a forced-command for a specific > > ssh key, for example. > > Would it better to set git-shell as the login shell for this account? > IMHO, that provides better security than using a forced-command, and > that is how git-shell is intended to use. So, I am not sure what are > benefits of using a forced-command when it just executes the original > command using git-shell. You may want to provide other kind of accesses for the same account. Also, an unpriviledged user would be able to, without root access, setup write access to his private git repositories via forced-commands for given ssh keys. > Besides, you made SSH_ORIGINAL_COMMAND to take precedent over explicitly > specified parameters given to git-shell. Maybe it should be the other > way around? If SSH_ORIGINAL_COMMAND is set, which means forced-commands are in use, I don't see why other parameters should be more important. Mike -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html