On Tue, Dec 09, 2008 at 01:07:00AM -0800, R. Tyler Ballance wrote:
> Accounts set up with keys for Gitosis are given restricted accounts
> (from my understanding similar to how CVS or SVN operate over SSH
> tunnels).

I don't think I've ever seen a CVS used with "virtual" restricted-shell
accounts. The svnserve --tunnel-user= support for that mode of operation
was written by me, and is basically exactly the same trick as the one
used by gitosis. Before gitosis, I had my old SVN setup pretty much
reproduced with git, but then I got bored administering it and wrote
gitosis to automate account and access management.

I am not aware of anyone ever finding a way to get around an
svnserve --tunnel-user= setup. I'm not losing my sleep over the security
of this concept.

Use an SSH gateway if you want tighter control on who gets where,
network-wise. Then you won't get non-git login attempts from the
external net.

Or run an extra SSH service, e.g. using Conch. As long as it respects
~ssh and is interoperable with OpenSSH, gitosis should work just fine.
It can even run as the git user 100% of the time.

-- 
:(){ :|:&};:
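
The restricted accounts discussed in this message depend on every key entry in the shared account's OpenSSH authorized_keys file being pinned to one forced command with forwarding and PTY allocation switched off. The following audit is an added example, not part of the original message and not gitosis or Subversion code; it assumes the standard OpenSSH authorized_keys option syntax, and the sample entries, user names and key strings are constructed.

```python
import re

# Restrictions expected beside the forced command (option names lowercased).
REQUIRED = {"no-port-forwarding", "no-x11-forwarding",
            "no-agent-forwarding", "no-pty"}
KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)")
# One option: name, optional ="quoted value" (\" allowed inside), delimiter.
OPTION = re.compile(r'([\w-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s|$)')

def parse_options(line):
    """Return {option: value} from the options field of one key entry."""
    if KEY_TYPE.match(line):
        return {}                      # entry starts with the key type
    opts, pos = {}, 0
    while (m := OPTION.match(line, pos)):
        opts[m[1].lower()] = (m[2] or "").replace('\\"', '"')
        pos = m.end()
        if m[3] != ",":
            break                      # unquoted space ends the options field
    return opts

def audit(text):
    """Return (line number, problem) for entries not pinned to one command."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        if not opts.get("command"):
            findings.append((n, "no forced command"))
        if "restrict" in opts:         # flag anything re-enabled after restrict
            missing = {r for r in REQUIRED if r[3:] in opts}
        else:
            missing = REQUIRED - set(opts)
        if missing:
            findings.append((n, "lacks " + ", ".join(sorted(missing))))
    return findings

# Constructed sample entries; key material is placeholder text.
SAMPLE = """\
command="gitosis-serve alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAconstructed alice@example
command="svnserve -t --tunnel-user=bob",no-port-forwarding,no-pty ssh-rsa AAAAconstructed bob@example
ssh-ed25519 AAAAconstructed carol@example
restrict,pty,command="gitosis-serve dave" ssh-ed25519 AAAAconstructed dave@example
"""
```

Calling audit(SAMPLE) reports the second entry for its missing forwarding restrictions, the third for having no forced command at all, and the fourth for re-enabling a PTY.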