1

I have a Mercurial repository on a secure server, to which I want to grant secure access to an external user.

I added a user account for him with public-key SSH authentication, so that he can now push/pull changesets via SSH.

My question is: how can I completely prevent this new user account from doing anything or accessing any data on the server other than accessing the repository? E.g. he shouldn't even have the possibility to enter an interactive shell session.

Thanks

1 Answer

0

Run this command to locate the sftp-server binary on your server:

    whereis sftp-server

Then run this command to set the user's shell to the sftp-server program, changing its location to the location discovered above:

    chsh -s /usr/lib/sftp-server hg-user

Now the user will only have SFTP access to the system.

2
  • 1
    (1) Changing the shell is not secure, see semicomplete.com/articles/ssh-security and (2) for hg to run via ssh, the local hg binary on the remote server should be called, not the ftpd. So I think what you offer isn't a viable solution.
    – GJ.
    Commented Feb 21, 2011 at 9:30
  • @GJ: Sorry about that. There is a script included with the Mercurial distribution to aid in setting up secure SSH access to hg. It also suggests changing certain SSH settings to mitigate the issues described in your link.
    – Patches
    Commented Feb 21, 2011 at 10:47
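
An added example, not part of the original thread and not the script shipped with Mercurial: a forced-command wrapper of the kind the comments point toward, which refuses interactive logins and anything other than the `hg -R <repo> serve --stdio` request a Mercurial client sends over SSH. The wrapper path `/usr/local/bin/hg-only`, the `ALLOWED_REPOS` value and the `authorized_keys` line in the docstring are assumptions.

```python
#!/usr/bin/env python3
"""Forced-command wrapper: lets one SSH key run only `hg serve --stdio`.

Assumed (constructed) line in ~hg-user/.ssh/authorized_keys, one line:
  command="/usr/local/bin/hg-only",no-pty,no-port-forwarding,
  no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY> user@host
"""
import os
import shlex
import sys

# Assumption: the repositories this key may reach.
ALLOWED_REPOS = {"/srv/hg/project"}


def allowed_argv(original_command, allowed_repos=ALLOWED_REPOS, home=None):
    """Return the argv to exec, or None if the request must be refused."""
    if not original_command:
        return None  # no command sent: an interactive login attempt
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return None  # unbalanced quoting
    # A Mercurial client asks the server for: hg -R <repo> serve --stdio
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        return None
    # ssh://host/path is relative to the home directory, ssh://host//path is
    # absolute. Resolve symlinks and ".." on both sides before comparing.
    home = home or os.path.expanduser("~")
    repo = os.path.realpath(os.path.join(home, argv[2]))
    if repo not in {os.path.realpath(p) for p in allowed_repos}:
        return None
    return ["hg", "-R", repo, "serve", "--stdio"]


def main():
    # sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
    argv = allowed_argv(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        sys.stderr.write("This key permits Mercurial access only.\n")
        return 1
    os.execvp(argv[0], argv)  # argv list, no shell: metacharacters stay inert


if __name__ == "__main__":
    sys.exit(main())
```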
