SSH refuses to grant CVS-only access

Howdy,

I'd like to give a few project members CVS access (and only that, no shell logins) to my repository via SSH. However, access is only granted when they have actual login shells. If I set their login shells to /sbin/nologin they can't get in. I have added the following to /etc/ssh/sshd_config, but it Doesn't Work (tm).
Code:
Match Group sshcvs
   AllowAgentForwarding no
   AllowTcpForwarding no
   ForceCommand cvs server

Any ideas?

Fonz
 
Or better yet, write a shell wrapper that will validate the command line and only fork off that command (this is what the FreeBSD project does).
 
Thanks guys. Because of pbd's remark I noticed the following in sshd_config(5): The command is invoked by using the user's login shell with the -c option.

I may have taken the slightly longer road by writing my own version of /sbin/nologin in C, rather than a shell script as Gordon suggested, but it does work now.

Problem solved :)

Fonz
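A minimal restricted login shell of the kind this thread arrives at, added here as an illustration; it is not Fonz's program and not the FreeBSD project's wrapper. Because sshd runs the command as `<login shell> -c "<command>"`, the shell itself has to check its arguments. The path `/usr/bin/cvs` and the function name `cvs_only_allowed` are assumptions.

```c
/* Added example: restricted login shell for CVS-over-SSH accounts.
 * Install it as the login shell of the CVS-only users.
 * Assumption: the cvs binary is at /usr/bin/cvs; adjust for your system. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CVS_PATH "/usr/bin/cvs"   /* assumed location of cvs */

/* Return 1 only for the exact invocation sshd produces for a CVS client:
 *   <shell> -c "cvs server"
 * Anything else (interactive login, other commands, extra arguments)
 * returns 0. The comparison is a strict string match, so shell
 * metacharacters appended to the command are rejected rather than parsed. */
int cvs_only_allowed(int argc, char *const argv[])
{
    if (argc != 3 || argv[1] == NULL || argv[2] == NULL)
        return 0;
    if (strcmp(argv[1], "-c") != 0)
        return 0;
    return strcmp(argv[2], "cvs server") == 0;
}

int main(int argc, char *argv[])
{
    /* Fixed argument vector: nothing supplied by the client reaches exec. */
    char *const cvs_argv[] = { "cvs", "server", NULL };

    if (!cvs_only_allowed(argc, argv)) {
        fprintf(stderr, "This account is restricted to CVS access.\n");
        return 1;
    }

    /* Replace this process with cvs directly; no shell is involved. */
    execv(CVS_PATH, cvs_argv);
    perror("execv");   /* only reached if exec failed */
    return 127;
}
```

An interactive login arrives with no `-c` argument and is refused; the `ForceCommand cvs server` line from the first post still applies and arrives here as `-c "cvs server"`.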
 