Re: Editing problem

[Todd Denniston]

Yves Dorfsman wrote, On 07/03/2008 09:21 AM:
> Fabio Venturi wrote:
>
> > I'm trying to setup a CVS server installed on Red Hat Linux
> > for few Windows clients using their Active Directory username and 
> > password.
> > So far so good... they authenticate on the system through Kerberos5 
> > and SSH
> > and make checkout, commit and import without any problem.
> > All the users are part of cvs group and the directory is owned by cvs 
> > user and cvs group.
> > The problem is: how can i prevent users to edit files directly in the 
> > CVS repository
> > on the server with an editor through the ssh shell?
> > Correct me if i'm wrong, but they have to modify the code only
> > doing a checkout on local machine and then a commit changes.
> > I've tried to prevent users login with ssh, but doing so also cvs is 
> > blocked.
> > Thank you in advance for any help,
> > best regards,
>
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_group.html
>
> It does not come by default with RH, but it compiles fine. You don't set 
> it up for global acces, but only for telnet and ssh and only allow a 
> small number of users (say users members of the group cvsadmin) to login 
> to the box.

Yves,
would you mind explaining how that can be used to prevent the user from 
executing programs other than cvs through the ssh connection?
I ask be cause I am interested in the capability too, but did not see (while 
reading that page) how sag-pam_group accomplished the above.

Fabio,
 From the googles I have done, I am seeing the following as options:
Authprogs:
 http://www.hackinglinuxexposed.com/articles/20030115.html
authorized_keys tweaking:
 http://www.hackinglinuxexposed.com/articles/20030109.html

ForceCommand & Match:
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config


I have not used any of them yet.


--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter