Re: Editing problem

[Yves Dorfsman]

Todd Denniston wrote:
> Yves Dorfsman wrote, On 07/03/2008 09:21 AM:
> > Fabio Venturi wrote:
> >
> > > I'm trying to setup a CVS server installed on Red Hat Linux
> > > for few Windows clients using their Active Directory username and 
> > > password.
> > > So far so good... they authenticate on the system through Kerberos5 
> > > and SSH
> > > and make checkout, commit and import without any problem.
> > > All the users are part of cvs group and the directory is owned by cvs 
> > > user and cvs group.
> > > The problem is: how can i prevent users to edit files directly in the 
> > > CVS repository
> > > on the server with an editor through the ssh shell?
> > > Correct me if i'm wrong, but they have to modify the code only
> > > doing a checkout on local machine and then a commit changes.
> > > I've tried to prevent users login with ssh, but doing so also cvs is 
> > > blocked.
> > > Thank you in advance for any help,
> > > best regards,
> >
> > http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_group.html 
> >
> >
> > It does not come by default with RH, but it compiles fine. You don't 
> > set it up for global acces, but only for telnet and ssh and only allow 
> > a small number of users (say users members of the group cvsadmin) to 
> > login to the box.
>
> would you mind explaining how that can be used to prevent the user from 
> executing programs other than cvs through the ssh connection?
> I ask be cause I am interested in the capability too, but did not see 
> (while reading that page) how sag-pam_group accomplished the above.


Fabio says his users authenticate through kerberos, so I assumed gssapi, 
maybe I got that wrong.... If you do use gssapi, then you do not use ssh for 
the cvs connection at all, then it is not an issue to disable ssh connection 
for users that only need to use the box via cvs, rather than log in.


--
Yves.
http://www.SollerS.ca