> 1) Set CVS_RSH=ssh and get machine C to connect back.  This has two
> problems: a) I'd need to have the user on machine C's keys in an
> authorized_keys file on A and, b) it won't get through the firewall.
> 
> 2) Setup a ssh to forward the pserver port.  However, I'd need to put a
> password on machine C in order to get access to A.
> 
> 3) Setup ssh to forward rsh.  I feel this is worse than 2.

Note that you can control the "user id" attached to ssh keys at
ssh-keygen time to not contain strings which have any connection with
"A", "B", or "C".

1) ssh from A to C, port-forwarding a local port on C back to a port
on A which is running a secondary ssh server with access to the
repository but not necessarily login access..

Authenticate this "outer" connection on C using a j-random public key
with a key name unrelated to "A".

2) make an ssh connection on C to the local port forwarded in step #1.

					- Bill