Subject: Re: cvs and ssh
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: David Forbes <david@flossy.u-net.com>
List: netbsd-users
Date: 08/05/2001 22:55:00
Bill,

Thanks, this is useful...

> Note that you can control the "user id" attached to ssh keys at
> ssh-keygen time to not contain strings which have any connection with
> "A", "B", or "C".
>
> 1) ssh from A to C, port-forwarding a local port on C back to a port
> on A which is running a secondary ssh server with access to the
> repository but not necessarily login access.

I haven't quite figured this bit out yet.  Do you mean running the ssh
server in a chroot environment, or is there a way of specifying options to
sshd?

>
> Authenticate this "outer" connection on C using a j-random public key
> with a key name unrelated to "A".
>
> 2) make an ssh connection on C to the local port forwarded in step #1.

Surely this would still require the private half of a key pair stored on
C?


What I'm really looking for is a way to have the return connection "given
the nod" by A, by virtue of the fact that it is started by an ssh session
from A?

Cheers,

David.