Subject: Re: anoncvs server...
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-misc
Date: 02/01/2006 13:17:01
On Tue, Jan 31, 2006 at 11:00:00PM +0100, Manuel Bouyer wrote:
> On Sun, Jan 29, 2006 at 02:17:08PM -0500, George Georgalis wrote:
> >    [...]
> >    2. Currently investigating how to prevent anoncvs user,
> >    while allowing other users, from doing agent, x11, and port
> >    forwarding with the passwordless connection.
> 
> I just use 2 ssh servers: one listening on port 22 only for anoncvs
> connections (other users are denied in config) and another ssh server on
> another port.

It is best to run the anoncvs ssh server inside a chroot.  Then you can
dispense with most of the complexity in the OpenBSD anoncvssh implementation.

You can also use systrace to run the anoncvs sshd as a non-root user inside
the chroot.

Thor
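
The dedicated port-22 daemon described in the quoted reply can be checked mechanically. The script below is an added example, not part of the original message or of any project's code: it audits that daemon's sshd_config for the user restriction and the three forwarding settings raised in the thread. The account name `anoncvs`, the sample config and the function names are assumptions; the keywords are those of current OpenSSH.

```shell
#!/bin/sh
# Added example: audit the sshd_config of an anoncvs-only daemon.
# The user name "anoncvs" and all function names are assumptions.

# Print the first global value of a keyword. sshd uses the first value it
# reads and treats keywords case-insensitively. Parsing stops at the first
# Match block, so only settings that apply to every connection are counted.
first_value() {  # usage: first_value <config> <keyword>
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return 0 only if the config admits just the anoncvs user and explicitly
# turns off agent, X11 and TCP port forwarding. Relying on a default fails.
audit_anoncvs_config() {  # usage: audit_anoncvs_config <config>
    rc=0
    [ "$(first_value "$1" AllowUsers)" = "anoncvs" ] ||
        { echo "FAIL: AllowUsers must be exactly: anoncvs"; rc=1; }
    for key in AllowAgentForwarding X11Forwarding AllowTcpForwarding; do
        [ "$(first_value "$1" "$key")" = "no" ] ||
            { echo "FAIL: $key is not explicitly set to no"; rc=1; }
    done
    return $rc
}

# Constructed sample: config for the daemon that serves only anoncvs.
sample_config() {
    cat <<'EOF'
# sshd_config for the anoncvs-only daemon (constructed sample)
Port 22
AllowUsers anoncvs
AllowAgentForwarding no
X11Forwarding no
AllowTcpForwarding no
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
audit_anoncvs_config "$cfg" && echo "OK: anoncvs daemon config passes"
rm -f "$cfg"
```

The second daemon, on the other port, keeps its own config file and is not subject to this audit.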