Subject: Re: anoncvs server...
To: None <tech-misc@netbsd.org>
From: George Georgalis <george@galis.org>
List: tech-misc
Date: 02/01/2006 14:35:34

On Wed, Feb 01, 2006 at 01:17:01PM -0500, Thor Lancelot Simon wrote:
>On Tue, Jan 31, 2006 at 11:00:00PM +0100, Manuel Bouyer wrote:
>> On Sun, Jan 29, 2006 at 02:17:08PM -0500, George Georgalis wrote:
>> >    [...]
>> >    2. Currently investigating how to prevent anoncvs user,
>> >    while allowing other users, from doing agent, x11, and port
>> >    forwarding with the passwordless connection.
>> 
>> I just use 2 ssh servers: one listening on port 22 only for anoncvs
>> connections (other users are denied in config) and another ssh server on
>> another port.
>
>It is best to run the anoncvs ssh server inside a chroot.  Then you can
>dispense with most of the complexity in the openbsd anoncvssh implementation.

Manuel's post got me thinking in that direction. chroot sounds
like the way to go.

>You can also use systrace to run the anoncvs sshd as a non-root user inside
>the chroot.

I've never heard of systrace, man page looks interesting. Will
google around and consider that option.

ATM, I'm working on a solution to get the system properly booted,
SATA/PATA drive numbering issue on another thread, how/whenever
that pans out, I'll be in a better position to look at sharing
again.

// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
http://galis.org/ cell:646-331-2027 mailto:george@galis.org
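
The two-server arrangement discussed in this thread, sketched as an added example (not configuration posted by anyone in the thread). It assumes a current OpenSSH; the file names, the second port, the chroot path /var/anoncvs and the cvs path are hypothetical.

```conf
# ---- sshd_config.anoncvs (hypothetical file name) ----
# Instance 1: port 22, anoncvs only, every forwarding channel off.
Port 22
PidFile /var/run/sshd.anoncvs.pid
AllowUsers anoncvs
PermitRootLogin no

# The "passwordless connection" from the thread: assumes the anoncvs
# account has an empty password and no keys are accepted.
PermitEmptyPasswords yes
PubkeyAuthentication no

# The three items the original question lists: agent, X11, port forwarding.
AllowAgentForwarding no
X11Forwarding no
AllowTcpForwarding no
# Related channels worth closing on the same instance.
PermitTunnel no
GatewayPorts no
PermitUserEnvironment no
PermitTTY no

# Confine the session. ChrootDirectory is applied by sshd after
# authentication, which is narrower than running the whole sshd inside
# a chroot as suggested in the thread. The directory must be root-owned
# and not writable by any other user, and must contain cvs plus the
# repository (assumed layout).
ChrootDirectory /var/anoncvs
# Ignore whatever command the client asks for; only ever run cvs.
ForceCommand /usr/bin/cvs server

# ---- sshd_config.admin (hypothetical file name) ----
# Instance 2: every other user, on another port (2222 is an assumption).
Port 2222
PidFile /var/run/sshd.admin.pid
DenyUsers anoncvs
PermitEmptyPasswords no
```

Each file can be syntax-checked with `sshd -t -f <file>` before its instance is started with `sshd -f <file>`.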