author Joey Hess <joeyh@joeyh.name> 2016-04-04 16:57:13 -0400
committer Joey Hess <joeyh@joeyh.name> 2016-04-04 16:57:13 -0400
commit 4f348b329b8ad0fe69500a5bfb11480b1edf0845
tree 51ce747a2f9f22e48c204c3b5aae6ae90bca2199
parent f4dc223c868f289c6cf08ce2ce3b831dc01da6dd
wording
-rw-r--r-- doc/git-annex-shell.mdwn 15
1 files changed, 8 insertions, 7 deletions
diff --git a/doc/git-annex-shell.mdwn b/doc/git-annex-shell.mdwn
index ae696aec3..9b3d12685 100644
--- a/doc/git-annex-shell.mdwn
+++ b/doc/git-annex-shell.mdwn
@@ -136,15 +136,16 @@ changed.
# EXAMPLES
-git-annex-shell(1) is usually called through a wrapper installed by
-the git-annex-assistant(1) in the `~/.ssh/authorized_keys` file on the
-remote host. You can also do a similar setup by adding a specific
-line with a `command=` parameter to `~/.ssh/authorized_keys` by hand.
+To make a `~/.ssh/authorized_keys` file that only allows git-annex-shell
+to be run, and not other commands, pass the original command to the -c
+option:
+
+ command="git-annex-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1y[...] user@example.com
-For example, the following forces the key to be read-only, run only
-git-annex commands on the given directory:
+To further restrict git-annex-shell to a particular repository,
+and fully lock it down to read-only mode:
- command="GIT_ANNEX_SHELL_DIRECTORY=/srv/annex GIT_ANNEX_SHELL_LIMITED=true GIT_ANNEX_SHELL_READONLY=true git-annex-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1y[...] user@example.com
+ command="GIT_ANNEX_SHELL_DIRECTORY=/srv/annex GIT_ANNEX_SHELL_LIMITED=true GIT_ANNEX_SHELL_READONLY=true git-annex-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1y[...] user@example.com
Obviously, `ssh-rsa AAAAB3NzaC1y[...] user@example.com` needs to
replaced with your SSH key. The above also assumes `git-annex-shell`
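Review bot: In the first added `command=` example, the option list `no-agent-forwarding,no-port-forwarding,no-X11-forwarding` leaves out `no-pty`, so a key that the new text says "only allows git-annex-shell to be run" can still request a terminal for the forced command. Consider adding `no-pty` to both example lines, or using the OpenSSH `restrict` option where the server supports it, so the listed restrictions match what the sentence promises. Since this commit is about wording, two smaller points: the trailing context line "needs to replaced with your SSH key" is missing a "be", and `-c` in "pass the original command to the -c option" could be set in backticks like the other literals in the section. The rewrite also drops the sentence saying the wrapper is usually installed by git-annex-assistant(1); if that is still true, a short mention would help readers who find such a line in `authorized_keys` and wonder where it came from.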