diff options
| author |  Joey Hess <joeyh@joeyh.name> | 2016-04-04 16:10:39 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2016-04-04 16:10:39 -0400 |
| commit | 1f601031806c16f32eae85f96ef61c0aef9e467e (patch) | |
| tree | 0c76a479e24e54668df9b8789f866bc6347afe5e /doc | |
| parent | b428b18ee6e3188b210525ae9341847206cb2c16 (diff) | |
| parent | cbea26ac5963f26a849cbabe4da027f3518fc52d (diff) | |
Merge branch 'master' of ssh://git-annex.branchable.com
Diffstat (limited to 'doc')
3 files changed, 31 insertions, 0 deletions
diff --git a/doc/bugs/git-annex-shell__58___bad_parameters_when_trying_to_configure_a_shell_sandbox.mdwn b/doc/bugs/git-annex-shell__58___bad_parameters_when_trying_to_configure_a_shell_sandbox.mdwn index 1cfbbb714..8a2142347 100644 --- a/doc/bugs/git-annex-shell__58___bad_parameters_when_trying_to_configure_a_shell_sandbox.mdwn +++ b/doc/bugs/git-annex-shell__58___bad_parameters_when_trying_to_configure_a_shell_sandbox.mdwn @@ -125,3 +125,5 @@ git-annex: get: 1 failed ### Have you had any luck using git-annex before? (Sometimes we get tired of reading bug reports all day and a lil' positive end note does wonders) I seem to recall I had that working in the past, and I feel I am probably doing something stupidly wrong, but here I am. Sorry about that, I'll be sure to fix the documentation more clearly (esp. in the [[git-annex-shell]] manpage when I figure it out! --[[anarcat]] + +Well, it looks like this PEBKAC here - could have sworn I had tested the wrapper, but it seems I didn't do it properly. I'll fixup the documentation for things to be clearer, but this is basically fixed now, with a proper ~/.ssh/git-annex. I don't understand why the wrapper is necessary, but thanks for the feedback! [[done]] diff --git a/doc/forum/Restricting_git-annex-shell_to_a_specific_repository/comment_6_b3a0db1c2f11770b7c6f13964f2d1784._comment b/doc/forum/Restricting_git-annex-shell_to_a_specific_repository/comment_6_b3a0db1c2f11770b7c6f13964f2d1784._comment new file mode 100644 index 000000000..bd0fdd0d0 --- /dev/null +++ b/doc/forum/Restricting_git-annex-shell_to_a_specific_repository/comment_6_b3a0db1c2f11770b7c6f13964f2d1784._comment @@ -0,0 +1,7 @@ +[[!comment format=mdwn + username="anarcat" + subject="clarified manpage" + date="2016-04-04T20:00:39Z" + content=""" +i have (hopefully) clarified the [[git-annex-shell]] manpage to clearly state how to setup a restricted repository. hopefully, that will avoid further mistakes. :) i am still unclear as to why the wrapper script is necessary, but that's a different issue. --[[anarcat]] +"""]] diff --git a/doc/git-annex-shell.mdwn b/doc/git-annex-shell.mdwn index 3ac9926ed..502a1358a 100644 --- a/doc/git-annex-shell.mdwn +++ b/doc/git-annex-shell.mdwn @@ -134,6 +134,28 @@ changed. If set, git-annex-shell will refuse to run commands that do not operate on the specified directory. +# EXAMPLES + +git-annex-shell(1) is usually called through a wrapper installed by the git-annex-assistant(1) in the `~/.ssh/authorized_keys` file on the remote host. To make such a setup manually, you will need the following wrapper installed in `~/.ssh/git-annex-shell`: + + #!/bin/sh + + set -e + if [ "x$SSH_ORIGINAL_COMMAND" != "x" ]; then + exec /usr/bin/git-annex-shell -c "$SSH_ORIGINAL_COMMAND" + else + exec /usr/bin/git-annex-shell -c "$@" + fi + +Then restrictions can be implemented to specific SSH keys using the +`command=` parameter. For example, the following forces the key to be +read-only, run only git-annex commands on the given directory: + + command="GIT_ANNEX_SHELL_DIRECTORY=/srv/annex GIT_ANNEX_SHELL_LIMITED=true GIT_ANNEX_SHELL_READONLY=true ~/.ssh/git-annex-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1y[...] user@example.com + +Obviously, `ssh-rsa AAAAB3NzaC1y[...] user@example.com` needs to +replaced with your SSH key. + # SEE ALSO [[git-annex]](1) |