I create a user john on my server and I add him into the SVN group so we can share our code and everything looks okay. Now I want to prevent this user from connecting to the console or shell via SSH. In the /etc/ssh/sshd_config file I add these lines:
Match User john
ForceCommand svnserve -t
I would like to ask if my configuration is safe enough. SVN commands over SSH work fine. When he tries to connect, he gets:
blueprint:~ john$ ssh john@91.***.***.96 -p **5
john@91.***.***.96's password:
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops depth log-revprops partial-replay ) ) )
^CConnection to 91.***.***.96 closed.
blueprint:~ john$
I have two questions:
- Is this it? Is there a way for john to log in to my server in some hackable way?
- Does an option exist on the server to return him a nice message, "You do not have permission to login!"?
Best Answer
This is a correct way to do it. I have just two points on how you may additionally improve the security of your SVN server.
Firstly, you can allow SSH public key authentication only. If so, you can then lock the user's password with
Secondly, you can create a simple wrapper script (the spawned shell is replaced with the svnserve command) and use it with the ForceCommand option, which includes a warning message
Then, make it executable
and use it in the sshd_config file:
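The wrapper approach described in the answer, as an added example that is not the answerer's own script: it serves the svn+ssh tunnel only when the client asked for exactly `svnserve -t` (what the svn client requests by default) and otherwise prints the message from the question. The install path `/usr/local/bin/svn-only` and the function names are assumptions; the commented sshd_config stanza also switches off forwarding and TTY allocation, which ForceCommand alone leaves enabled.

```shell
#!/bin/sh
# Added example: ForceCommand wrapper, installed as /usr/local/bin/svn-only
# (hypothetical path). Matching sshd_config stanza:
#   Match User john
#       ForceCommand /usr/local/bin/svn-only
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
#       PermitTTY no          # available from OpenSSH 6.5

DENY_MSG='You do not have permission to login!'

# Print "allow" when the client requested the svn tunnel, "deny" otherwise.
# sshd stores the client's requested command in SSH_ORIGINAL_COMMAND; it is
# empty for a plain interactive "ssh john@host".
svn_only_decide() {
    case "$1" in
        'svnserve -t') echo allow ;;
        *)             echo deny ;;
    esac
}

svn_only_main() {
    if [ "$(svn_only_decide "${SSH_ORIGINAL_COMMAND:-}")" = allow ]; then
        # Fixed argv: nothing supplied by the client reaches svnserve.
        exec svnserve -t
    fi
    echo "$DENY_MSG" >&2
    # Record the refused attempt (client address only) for later review.
    logger -t svn-only -p auth.notice \
        "denied non-svn request from ${SSH_CONNECTION%% *}" || true
    exit 1
}

# Act only when installed under its real name, so the file can be sourced
# and the decision function exercised on its own.
case "${0##*/}" in
    svn-only) svn_only_main ;;
esac
```

Install it with `chmod 755`, owned by root, so john cannot edit the wrapper, and validate the configuration with `sshd -t` before reloading sshd.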