NetBSD Developer Documentation: Developer Restricted Shell Access
For security reasons, developer access on cvs.NetBSD.org has been restricted to the following commands:
Restricted Shell Commands
cvs server
This allows you to use CVS (CVS in client/server mode invokes cvs server on the remote side to do its processing).
passwd
This allows you to change your password interactively. Remember that you have to use ssh -t so that your password does not get echoed on the screen. This feature currently serves no purpose.
pwstore
This allows you to set your initial Kerberos password. Remember that you have to use ssh -t so that your password does not get echoed on the screen.
update_my_keys
This command allows you to manage your .ssh/authorized_keys file on cvs.NetBSD.org using RCS. You can feed it a new authorized_keys on stdin, and it will store the old file using RCS, and then install the new set of keys. It should be invoked as “ssh cvs.NetBSD.org update_my_keys”, with the new authorized_keys file passed to it on stdin. It will not accept null input (deletion of all keys) unless it is invoked as update_my_keys -d.
WARNING: The update_my_keys command replaces the current authorized_keys file. Any keys not in the file you supply will be deleted.
NOTE: The update_my_keys command only updates keys on cvs.NetBSD.org, not on any other TNF hosts.
Because the UNIX tty driver limits line length when line-editing is enabled, it is safe to do “stty -icanon” to disable line-editing before invoking update_my_keys. Don't forget to re-enable line-editing by doing “stty icanon” in such a case.
If you make an error, you can ask the admin group to restore an older authorized_keys file for you. But because a restoration request needs to be signed by PGP, you must commit your PGP key to the repository before doing update_my_keys.
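The update procedure described above, as an added example (not NetBSD's own tooling): a local pre-flight check that refuses to upload a file with no keys, or with a line that does not look like an OpenSSH public key, because the upload replaces the remote file. The function names, the accepted key-type list and the script name are assumptions.

```shell
#!/bin/sh
# Pre-flight check for update_my_keys (added example, hypothetical helper names).
# Heuristic: a key line contains a known key type followed by a base64 blob
# starting with "AAAA", as every OpenSSH public key blob does.
KEY_RE='(^|[[:space:]])(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)[[:space:]]+AAAA[A-Za-z0-9+/]+=*([[:space:]]|$)'

# check_keys FILE: print the number of key lines found.
# Returns 1 if a non-comment line is not a key, 2 if there are no keys at all.
check_keys() {
    count=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;   # blank lines and comments are allowed
        esac
        if printf '%s\n' "$line" | grep -Eq "$KEY_RE"; then
            count=$((count + 1))
        else
            echo "line $lineno does not look like a public key" >&2
            return 1
        fi
    done < "$1"
    if [ "$count" -eq 0 ]; then
        echo "no keys found: deleting all keys requires update_my_keys -d" >&2
        return 2
    fi
    echo "$count"
}

# push_keys FILE: validate locally, then replace the remote authorized_keys.
# stdin comes from the file, not the terminal, so the tty line-length limit
# does not apply and no stty change is needed.
push_keys() {
    check_keys "$1" >/dev/null || return
    ssh cvs.NetBSD.org update_my_keys < "$1"
}

# Run as: sh push_keys.sh new_authorized_keys   (script name is hypothetical)
if [ "$#" -eq 1 ]; then
    push_keys "$1"
fi
```

List every key you still want in the file you upload, including ones already installed, since anything omitted is deleted on the server.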
rsync --server --daemon
This command requires rsync 2.5.6 or newer. It allows you to run rsync in daemon mode over an SSH connection. Your login shell will adjust any rsync command line to force the use of an rsync daemon configuration file that will only allow you to read /cvsroot, using module name cvsroot.
So, you invoke rsync like this (for example):
rsync -avS --delete -e ssh <login>@cvs.NetBSD.org::cvsroot/src .
This command will connect to cvs.NetBSD.org using ssh as user loginname, invoke the rsync daemon, and fetch the src subdirectory of the cvsroot module, which of course corresponds to /cvsroot/src.
If you want to rsync the entire repository, take care not to sync CVSROOT/history.*.xz and CVSROOT/commitlog.*.xz by specifying options --exclude 'history.*.xz' and --exclude 'commitlog.*.xz', unless you want to engage in historical studies. The sum of these files is >8.5GB.