Fossil SCM

Fixed a few minor errors in the new http-over-ssh.md doc and added a memorial to a fallen hero.

wyoung 2021-09-19 03:55 trunk
Commit 9d4a13276110757b0cc42286f6b1e7a7507aec576f6bb23230e6a9cde6e078b6
--- www/server/any/http-over-ssh.md
+++ www/server/any/http-over-ssh.md
@@ -42,15 +42,17 @@
4242
a `Match` block of some sort.
4343
4444
You could instead list the exceptions:
4545
4646
``` ssh-config
47
- Match User !edie
47
+ Match User !evi
4848
```
4949
50
-This would permit only Edie the System Administrator to bypass this
50
+This would permit only [Evi the System Administrator][evi] to bypass this
5151
mechanism.
52
+
53
+[evi]: https://en.wikipedia.org/wiki/Evi_Nemeth
5254
5355
If you have a user that needs both interactive SSH shell access *and*
5456
Fossil access, exclude that user from the `Match` rule and use Fossil’s
5557
normal `ssh://` URL scheme for those cases. This user will bypass the
5658
Fossil RBAC, but they effectively have Setup capability on those
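Review bot: The new `Match User !evi` line carries the same problem as the old `!edie` line it replaces: the PATTERNS section of ssh_config(5), which sshd_config(5) points to for `Match` criteria, states that a negated pattern never produces a positive match on its own, so a `Match` block whose only criterion is `!evi` would apply to nobody rather than to everyone except Evi. Suggest `Match User *,!evi`, and verify the effective configuration with `sshd -T -C user=<name>` for both an excepted and a non-excepted user before publishing the example. The `[evi]` reference definition placed after the paragraph that uses it is fine.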
@@ -89,11 +91,11 @@
8991
`../` and such to prevent a sandbox escape.
9092
9193
4. Don’t take the user name via the SSH command; to this author’s mind,
9294
the user should not get to override their Fossil user name on the
9395
remote server, as that permits impersonation. The identity you
94
- preset to the SSH server must be the same identity that the Fossil
96
+ present to the SSH server must be the same identity that the Fossil
9597
repository you’re working with knows you by. Since the users
9698
selected by “`Match`” block above are dedicated to using only Fossil
9799
in this setup, this restriction shouldn’t present a practical problem.
98100
99101
The script’s shebang line assumes `/bin/sh` is POSIX-compliant, but that
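Review bot: The unchanged context line `selected by “`Match`” block above` in this hunk is missing an article; since the paragraph is being edited anyway, suggest `selected by the “`Match`” block above`. The `preset` to `present` fix itself is correct.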
@@ -113,11 +115,11 @@
113115
114116
This presumes your local user name matches the remote user name. Unlike
115117
with `http[s]://` URLs, you don’t have to provide the `USER@` part to
116118
get authenticated access
117119
since this scheme doesn’t permit anonymous cloning. Only
118
-if two names are different do you need to add the `USER@` bit to the
120
+if these two user names are different do you need to add the `USER@` bit to the
119121
URL.
120122
121123
122124
## 3. Set permissions <a id="perms"></a>
123125
124126
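Review bot: The new line `if these two user names are different do you need to add the `USER@` bit to the` runs well past the wrap width of its neighbours, while the context line `get authenticated access` is left short; suggest reflowing the paragraph so the lines wrap consistently, e.g. `get authenticated access, since this scheme doesn’t permit anonymous` / `cloning. Only if these two user names are different do you need to add` / `the `USER@` bit to the URL.`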