Discussion:
[darcs-devel] [issue923] wishlist bug: enable using darcs securely via ssh
Johann Korndoerfer
2008-06-13 15:17:55 UTC
New submission from Johann Korndoerfer <cupe-***@erleuchtet.org>:

hello darcs developers

I wanted to set up a darcs repo on a server where security is much
emphasized and I did not want to use pushing via email for various
reasons.
Currently, as described in http://wiki.darcs.net/DarcsWiki/RepoViaSSH,
darcs seems to use several commands over ssh: darcs, scp, cd and
sftp-server are "whitelisted" by a perl script. As this script will be
bypassed easily, it is currently not possible to use darcs securely via ssh.

If darcs used only one command (i.e. "darcs"), ssh could be configured
to just allow this one command. This or any other method of offering
darcs rw access without giving out machine accounts would be much
appreciated.

This is useful in a setting where several developers are to be granted
pushing privileges on a repository, but are not trusted enough to be
given full ssh access and using email is not desired.

Thanks,
johann

-----------------

context in #darcs:

18:01 < twb> You can also limit an ssh key to a single command in
authorized_keys
18:01 < Heffalump> twb: that "obscure perl script" seems to be designed
to do that, I'm not sure why "raw darcs" isn't suitable for that but it
may well not be
18:01 < cupe> Heffalump: i think it's because darcs uses more than one
command
18:02 < cupe> darcs, scp, cd, sftp-server
18:02 < Heffalump> oh, right
18:02 < twb> It does? That sucks.
18:02 < cupe> if that wasn't the case, i would not have any problems :)
18:02 < cupe> yep
18:03 < twb> IIUC rsync just boots a remote rsync process with a "be a
listener" switch
18:03 < twb> Also, cd is not a command
18:03 < twb> darcs should use darcs --repodir rather than cd'ing
18:04 < twb> Thereby avoiding the need for a shell process.
18:05 < cupe> yep, that would be nice
18:05 < cupe> although there is still scp involved
18:06 < twb> Theoretically there's no reason darcs --server --repodir
couldn't exec scp based on commands it receives from stdin
18:07 < twb> I suggest you file a wishlist bug
18:10 < cupe> i'll do that

----------
messages: 5041
nosy: beschmi, cupe-darcs, dagit, tommy
status: unread
title: wishlist bug: enable using darcs securely via ssh

__________________________________
Darcs bug tracker <***@darcs.net>
<http://bugs.darcs.net/issue923>
__________________________________
Johann Korndoerfer
2008-06-13 15:17:55 UTC
New submission from Johann Korndoerfer <cupe-***@erleuchtet.org>:

hello darcs developers

I wanted to set up a darcs repo on a server where security is much
emphasized and I did not want to use pushing via email for various
reasons.
Currently, as described in http://wiki.darcs.net/DarcsWiki/RepoViaSSH,
darcs seems to use several commands over ssh: darcs, scp, cd and
sftp-server are "whitelisted" by a perl script. As this script will be
bypassed easily, it is currently not possible to use darcs securely via ssh.

If darcs used only one command (i.e. "darcs"), ssh could be configured
to just allow this one command. This or any other method of offering
darcs rw access without giving out machine accounts would be much
appreciated.

This is useful in a setting where several developers are to be granted
pushing privileges on a repository, but are not trusted enough to be
given full ssh access and using email is not desired.

Thanks,
johann

-----------------

context in #darcs:

18:01 < twb> You can also limit an ssh key to a single command in
authorized_keys
18:01 < Heffalump> twb: that "obscure perl script" seems to be designed
to do that, I'm not sure why "raw darcs" isn't suitable for that but it
may well not be
18:01 < cupe> Heffalump: i think it's because darcs uses more than one
command
18:02 < cupe> darcs, scp, cd, sftp-server
18:02 < Heffalump> oh, right
18:02 < twb> It does? That sucks.
18:02 < cupe> if that wasn't the case, i would not have any problems :)
18:02 < cupe> yep
18:03 < twb> IIUC rsync just boots a remote rsync process with a "be a
listener" switch
18:03 < twb> Also, cd is not a command
18:03 < twb> darcs should use darcs --repodir rather than cd'ing
18:04 < twb> Thereby avoiding the need for a shell process.
18:05 < cupe> yep, that would be nice
18:05 < cupe> although there is still scp involved
18:06 < twb> Theoretically there's no reason darcs --server --repodir
couldn't exec scp based on commands it receives from stdin
18:07 < twb> I suggest you file a wishlist bug
18:10 < cupe> i'll do that

----------
messages: 5040
nosy: beschmi, cupe-darcs, dagit, tommy
status: unread
title: wishlist bug: enable using darcs securely via ssh

__________________________________
Darcs bug tracker <***@darcs.net>
<http://bugs.darcs.net/issue922>
__________________________________
John Meacham
2008-06-17 15:55:36 UTC
Johann Korndoerfer wrote:
> This is useful in a setting where several developers are to be granted
> pushing privileges on a repository, but are not trusted enough to be
> given full ssh access and using email is not desired.
One also needs to ensure darcs doesn't run any user submitted hooks. I
have thought it would be a nice feature for darcs to have a general
purpose '--untrusted' flag, which will disable anything that allows
execution of arbitrary code (all hooks, tests, and whatnot). That way
we can pass just that one flag in scripts and not have to worry that
some other hook, test code, or execution path will be added in the
future that we didn't explicitly disable.

John
--
John Meacham - ⑆repetae.net⑆john⑈
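A forced-command wrapper of the kind twb and John describe above, as an added example that is not part of this thread or of the darcs project. sshd's `command="..."` option in authorized_keys ignores whatever the client asked to run and starts the wrapper instead, leaving the client's request in SSH_ORIGINAL_COMMAND; the wrapper then execs only the darcs binary, never scp, sftp-server or a shell, and refuses every option it does not explicitly know, so hook or test options can never reach darcs. The repository root `/srv/darcs`, the darcs binary path `/usr/bin/darcs`, the allowed subcommands (`apply`, `transfer-mode`, `changes`) and the pass-through flags are assumptions that must be adjusted to what the darcs version in use actually sends over ssh.

```shell
#!/bin/sh
# darcs-ssh-wrapper: hypothetical forced-command wrapper (added example, not darcs project code).
#
# Install per developer key in the repository account's ~/.ssh/authorized_keys:
#   command="/usr/local/bin/darcs-ssh-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... alice
# sshd runs this script instead of the client's command and exposes the request
# in SSH_ORIGINAL_COMMAND. Only the darcs binary is ever exec'd: scp, sftp-server
# and "cd" are unreachable, and a shell never sees the client's text.

set -f                                           # no pathname expansion on client-supplied words
REPO_ROOT="${REPO_ROOT:-/srv/darcs}"             # assumption: every served repo lives below here
ALLOWED_SUBCMDS="apply transfer-mode changes"    # assumption: depends on the darcs version's ssh protocol
NL='
'

# has_shell_meta "<request>": 0 if the request contains characters that have no place in a
# darcs command line (defence in depth; nothing here is passed to a shell anyway).
has_shell_meta() {
    case "$1" in
        *";"*|*"&"*|*"|"*|*'`'*|*'$'*|*"("*|*")"*|*"<"*|*">"*|*"'"*|*'"'*|*"\\"*|*"$NL"*) return 0 ;;
    esac
    return 1
}

# repodir_ok "<path>": 0 if the --repodir value cannot escape REPO_ROOT.
# Relative paths are resolved below REPO_ROOT because the wrapper cd's there before exec.
repodir_ok() {
    case "$1" in
        ""|-*) return 1 ;;                        # empty or looks like an option
        ..|../*|*/..|*/../*) return 1 ;;          # parent-directory traversal
        /*) case "$1" in "$REPO_ROOT"/*) return 0 ;; esac; return 1 ;;
    esac
    return 0
}

# allow_command "<request>": 0 if the request is "darcs <allowed subcommand> <known options>"
# confined to REPO_ROOT. Default deny: any option not listed (so --prehook, --posthook,
# --test and whatever is added later) rejects the whole request.
allow_command() {
    has_shell_meta "$1" && return 1
    set -- $1                                    # split into words (safe: set -f, no metacharacters)
    [ "$1" = darcs ] || return 1                 # the one allowed program
    shift
    [ $# -ge 1 ] || return 1
    sub="$1"; shift
    case " $ALLOWED_SUBCMDS " in *" $sub "*) ;; *) return 1 ;; esac
    repodir=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --repodir=*) repodir="${1#--repodir=}" ;;
            --repodir)   [ $# -ge 2 ] || return 1; repodir="$2"; shift ;;
            --all|--verbose|--quiet) ;;           # assumption: harmless flags worth passing through
            *) return 1 ;;                        # unknown option or stray argument: refuse
        esac
        shift
    done
    repodir_ok "$repodir"
}

# Dispatch only when invoked by sshd as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_command "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        shift                                    # drop the literal "darcs"
        cd "$REPO_ROOT" || exit 1
        exec /usr/bin/darcs "$@"                 # assumption: darcs binary path
    fi
    logger -t darcs-ssh-wrapper "rejected: $SSH_ORIGINAL_COMMAND"   # audit trail for the admin
    echo "darcs-ssh-wrapper: command not permitted" >&2
    exit 1
fi
```

The reject log line doubles as the way to find out what a given darcs client actually sends: run a push against a freshly configured account, read the rejected requests out of syslog, and widen `ALLOWED_SUBCMDS` and the pass-through flags to exactly that, nothing more. Keep the `no-pty`/`no-*-forwarding` key options as well, since the forced command alone does not stop port or agent forwarding.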
Eric Kow
2010-03-24 17:53:59 UTC
Eric Kow <***@darcs.net> added the comment:

I commented out the whitelisting of sftp-server and scp on
http://wiki.darcs.net/RepoViaSSH

While I was at it, I added a disclaimer pointing out that this is not
officially endorsed by the Darcs Team (since I have no idea if that
actually was secure or not; I dimly recall some complaints about that page?)

So we still need a volunteer to verify and comment on the page in general.

__________________________________
Darcs bug tracker <***@darcs.net>
<http://bugs.darcs.net/issue923>
__________________________________