hello darcs developers

I wanted to setup a darcs repo on a server where security is much
emphasized and i did not want to use pushing via email for various
reasons.
Currently, as described in http://wiki.darcs.net/DarcsWiki/RepoViaSSH,
darcs seems to use several commands over ssh: darcs, scp, cd and
sftp-server are "whitelisted" by a perl script. As this script will be
bypassed easily, it is currently not possible to use darcs securely via ssh.

If darcs used only one command (i.e. "darcs"), ssh could be configured
to just allow this one command. This or any other method of offering
darcs rw access without giving out machine accounts would be much
appreciated.

This is useful in a setting where several developers are to be granted
pushing privileges on a repository, but are not trusted enough to be
given full ssh access and using email is not desired.

Thanks,
johann

-----------------

context in #darcs:

18:01 < twb> You can also limit an ssh keys to a single command in
authorized_keys
18:01 < Heffalump> twb: that "obscure perl script" seems to be designed
to do that, I'm not sure why "raw darcs" isn't suitable for that but it
may well not be
18:01 < cupe> Heffalump: i think it's because darcs uses more than one
command
18:02 < cupe> darcs, scp, cd, sftp-server
18:02 < Heffalump> oh, right
18:02 < twb> It does?  That sucks.
18:02 < cupe> if that wasn't the case, i would not have any problems :)
18:02 < cupe> yep
18:03 < twb> IIUC rsync just boots a remote rsync process with a "be a
listener" switch
18:03 < twb> Also, cd is not a command
18:03 < twb> darcs should use darcs --repodir rather than cd'ing
18:04 < twb> Thereby avoiding the need for a shell process.
18:05 < cupe> yep, that would be nice
18:05 < cupe> although there is still scp involved
18:06 < twb> Theoretically there's no reason darcs --server --repodir
couldn't exec scp based on commands it receives from stdin
18:07 < twb> I suggest you file a wishlist bug
18:10 < cupe> i'll do that

This is really a documentation request.  As long as darcs2 is installed on both
sides, darcs only executes two commands via ssh, and I see no reason to reduce
that to one.

David

I am confused by the difference between the number of commands (or otherwise) 
mentioned in the original report (darcs, scp, cd, sftp-server are mentioned, 
possibly inspired by the description in http://wiki.darcs.net/DarcsWiki/RepoViaSSH) and the 2 commands mentioned by 
droundy. So could a volunteer please look into this to ensure that the issue is 
fully understood? Following that, we need a decision on what to do about it.

Thanks and best regards
Thorkil

If you have darcs 2 on both ends, darcs *only* invokes the darcs command (over
ssh), and does at most twice: once for darcs transfer-mode, and once for darcs
apply (darcs push only)

So the volunteer should just document this fact

See also issue1515

I commented out the whitelisting of sftp-server and scp on
http://wiki.darcs.net/RepoViaSSH

While I was at it, I added a disclaimer pointing out that this is not
officially endorsed by the Darcs Team (since I have no idea if that
actually was secure or not; I dimly recall some complaints about that page?)

So we still need a volunteer to verify and comment on the page in general.