3

I created a user john on my server and added him to the SVN group so we can share our code, and everything looks okay. Now I want to prevent this user from connecting to the console or shell via SSH. In the /etc/ssh/sshd_config file I added these lines:

Match User john
  ForceCommand svnserve -t

I would like to ask whether my configuration is safe enough. SVN commands over SSH work fine. When he tries to connect, he gets:

blueprint:~ john$ ssh john@91.***.***.96 -p **5
john@91.***.***.96's password:
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops depth log-revprops partial-replay ) ) )

^CConnection to 91.***.***.96 closed.
blueprint:~ john$

I have two questions:

  • Is this it? Is there a way for john to log in to my server in some hackable way?
  • Does an option exist on the server to return him a nice message like "You do not have permission to login!"?
Marek

1 Answer

4

This is a correct way to do it. I have just two points on how you may additionally improve the security of your SVN server.

Firstly, you can allow SSH public key authentication only. If so, you can then lock the user's password with

passwd -l USERNAME

Secondly, you can create a simple wrapper script (the spawned shell is replaced with the svnserve command) and use it with the ForceCommand option; the script includes a warning message:

cat > /usr/local/bin/svn_cmd_wrapper.sh <<'EOF'
#!/bin/sh -f

# Send the message to stderr: whatever the wrapper writes to stdout is read
# by the svn client as protocol data and would break svn+ssh:// access.
# An interactive ssh login still sees stderr before the svnserve greeting.
echo "You do not have permission to login!" >&2
echo >&2
# Replace this shell with svnserve so no shell process is left behind.
exec svnserve -t
EOF

Then, make it executable (the file is owned by root but is run as john, so execute permission is needed for others, not only for the owner):

chmod 755 /usr/local/bin/svn_cmd_wrapper.sh

and use it in the sshd_config file:

ForceCommand /usr/local/bin/svn_cmd_wrapper.sh
dsmsk80
  • I will think about public key authentication. You forgot the quotation marks at the end of the first echo, and I had to change the permissions and group (`chown root:svn svn_cmd_wrapper.sh` and `chmod 754 svn_cmd_wrapper.sh`). Anyway, I like your idea. Is there a way to recognize the `svnserve -t` command and allow it, and notify the user about permissions for any other command? – Marek Sep 15 '13 at 12:47
  • We just put the following at the start of the authorized_key line: command="/usr/bin/svnserve -t -r /var/svn",no-agent-forwarding,no-pty,no-port-forwarding,no-X11-forwarding – tgharold Sep 28 '13 at 04:52
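Added example, not part of the original question, answer or comments: a ForceCommand wrapper that does what Marek asks for in his follow-up comment. sshd exports the command the client requested in SSH_ORIGINAL_COMMAND (unset for a plain interactive login), and the svn client asks for exactly "svnserve -t" when it opens an svn+ssh:// URL, so the wrapper can let that through and reject everything else with a message and a syslog entry. The install path /usr/local/bin/svn_only.sh and the repository root /var/svn are assumptions for the example.

```sh
#!/bin/sh
# Added example (not from the original answer): ForceCommand wrapper that
# allows only the svnserve tunnel and turns any other request away.
#
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND; it is
# unset when the user asked for an interactive shell. The svn client asks
# the remote side for "svnserve -t". Anything else (a shell, scp, sftp,
# "bash -i", "svnserve -t; sh") is someone trying to get past the tunnel.
#
# Assumed install path (hypothetical): /usr/local/bin/svn_only.sh
# Assumed repository root (hypothetical): /var/svn

SVN_ROOT=/var/svn

# Is the requested command the svnserve tunnel? Returns 0 = allowed,
# 1 = denied. Kept as a function so it can be exercised without sshd.
svn_only_check() {
    case "$1" in
        "svnserve -t") return 0 ;;
        *)             return 1 ;;
    esac
}

# Short description of what was asked for, used in the message and the log.
describe_request() {
    if [ -z "$1" ]; then
        echo "an interactive login"
    else
        echo "the command '$1'"
    fi
}

# Entry point reached through ForceCommand.
main() {
    req="${SSH_ORIGINAL_COMMAND-}"
    if svn_only_check "$req"; then
        # Replace this shell with svnserve. The client's own arguments are
        # ignored; -r pins the repository root so repository paths in the
        # client's URL cannot wander outside it.
        exec svnserve -t -r "$SVN_ROOT"
    fi
    # Denied: tell the user (on stderr), leave a trace for the admin, and
    # exit non-zero so ssh reports a failure.
    echo "You do not have permission to login! This account is limited to svn+ssh:// access." >&2
    echo "Rejected $(describe_request "$req")." >&2
    logger -t svn_only -p auth.warning "denied ${USER:-unknown} asking for $(describe_request "$req")"
    exit 1
}

# Run only when invoked under the installed name; when the file is sourced
# or run under another name (for testing) only the functions are defined.
case "${0##*/}" in
    svn_only.sh) main ;;
esac
```

Install it with `chmod 755` as root, then in sshd_config put `ForceCommand /usr/local/bin/svn_only.sh` in the `Match User john` block together with `PermitTTY no`, `AllowTcpForwarding no`, `AllowAgentForwarding no` and `X11Forwarding no`; those are the server-side counterparts of the `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` options tgharold sets in authorized_keys, and they close the channels a forced command alone does not (with `ssh -t`, `ssh -L` or `ssh -A` the user could otherwise still get a pty, a tunnel or access to a forwarded agent). The message goes to stderr on purpose: in the allowed case nothing may be written to stdout before svnserve starts, because the svn client reads stdout as protocol data.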