# SSH refuses to grant CVS-only access



## fonz (Jun 27, 2011)

Howdy,

I'd like to give a few project members CVS access (and only that, no shell logins) to my repository via SSH. However, access is only granted when they have actual login shells. If I set their login shells to /sbin/nologin they can't get in. I have added the following to /etc/ssh/sshd_config, but it Doesn't Work (tm).

```
Match Group sshcvs
   AllowAgentForwarding no
   AllowTcpForwarding no
   ForceCommand cvs server
```

Any ideas?

Fonz


----------



## pbd (Jun 27, 2011)

Set their shell to /bin/sh.

Directive ForceCommand won't let them run anything else.


----------



## gordon@ (Jun 27, 2011)

Or better yet, write a shell wrapper that will validate the command line and only fork off that command (this is what the FreeBSD project does).


----------



## fonz (Jun 27, 2011)

Thanks guys. Because of pbd's remark I noticed the following in sshd_config(5): _The command is invoked by using *the user's login shell* with the -c option._

I may have taken the slightly longer road by writing my own version of /sbin/nologin in C, rather than a shell script as Gordon suggested, but it does work now.

Problem solved

Fonz


----------
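A restricted login shell of the kind discussed in this thread, as an added example (it is not fonz's program and not the FreeBSD project's wrapper). Because sshd invokes the forced command as `<login shell> -c <command>`, the program accepts only that exact invocation and refuses everything else, including interactive logins. The path in `CVS_PATH` and the function name `cvs_only_allowed` are assumptions for illustration.

```c
/* CVS-only login shell: added example, not code from the thread. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CVS_PATH "/usr/bin/cvs"   /* assumption: adjust to where cvs is installed */

/*
 * sshd runs "<login shell> -c <command>". Accept only the exact string
 * "cvs server". An interactive login arrives without -c and is refused,
 * as is any string with extra arguments or shell metacharacters.
 */
int cvs_only_allowed(int argc, char *const argv[])
{
    if (argc != 3)
        return 0;
    if (strcmp(argv[1], "-c") != 0)
        return 0;
    return strcmp(argv[2], "cvs server") == 0;
}

int main(int argc, char *argv[])
{
    /* Fixed argument vector: nothing from the client reaches cvs's argv. */
    char *const cvs_argv[] = { "cvs", "server", NULL };

    if (!cvs_only_allowed(argc, argv)) {
        fprintf(stderr, "This account is restricted to CVS access.\n");
        return 1;
    }

    /*
     * Exec the fixed binary directly. No shell ever parses the command
     * string, so it cannot be used to start anything else.
     */
    execv(CVS_PATH, cvs_argv);
    perror("execv");
    return 127;
}
```

Set as the login shell of the `sshcvs` accounts in place of /sbin/nologin, it works together with the `Match` block from the first post.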

