commit c167432e009e807556a97fe8c2c74362a726e9a7
from: Stefan Sperling <stsp@stsp.name>
date: Sun Jan 29 20:28:26 2023 UTC

gotsh.1: show how to set up anonymous public read-only repository access

commit - 71a61c8ccc19248c397974fbd63b952d2665771c
commit + c167432e009e807556a97fe8c2c74362a726e9a7
blob - 8e552939759f9d99f850f531a4a7041b8aaa2956
blob + 31b832c10983c3262cc2a110a8f259513541fd34
--- gotsh/gotsh.1
+++ gotsh/gotsh.1
@@ -95,7 +95,7 @@ directives such as the following are recommended to pr
 machine and any systems reachable from it, especially if anonymous users
 are allowed to connect:
 .Bd -literal -offset indent
-Match User anonymous
+Match User developer
     DisableForwarding yes
     PermitTTY no
 .Ed
@@ -108,6 +108,34 @@ Match Group developers
     DisableForwarding yes
     PermitTTY no
 .Ed
+.Pp
+Anonymous users can be given public read-only access by using a
+.Xr gotd.conf 5
+access rule such as the following:
+.Bd -literal -offset indent
+repository "public" {
+	path "/var/git/public.git"
+	permit ro anonymous
+}
+.Ed
+.Pp
+The anonymous user account should have a publicly known password, or can be
+set up with an empty password in which case the user's
+.Xr vipw 8
+entry would look similar to this example:
+.Bd -literal
+anonymous::1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh
+.Ed
+.Pp
+Use of an empty password must be explicitly allowed in
+.Xr sshd_config 5 :
+.Bd -literal -offset indent
+Match User anonymous
+    PasswordAuthentication yes
+    PermitEmptyPasswords yes
+    DisableForwarding yes
+    PermitTTY no
+.Ed
 .Sh SEE ALSO
 .Xr got 1 ,
 .Xr ssh 1 ,