doc/how-it-works
author Paul Crowley <paul@lshift.net>
Mon, 12 Oct 2009 16:25:02 +0100
changeset 107 84e9e33d866b
parent 100 db219a5a14f8
child 112 3035990989ee
permissions -rw-r--r--
Fixes, plus base64 what you don't trust
HOW IT WORKS

When a developer attempts to connect to a repository via ssh, the SSH
daemon searches for a match for that user's key in
~hg/.ssh/authorized_keys. If the developer is authorised to connect to the
repository they will have an entry in this file. The entry includes a
"command" prefix which specifies that the restricted shell
"/usr/local/share/mercurial-server/hg-ssh" should be used; this shell is
passed an argument identifying the developer. The shell parses the command
the developer is trying to execute, and consults a rules file to see if
that developer is allowed to perform that action on that repository.

The file ~hg/.ssh/authorized_keys is generated by "refresh-auth", which
recurses through two directories of files containing SSH keys and generates
an entry in authorized_keys for each one, using the name of the key file as
the identifier for the developer. These keys will live in the "keys"
subdirectory of "/etc/mercurial-server" and the "keys" subdirectory of a
repository called "hgadmin". A hook in this repository re-runs
"refresh-auth" on the most recent version after every push.

Finally, a hook in an extension is run for each changeset that is remotely
committed, which uses the rules file to determine whether to allow the
changeset.
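
A sketch of the authorized_keys generation described above, added here as an example and not mercurial-server's own "refresh-auth" code. It shows why the key file's name and contents must be checked before they are written next to the "command" prefix; the restriction options, the permitted name pattern and key types, and all function names are assumptions of the example.

```python
import base64, binascii, os, re, tempfile

HG_SSH = "/usr/local/share/mercurial-server/hg-ssh"  # path quoted in the text
RESTRICT = "no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
SAFE_NAME = re.compile(r"[A-Za-z0-9._@/-]+")  # assumption: permitted key-file names
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def entry_for(name, text):
    """Return one authorized_keys line for a key file, or None if rejected."""
    if not SAFE_NAME.fullmatch(name):
        return None  # the name lands inside command="...": no quotes or spaces
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) != 1:
        return None  # an extra line would become an entry without the prefix
    fields = lines[0].split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None  # also rejects key files that carry their own options
    try:
        base64.b64decode(fields[1], validate=True)  # checks encoding only
    except (binascii.Error, ValueError):
        return None
    return 'command="%s %s",%s %s %s' % (HG_SSH, name, RESTRICT, *fields[:2])

def build_authorized_keys(key_dirs):
    """Walk each keys directory; the path relative to it names the developer."""
    out = []
    for root in key_dirs:
        for dirpath, dirs, files in os.walk(root):
            dirs.sort()  # deterministic output order
            for fn in sorted(files):
                path = os.path.join(dirpath, fn)
                name = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, errors="replace") as fh:
                    line = entry_for(name, fh.read())
                if line:
                    out.append(line)
    return out

def demo():
    """Constructed sample: one valid key file and one two-line key file."""
    blob = base64.b64encode(b"constructed, not a real key").decode()
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "root"))
        with open(os.path.join(tmp, "root", "alice"), "w") as fh:
            fh.write("ssh-rsa %s alice@example\n" % blob)
        with open(os.path.join(tmp, "mallory"), "w") as fh:
            fh.write("ssh-rsa %s m\nssh-rsa %s m\n" % (blob, blob))
        return build_authorized_keys([tmp])
```

Calling demo() returns a single entry, for "root/alice"; the two-line "mallory" file is dropped rather than copied through.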