author | Paul Crowley <paul@lshift.net> |
Tue, 13 Oct 2009 18:21:22 +0100 | |
branch | debian |
changeset 116 | d99f3169828a |
parent 112 | 3035990989ee |
permissions | -rw-r--r-- |
83
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
HOW IT WORKS

When a developer attempts to connect to a repository via ssh, the SSH
daemon searches for a match for that user's key in
~hg/.ssh/authorized_keys. If the developer is authorised to connect to the
repository they will have an entry in this file. The entry includes a
"command" prefix which specifies that the restricted shell
"/usr/local/share/mercurial-server/hg-ssh" should be used; this shell is
passed an argument identifying the developer. The shell parses the command
the developer is trying to execute, and consults a rules file to see if
that developer is allowed to perform that action on that repository.

The file ~hg/.ssh/authorized_keys is generated by "refresh-auth", which
recurses through two directories of files containing SSH keys and generates
an entry in authorized_keys for each one, using the name of the key file as
the identifier for the developer. These keys will live in the "keys"
subdirectory of "/etc/mercurial-server" and the "keys" subdirectory of a
repository called "hgadmin". A hook in this repository re-runs
"refresh-auth" on the most recent version after every push.

When users try to commit new changesets, a hook is run which consults the
rules file to decide whether to allow the changeset into the repository.
This can depend not only on the user and the repository, but also on the
branch and files in the changeset.
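
An added example (not mercurial-server's own refresh-auth code) of the authorized_keys generation step described above: each key file becomes one entry whose forced command names hg-ssh and the developer identifier taken from the file name. The extra option list, the file-name whitelist, the accepted key types and the sample keys directory are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

HG_SSH = "/usr/local/share/mercurial-server/hg-ssh"  # restricted shell named in the text
# Assumption: standard OpenSSH restrictions added alongside the forced command.
OPTIONS = "no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
# Identifier = key file path relative to the keys directory; it is embedded in a
# double-quoted option, so quotes, spaces and backslashes must never reach it.
SAFE_NAME = re.compile(r"[A-Za-z0-9_@.+-]+(/[A-Za-z0-9_@.+-]+)*")
# Key type and base64 blob only; a line with leading options does not match.
KEY_LINE = re.compile(
    r"(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)) ([A-Za-z0-9+/]+=*)(?: .*)?")

def entries_for(key_dirs):
    """Yield (identifier, authorized_keys line) for every usable key file."""
    for root in map(Path, key_dirs):
        for path in sorted(p for p in root.rglob("*") if p.is_file()):
            name = path.relative_to(root).as_posix()
            if not SAFE_NAME.fullmatch(name):
                continue  # unsafe file name: skip rather than try to escape it
            for line in path.read_text().splitlines():
                m = KEY_LINE.fullmatch(line.strip())
                if m:  # the key's own comment field is dropped, not copied
                    yield name, (f'command="{HG_SSH} {name}",{OPTIONS} '
                                 f'{m.group(1)} {m.group(2)}')

def demo():
    """Run the generator over a constructed keys directory (not real keys)."""
    blob = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal"
    with tempfile.TemporaryDirectory() as tmp:
        keys = Path(tmp, "keys")
        (keys / "alice").mkdir(parents=True)
        (keys / "alice" / "laptop").write_text(f"ssh-ed25519 {blob} alice@laptop\n")
        # File name tries to close the quoted command early.
        (keys / 'bob" x').write_text(f"ssh-ed25519 {blob}\n")
        # Key line tries to bring its own forced command.
        (keys / "carol").write_text(f'command="/bin/sh" ssh-ed25519 {blob}\n')
        return list(entries_for([keys]))

if __name__ == "__main__":
    for name, line in demo():
        print(name, "->", line)
```

Only the key under alice/laptop produces an entry; the file with a quote in its name and the key line carrying its own options are skipped, so neither can alter the forced command.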