doc/how-it-works
branchdebian
changeset 115 731a72b742db
parent 112 3035990989ee
equal deleted inserted replaced
99:e99262dfa950 115:731a72b742db
     1 HOW IT WORKS
     1 HOW IT WORKS
     2 
     2 
     3 When a developer attempts to connect to a repository via ssh, the SSH daemon
     3 When a developer attempts to connect to a repository via ssh, the SSH
     4 searches for a match for that user's key in ~hg/.ssh/authorized_keys. If the
     4 daemon searches for a match for that user's key in
     5 developer is authorised to connect to the repository they will have an entry
     5 ~hg/.ssh/authorized_keys. If the developer is authorised to connect to the
     6 in this file. The entry includes a "command" prefix which specifies that the
     6 repository they will have an entry in this file. The entry includes a
     7 restricted shell "/usr/local/lib/mercurial-server/hg-ssh" should be used; this
     7 "command" prefix which specifies that the restricted shell
     8 shell is passed an argument identifying the developer. The shell parses the
     8 "/usr/local/share/mercurial-server/hg-ssh" should be used; this shell is
     9 command the developer is trying to execute, and consults a rules file to see
     9 passed an argument identifying the developer. The shell parses the command
    10 if that developer is allowed to perform that action on that repository.
    10 the developer is trying to execute, and consults a rules file to see if
       
    11 that developer is allowed to perform that action on that repository.
    11 
    12 
    12 The file ~hg/.ssh/authorized_keys is generated by "refresh-auth", which
    13 The file ~hg/.ssh/authorized_keys is generated by "refresh-auth", which
    13 recurses through two directories of files containing SSH keys and generates an
    14 recurses through two directories of files containing SSH keys and generates
    14 entry in authorized_keys for each one, using the name of the key file as the
    15 an entry in authorized_keys for each one, using the name of the key file as
    15 identifier for the developer. These keys will live in the "keys" subdirectory
    16 the identifier for the developer. These keys will live in the "keys"
    16 "/etc/mercurial-server" and the "keys" subdirectory of a repository called
    17 subdirectory "/etc/mercurial-server" and the "keys" subdirectory of a
    17 "hgadmin". A hook in this repository re-runs "refresh-auth" on the most recent
    18 repository called "hgadmin". A hook in this repository re-runs
    18 version after every push.
    19 "refresh-auth" on the most recent version after every push.
    19 
    20 
    20 Finally, hook in an extension is run for each changeset that is remotely
    21 When users try to commit new changesets, a hook is run which consults the
    21 committed, which uses the rules file to determine whether to allow the
    22 rules file to decide whether to allow the changeset into the repository.
    22 changeset.
    23 This can depend not only on the user and the repository, but also the
       
    24 branch and files in the changeset.