equal
deleted
inserted
replaced
|
1 HOW IT WORKS |
|
2 |
|
3 When a developer attempts to connect to a repository via ssh, the SSH daemon |
|
4 searches for a match for that user's key in ~hg/.ssh/authorized_keys. If the |
|
5 developer is authorised to connect to the repository they will have an entry |
|
6 in this file. The entry includes a "command" prefix which specifies that the |
|
7 restricted shell "/usr/local/lib/mercurial-server/hg-ssh" should be used; this |
|
8 shell is passed an argument identifying the developer. The shell parses the |
|
9 command the developer is trying to execute, and consults a rules file to see |
|
10 if that developer is allowed to perform that action on that repository. |
|
11 |
|
12 The file ~hg/.ssh/authorized_keys is generated by "refresh-auth", which |
|
13 recurses through two directories of files containing SSH keys and generates an |
|
14 entry in authorized_keys for each one, using the name of the key file as the |
|
15 identifier for the developer. These keys will live in the "keys" subdirectory |
|
16 "/etc/mercurial-server" and the "keys" subdirectory of a repository called |
|
17 "hgadmin". A hook in this repository re-runs "refresh-auth" on the most recent |
|
18 version after every push. |
|
19 |
|
20 Finally, hook in an extension is run for each changeset that is remotely |
|
21 committed, which uses the rules file to determine whether to allow the |
|
22 changeset. |