doc/how-it-works
changeset 83 86ec1268d306
child 100 db219a5a14f8
82:7369ff737684 83:86ec1268d306
       
     1 HOW IT WORKS
       
     2 
       
     3 When a developer attempts to connect to a repository via ssh, the SSH daemon
       
     4 searches for a match for that user's key in ~hg/.ssh/authorized_keys. If the
       
     5 developer is authorised to connect to the repository they will have an entry
       
     6 in this file. The entry includes a "command" prefix which specifies that the
       
     7 restricted shell "/usr/local/lib/mercurial-server/hg-ssh" should be used; this
       
     8 shell is passed an argument identifying the developer. The shell parses the
       
     9 command the developer is trying to execute, and consults a rules file to see
       
    10 if that developer is allowed to perform that action on that repository.
       
    11 
       
    12 The file ~hg/.ssh/authorized_keys is generated by "refresh-auth", which
       
    13 recurses through two directories of files containing SSH keys and generates an
       
    14 entry in authorized_keys for each one, using the name of the key file as the
       
    15 identifier for the developer. These keys will live in the "keys" subdirectory
       
    16 "/etc/mercurial-server" and the "keys" subdirectory of a repository called
       
    17 "hgadmin". A hook in this repository re-runs "refresh-auth" on the most recent
       
    18 version after every push.
       
    19 
       
    20 Finally, hook in an extension is run for each changeset that is remotely
       
    21 committed, which uses the rules file to determine whether to allow the
       
    22 changeset.
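
Review bot: lines 12-15 say "refresh-auth" uses the name of each key file as the developer identifier, and lines 6-8 say that identifier is passed as an argument to hg-ssh through the "command" prefix, but the text never says how a file name becomes that argument. Please document which characters are accepted in key file names and how names found while recursing into subdirectories are represented, since the name ends up inside ~hg/.ssh/authorized_keys. Lines 16-18 imply that anyone who can push to "hgadmin" can add a key and so grant access; it is worth saying that explicitly so administrators treat write access to that repository with the same care as /etc/mercurial-server. The rules file is referred to on lines 9 and 21 without a path or a pointer to where its format is described. Two wording fixes: lines 15-16 should read `"keys" subdirectory of "/etc/mercurial-server"`, and line 20 should read "Finally, a hook in an extension is run ...".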