doc/how-it-works
changeset 163 8d73bcd75243
parent 162 1c0bc7d33648
child 164 32131253c2f1
equal deleted inserted replaced
162:1c0bc7d33648 163:8d73bcd75243
     1 HOW IT WORKS
       
     2 
       
     3 When a developer attempts to connect to a repository via ssh, the SSH
       
     4 daemon searches for a match for that user's key in
       
     5 ~hg/.ssh/authorized_keys. If the developer is authorised to connect to the
       
     6 repository they will have an entry in this file. The entry includes a
       
     7 "command" prefix which specifies that the restricted shell
       
     8 "/usr/local/share/mercurial-server/hg-ssh" should be used; this shell is
       
     9 passed an argument identifying the developer. The shell parses the command
       
    10 the developer is trying to execute, and consults a rules file to see if
       
    11 that developer is allowed to perform that action on that repository.
       
    12 
       
    13 The file ~hg/.ssh/authorized_keys is generated by "refresh-auth", which
       
    14 recurses through two directories of files containing SSH keys and generates
       
    15 an entry in authorized_keys for each one, using the name of the key file as
       
    16 the identifier for the developer. These keys will live in the "keys"
       
    17 subdirectory "/etc/mercurial-server" and the "keys" subdirectory of a
       
    18 repository called "hgadmin". A hook in this repository re-runs
       
    19 "refresh-auth" on the most recent version after every push.
       
    20 
       
    21 When users try to commit new changesets, a hook is run which consults the
       
    22 rules file to decide whether to allow the changeset into the repository.
       
    23 This can depend not only on the user and the repository, but also the
       
    24 branch and files in the changeset.