HOW IT WORKS

When a developer attempts to connect to a repository via ssh, the SSH daemon
searches for a match for that user's key in ~hg/.ssh/authorized_keys. If the
developer is authorised to connect to the repository they will have an entry
in this file. The entry includes a "command" prefix which specifies that the
restricted shell "/usr/local/lib/mercurial-server/hg-ssh" should be used; this
shell is passed an argument identifying the developer. The shell parses the
command the developer is trying to execute (the one the SSH daemon hands to a
forced command in SSH_ORIGINAL_COMMAND), and consults a rules file to see if
that developer is allowed to perform that action on that repository.

The file ~hg/.ssh/authorized_keys is generated by "refresh-auth", which
recurses through two directories of files containing SSH keys and generates an
entry in authorized_keys for each one, using the name of the key file as the
identifier for the developer. These keys live in the "keys" subdirectory of
"/etc/mercurial-server" and in the "keys" subdirectory of a repository called
"hgadmin". A hook in this repository re-runs "refresh-auth" on the most recent
version after every push.

Finally, a hook in an extension is run for each changeset that is remotely
committed, which uses the rules file to determine whether to allow the
changeset.
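The three stages described above (refresh-auth generating authorized_keys, the restricted shell checking the requested command against the rules file, and the per-changeset hook) modelled in one Python script. This is an added example written for this page, not mercurial-server's own refresh-auth, hg-ssh or rules implementation: the rules syntax, the name "rules" for the rules file, the key file names and the public keys are all constructed assumptions.

```python
"""Model of the flow described above: refresh-auth style generation of
~hg/.ssh/authorized_keys, an hg-ssh style check of the requested command, and
the per-changeset check. Added example, not the project's own code; the rules
syntax is a simplified stand-in (assumed), not mercurial-server's real format."""
import os
import re
import shlex
import tempfile
from fnmatch import fnmatch

HG_SSH = "/usr/local/lib/mercurial-server/hg-ssh"   # restricted shell named in the text
# No tunnels, no tty: a key that is valid only for hg must not become a general shell.
RESTRICTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
# The identifier is interpolated inside the quoted command= option, so allow only
# characters that cannot close the quote or smuggle extra arguments.
SAFE_IDENT = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*$")
LEVELS = {"deny": 0, "read": 1, "write": 2, "init": 3}

def authorized_keys_entries(key_roots):
    """refresh-auth model: each file under each root becomes one entry whose
    developer identifier is the file's path relative to that root."""
    entries = []
    for root in key_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):
                path = os.path.join(dirpath, name)
                ident = os.path.relpath(path, root)
                if not SAFE_IDENT.match(ident) or ".." in ident.split("/"):
                    raise ValueError(f"unsafe key file name: {ident!r}")
                with open(path) as f:
                    for key in f.read().splitlines():
                        key = key.strip()
                        if key and not key.startswith("#"):
                            entries.append(f'command="{HG_SSH} {ident}",{RESTRICTIONS} {key}')
    return entries

def requested_repo(original_command):
    """hg-ssh model: the client's command arrives in SSH_ORIGINAL_COMMAND. Accept
    exactly 'hg -R <repo> serve --stdio' and return <repo>; refuse anything else."""
    try:
        argv = shlex.split(original_command or "")
    except ValueError:
        return None
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        return None
    repo = argv[2].strip("/")
    if not repo or ".." in repo.split("/"):     # keep the client inside the repo root
        return None
    return repo

def parse_rules(text):
    """Assumed format, one rule per line, first match wins:
    '<level> [user=<glob>] [repo=<glob>] [file=<glob>]'.
    Rules carrying file= are consulted only by the per-changeset check."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        level, *conds = line.split()
        if level not in LEVELS:
            raise ValueError(f"unknown access level: {level}")
        rules.append((level, {k: v for k, _, v in (c.partition("=") for c in conds)}))
    return rules

def access_level(rules, user, repo, path=None):
    for level, c in rules:
        if "file" in c and (path is None or not fnmatch(path, c["file"])):
            continue
        if fnmatch(user, c.get("user", "*")) and fnmatch(repo, c.get("repo", "*")):
            return level
    return "deny"

def allowed(rules, user, repo, action):
    """Repository-level decision made before serving ('read', 'write' or 'init')."""
    return LEVELS[access_level(rules, user, repo)] >= LEVELS[action]

def changeset_allowed(rules, user, repo, changed_files):
    """Per-changeset hook model: every file the changeset touches must be writable."""
    return all(LEVELS[access_level(rules, user, repo, f)] >= LEVELS["write"]
               for f in changed_files)

# Constructed rules: developers may push their own keys into hgadmin but may not
# change anything else there (the file name 'rules' is an assumption).
RULES = """
init  user=root/*                               # keys under /etc/mercurial-server/keys/root
write user=users/*  repo=hgadmin  file=keys/*   # keys published via the hgadmin repository
deny  user=users/*  repo=hgadmin  file=*        # ...but nothing else in hgadmin
write user=users/*  repo=hgadmin
write user=users/*  repo=projects/*
read  user=*
"""

def build_demo_keys(base=None):
    """Write two constructed (not real) public keys in the layout the text
    describes and return the key roots in the order refresh-auth would visit them."""
    base = base or tempfile.mkdtemp()
    layout = {
        "etc/keys/root/admin": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotReal0001 admin@host",
        "hgadmin/keys/users/jane": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotReal0002 jane@laptop",
    }
    for rel, key in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(key + "\n")
    return [os.path.join(base, "etc/keys"), os.path.join(base, "hgadmin/keys")]
```

Two points worth checking on a real deployment follow from this model: the command= prefix is only a boundary if the accompanying no-pty/no-*-forwarding options are present (otherwise the key holder still gets port forwarding or agent forwarding through the hg account), and the restricted shell must reject every SSH_ORIGINAL_COMMAND except the exact hg serve form, since anything it passes through runs as the hg user with access to every repository.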