+
−hg-admin-tools version 0.1
+
−
+
−A set of tools for managing authorization and access control for
+
−ssh-based Hg repositories
+
−
+
−Paul Crowley, paul@lshift.net, 2008-04-15
+
−
+
−This software may be used and distributed according to the terms
+
−of the GNU General Public License, incorporated herein by reference.
+
−
+
−INSTRUCTIONS FOR USE:
+
−
+
−This is only one setup - it can be tweaked in many ways, and is as
+
−specific as it is only in the interests of brevity.
+
−
+
−You, and all users of your Hg repository, will need SSH public key
+
−authentication set up, preferably working with ssh-agent so you don't
+
−have to type in your passphrase all the time.  I assume you've done
+
−that in what follows, so if you've done something different you'll
+
−need to change it appropriately.
+
−
+
−Create a user called "hg" on the machine where the repository will
+
−live.  I used the command
+
−
+
−  sudo adduser --system --shell /bin/sh --group --disabled-password \
+
−    --gecos "Mercural repository" hg
+
−
+
−Now create a basic access control setup.  
+
−
+
−   cd
+
−   mkdir hg
+
−   cd hg
+
−   hg clone ssh://hg.opensource.lshift.net/hg-admin-tools hg-admin-tools
+
−   mkdir -p hgadmin/keys/admin
+
−   cd hgadmin
+
−   ssh-add -L > keys/admin/myname
+
−   echo "init admin/* *" > hg-ssh-access.conf
+
−   hg init .
+
−   hg add
+
−   hg commit -m "Initial configuration"
+
−
+
−You can use whatever you want in place of "myname" and indeed "admin".
+
−The files in ~/hg must be readable by the hg user.  Issue these
+
−commands to become the hg user and set up the repository
+
−
+
−   sudo -u hg -s
+
−   cd ~hg
+
−   mkdir admin repos
+
−   hg clone ~/hg/hg-admin-tools admin/hg-admin-tools
+
−   hg clone ~/hg/hgadmin repos/hgadmin
+
−   cp admin/hg-admin-tools/hgadmin-hgrc repos/hgadmin/.hg/hgrc
+
−   cp admin/hg-admin-tools/hg-ssh-wrapper hg-ssh-wrapper
+
−   cd repos/hgadmin
+
−   ../../admin/hg-admin-tools/refresh-auth
+
−    exit
+
−
+
−You should now have SSH access to this repository and full control,
+
−which you can test like so:
+
−
+
−   cd ~/hg/hgadmin
+
−   echo "[paths]" >> .hg/hgrc
+
−   echo "default = ssh://hg@localhost/hgadmin"  >> .hg/hgrc
+
−   hg pull
+
−   hg push
+
−
+
−These attempts to push and pull should report no new changes but
+
−otherwise work.
+
−
+
−You can now add other users by putting their keys in an appropriate
+
−subdirectory of the "keys" directory, and control their access by
+
−editing hg-ssh-access.conf.  Changes will take effect as soon as you
+
−push them to the remote ssh server.
+
−
+
−Each line of hg-ssh-access.conf has the following syntax:
+
−
+
−<rule> <keypattern> <repositorypattern>
+
−
+
−The "rule" is either "init", "allow", or "deny".  "keypattern" is a
+
−glob pattern matched against the name of the key used - for example,
+
−in our initial setup "admin/myname" matches "admin/*".
+
−"repositorypattern" is a pattern matched againt the repository name -
+
−so "hgadmin" matches "*".  Only boring characters are allowed in
+
−patterns and key and repository names - see the source for details.
+
−Blank lines and lines that start with "#" are ignored.
+
−
+
−