HOW IT WORKSWhen a developer attempts to connect to a repository via ssh, the SSH daemonsearches for a match for that user's key in ~hg/.ssh/authorized_keys. If thedeveloper is authorised to connect to the repository they will have an entryin this file. The entry includes a "command" prefix which specifies that therestricted shell "/usr/local/lib/mercurial-server/hg-ssh" should be used; thisshell is passed an argument identifying the developer. The shell parses thecommand the developer is trying to execute, and consults a rules file to seeif that developer is allowed to perform that action on that repository.The file ~hg/.ssh/authorized_keys is generated by "refresh-auth", whichrecurses through two directories of files containing SSH keys and generates anentry in authorized_keys for each one, using the name of the key file as theidentifier for the developer. These keys will live in the "keys" subdirectory"/etc/mercurial-server" and the "keys" subdirectory of a repository called"hgadmin". A hook in this repository re-runs "refresh-auth" on the most recentversion after every push.Finally, hook in an extension is run for each changeset that is remotelycommitted, which uses the rules file to determine whether to allow thechangeset.