# HG changeset patch # User Paul Crowley # Date 1208442970 -3600 # Node ID 524b4a45ef0a16d5574e41f54b780454f096074e # Parent 21d9048136dcda5a5131d9058baff17d55651d4e wrap overlong lines diff -r 21d9048136dc -r 524b4a45ef0a README --- a/README Thu Apr 17 11:55:04 2008 +0100 +++ b/README Thu Apr 17 15:36:10 2008 +0100 @@ -10,13 +10,20 @@ INSTRUCTIONS FOR USE: -This is only one setup - it can be tweaked in many ways, and is as specific as it is only in the interests of brevity. - -You, and all users of your Hg repository, will need SSH public key authentication set up, preferably working with ssh-agent so you don't have to type in your passphrase all the time. I assume you've done that in what follows, so if you've done something different you'll need to change it appropriately. +This is only one setup - it can be tweaked in many ways, and is as +specific as it is only in the interests of brevity. -Create a user called "hg" on the machine where the repository will live. I used the command +You, and all users of your Hg repository, will need SSH public key +authentication set up, preferably working with ssh-agent so you don't +have to type in your passphrase all the time. I assume you've done +that in what follows, so if you've done something different you'll +need to change it appropriately. -sudo adduser --system --shell /bin/sh --group --disabled-password --gecos "Mercural repository" hg +Create a user called "hg" on the machine where the repository will +live. I used the command + + sudo adduser --system --shell /bin/sh --group --disabled-password \ + --gecos "Mercural repository" hg Now create a basic access control setup. 
@@ -32,7 +39,9 @@ hg add hg commit -m "Initial configuration" -You can use whatever you want in place of "myname" and indeed "admin". The files in ~/hg must be readable by the hg user. Issue these commands to become the hg user and set up the repository +You can use whatever you want in place of "myname" and indeed "admin". +The files in ~/hg must be readable by the hg user. Issue these +commands to become the hg user and set up the repository sudo -u hg -s cd ~hg @@ -45,7 +54,8 @@ ../../admin/hg-admin-tools/refresh-auth exit -You should now have SSH access to this repository and full control, which you can test like so: +You should now have SSH access to this repository and full control, +which you can test like so: cd ~/hg/hgadmin echo "[paths]" >> .hg/hgrc 
@@ -53,14 +63,24 @@ hg pull hg push -These attempts to push and pull should report no new changes but otherwise work. +These attempts to push and pull should report no new changes but +otherwise work. -You can now add other users by putting their keys in an appropriate subdirectory of the "keys" directory, and control their access by editing hg-ssh-access.conf. Changes will take effect as soon as you push them to the remote ssh server. +You can now add other users by putting their keys in an appropriate +subdirectory of the "keys" directory, and control their access by +editing hg-ssh-access.conf. Changes will take effect as soon as you +push them to the remote ssh server. -hg-ssh-access.conf has the following syntax: +Each line of hg-ssh-access.conf has the following syntax: -The "rule" is either "init", "allow", or "deny". "keypattern" is a glob pattern matched against the name of the key used - for example, in our initial setup "admin/myname" matches "admin/*". "repositorypattern" is a pattern matched againt the repository name - so "hgadmin" matches "*". Only boring characters are allowed in patterns and key and repository names - see the source for details. Blank lines and lines that start with "#" are ignored. +The "rule" is either "init", "allow", or "deny". "keypattern" is a +glob pattern matched against the name of the key used - for example, +in our initial setup "admin/myname" matches "admin/*". +"repositorypattern" is a pattern matched againt the repository name - +so "hgadmin" matches "*". Only boring characters are allowed in +patterns and key and repository names - see the source for details. +Blank lines and lines that start with "#" are ignored. diff -r 21d9048136dc -r 524b4a45ef0a hg-ssh --- a/hg-ssh Thu Apr 17 11:55:04 2008 +0100 +++ b/hg-ssh Thu Apr 17 15:36:10 2008 +0100 
@@ -11,14 +11,18 @@ # of the GNU General Public License, incorporated herein by reference. """ -hg-ssh - limit access to hg repositories reached via ssh. Part of hg-admin-tools. +hg-ssh - limit access to hg repositories reached via ssh. Part of +hg-admin-tools. This script is called by hg-ssh-wrapper with two arguments: hg-ssh -It expects to find the command the SSH user was trying to run in the environment variable -SSH_ORIGINAL_COMMAND, and uses it to determine what the user was trying to do and to what repository, and then checks each rule in the rule file in turn for a matching rule which decides what to do, defaulting to disallowing the action. +It expects to find the command the SSH user was trying to run in the +environment variable SSH_ORIGINAL_COMMAND, and uses it to determine +what the user was trying to do and to what repository, and then checks +each rule in the rule file in turn for a matching rule which decides +what to do, defaulting to disallowing the action. """ # enable importing on demand to reduce startup time @@ -89,6 +93,7 @@ rulefile = sys.argv[1] keyname = sys.argv[2] -todispatch = get_cmd(rulefile, keyname, os.environ.get('SSH_ORIGINAL_COMMAND', '?')) +todispatch = get_cmd(rulefile, keyname, + os.environ.get('SSH_ORIGINAL_COMMAND', '?')) dispatch.dispatch(todispatch) diff -r 21d9048136dc -r 524b4a45ef0a hg-ssh-wrapper --- a/hg-ssh-wrapper Thu Apr 17 11:55:04 2008 +0100 +++ b/hg-ssh-wrapper Thu Apr 17 15:36:10 2008 +0100 
@@ -1,18 +1,22 @@ #!/bin/sh -# This file needs to be saved as ~/hg-ssh-wrapper for the user whose ~/.ssh/authorized_keys file -# is rewritten by refresh-auth. It expects to be specified as the target of the "command" section -# in the prefix of a key in the authorized_keys file, and be passed a name associated with an -# ssh key as its only argument. It does some setting up before calling hg-ssh, which does the real -# work of deciding whether to allow the users action based on the type of the action, the key name, -# and the contents of the specified rules file. +# This file needs to be saved as ~/hg-ssh-wrapper for the user whose +# ~/.ssh/authorized_keys file is rewritten by refresh-auth. It expects +# to be specified as the target of the "command" section in the prefix +# of a key in the authorized_keys file, and be passed a name associated +# with an ssh key as its only argument. It does some setting up before +# calling hg-ssh, which does the real work of deciding whether to allow +# the users action based on the type of the action, the key name, and +# the contents of the specified rules file. -# If your repository is laid out differently you may need to modify this file. +# If your repository is laid out differently you may need to modify +# this file. set -e # Use a different hgrc for remote pulls - this way you can set # up notify for everything at once without affecting local operations +# # HGRCPATH=$(pwd)/remote-hgrc # export HGRCPATH
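Review bot: the rewrapped `adduser` command in the README hunk at `@@ -10,13 +10,20 @@` carries over the typo in the GECOS field, `--gecos "Mercural repository"`; since the line is being rewritten anyway, change it to `--gecos "Mercurial repository"` so users who paste the command get a correctly labelled system account.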
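Review bot: in the README hunk at `@@ -53,14 +63,24 @@`, the change from `hg-ssh-access.conf has the following syntax:` to `Each line of hg-ssh-access.conf has the following syntax:` is a wording change rather than a line wrap, so it does not belong in a commit whose message is "wrap overlong lines"; split it out, and while touching this paragraph fix `matched againt` to `matched against`. The sentence `Only boring characters are allowed in patterns and key and repository names - see the source for details.` should list the allowed character set in the README itself rather than defer to the code: that restriction is part of the access-control contract, and an administrator editing the rules file should be able to see it without reading the source.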
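Review bot: the rewrapped docstring in the hg-ssh hunk at `@@ -11,14 +11,18 @@` still leaves the rule-matching semantics ambiguous: `checks each rule in the rule file in turn for a matching rule which decides what to do` does not say whether the first matching rule wins or whether a later rule can override an earlier one. Since the README documents `init`, `allow` and `deny` rules, state the precedence explicitly here (and in the README), because an administrator who places a broad `allow` above a narrow `deny` needs to know which of the two applies.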
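Review bot: in the hg-ssh hunk at `@@ -89,6 +93,7 @@`, the `'?'` fallback in `os.environ.get('SSH_ORIGINAL_COMMAND', '?')` (the case where the client requested an interactive session rather than a command, so sshd sets no `SSH_ORIGINAL_COMMAND`) relies on `get_cmd` treating an unrecognised command as denied, per the docstring's `defaulting to disallowing the action`. That is the right outcome but it is implicit; an explicit `if 'SSH_ORIGINAL_COMMAND' not in os.environ:` branch that prints a short message and exits non-zero documents the intent and gives the user a meaningful error instead of whatever the `?` path reports.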
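Review bot: in the rewrapped header comment of the hg-ssh-wrapper hunk at `@@ -1,18 +1,22 @@`, `whether to allow the users action` should read `the user's action`. The bare `#` line added before the commented-out `HGRCPATH=$(pwd)/remote-hgrc` example is fine, but the example deserves one more sentence: when sshd runs this wrapper as the forced command, the working directory is the hg user's home directory, so `$(pwd)` resolves there; saying so avoids a reader assuming it refers to the repository directory.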