Home / server / Questions / 344096
Accepted
Brian Lacy
Asked: 2011-03-04 17:13:15 +0800 CST

Mercurial: How to setup hg-ssh with user/pass?

  • 772

I need to give certain outside developers access to create Mercurial repositories on our server. However, I don't necessarily want them to have actual SSH logins to browse the server -- or at the least, I only want to create one SSH account. I like the idea that hg-ssh based solutions involve creating a single login exclusively for Mercurial usage, but I don't really understand the process of setting this up.

I know there's something about creating an authentication key for password-less authentication, but I don't really care about that; I'd just as soon have them enter a password. Regardless, I just need this setup ASAP with minimal server access?

ssh mercurial

2 Answers

  1. Best Answer

    You must use SSH keys if you want to use hg-ssh — the restricted shell is only triggered when you log in with a SSH key. Read the header in hg-ssh for instructions on how to set it up:

    To be used in ~/.ssh/authorized_keys with the command option, see sshd(8):

    command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ...

    (probably together with these other useful options: no-port-forwarding, no-X11-forwarding, no-agent-forwarding)

    This allows pull/push over SSH from/to the repositories given as arguments. If all your repositories are subdirectories of a common directory, you can allow shorter paths with:

    command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2"

    You can use pattern matching of your normal shell, e.g.:

    command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}"
    • 1

  2. hg-ssh use a feature of SSH where you can force execution of a command and only this command when a specific SSH key is used.

    If you configured a key to execute /bin/echo "Hello, goodbye" and you startssh login@host /bin/ls` , the output will be "Hello, goodbye" and the connection will end.

    • 0