Current state of the art in sharing repositories via SSH

Tom Anderson tom.anderson at
Wed Jun 29 06:47:22 CDT 2011

On 28 June 2011 20:15, Matt Mackall <mpm at> wrote:
> On Tue, 2011-06-28 at 19:40 +0100, Tom Anderson wrote:
>> It seems a shame that the ACL extension can't be used with a shared
>> account.
> As it happens, Mercurial (and Python) will honor the LOGNAME environment
> variable here today:
> $ LOGNAME=foo python -c 'import getpass; print getpass.getuser()'
> foo

Aha! That makes life very considerably simpler, thanks.

I've actually just got a shared login working on a local machine with
the ACL extension and a minimal amount of setup.

(1) Change /etc/ssh/sshd_config to add:

PermitUserEnvironment yes

Which enables environment option processing in the authorized_keys file.

(2) Added an entry to authorized_keys like:

ssh-rsa AAAAB3NzaC1yc2EAAAA...

And i can now do push operations as Bob!

This is not actually suitable for real use, though, as i can still do
anything else via ssh. It needs to have a command= to lock that down,
similar to the ones used by other methods. So, instead:

ssh-rsa AAAAB3NzaC1yc2EAAAA...

Then in ~hg/bin/

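#! /bin/bash -eu
# $1 is taken as the user name to run as.
export LOGNAME=$1
# Assumption: hg is located on PATH; the script as posted never sets HG.
HG=$(command -v hg)
# Assumption: the client's request is read from SSH_ORIGINAL_COMMAND, which sshd
# sets when a forced command is in effect, and split into positional parameters.
set -f
set -- $SSH_ORIGINAL_COMMAND
# Allow only "hg -R <repo> serve --stdio"; with -e, any failed test aborts.
[[ $# -eq 5 ]]
[[ "$1" == "hg" ]]
[[ "$2" == "-R" ]]
[[ -d "$3/.hg" ]]
[[ "$4" == "serve" ]]
[[ "$5" == "--stdio" ]]
exec "$HG" "$@"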

And there we have it. A shared SSH login which uses the ACL extension.

That script could be improved in a few ways. It could somehow check
that the target repository has ACLs enabled, so that users can't touch
unsecured repositories. Or it could check that the repository was on a
master whitelist of exported repositories. If it rejects a connection,
rather than simply bombing out, it could write to stderr (for the
client) and syslog (for the admin) to say why.

Does anyone see any problems with this?

If i polished this up a bit, would it be worth adding to the wiki page
for the AclExtension and SharedSSH?
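
Two of the improvements suggested in the message above (a whitelist of exported repositories, and reporting a rejection on stderr and in syslog), written as a POSIX sh forced-command wrapper. This is an added example, not part of the original post: it assumes the request arrives in SSH_ORIGINAL_COMMAND, the names ALLOWED_REPOS, check_request, main and the hg-wrapper syslog tag are hypothetical, and the check that ACLs are enabled is left out.

```sh
#!/bin/sh
# Added example (not from the original post). Hypothetical names:
# ALLOWED_REPOS, check_request, main, and the "hg-wrapper" syslog tag.
ALLOWED_REPOS=${ALLOWED_REPOS:-$HOME/allowed-repos}   # one repository path per line

# check_request CMD
# Prints the repository path and returns 0 only if CMD is exactly
# "hg -R <repo> serve --stdio" and <repo> is listed in ALLOWED_REPOS.
# Otherwise prints the reason for the rejection and returns 1.
check_request() {
    set -f          # split the client's command into words without globbing
    set -- $1
    set +f
    if [ $# -ne 5 ] || [ "$1" != hg ] || [ "$2" != -R ] ||
       [ "$4" != serve ] || [ "$5" != --stdio ]; then
        echo "only 'hg -R <repo> serve --stdio' is allowed"
        return 1
    fi
    if ! grep -Fxq -- "$3" "$ALLOWED_REPOS" 2>/dev/null; then
        echo "repository '$3' is not on the whitelist"
        return 1
    fi
    if [ ! -d "$3/.hg" ]; then
        echo "no Mercurial repository at '$3'"
        return 1
    fi
    echo "$3"
}

# main USER: serve the request as USER, or say why not on stderr and in syslog.
main() {
    user=$1
    if result=$(check_request "${SSH_ORIGINAL_COMMAND-}"); then
        LOGNAME=$user
        export LOGNAME
        exec hg -R "$result" serve --stdio
    fi
    echo "hg-wrapper: rejected: $result" >&2                              # client
    logger -t hg-wrapper -p auth.notice "user=$user rejected: $result"    # admin
    exit 1
}

# Runs only when given a user name, e.g. from a command= entry in authorized_keys.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

The whitelist is matched as an exact string, so a path containing spaces or a differently spelled route to a listed repository is rejected rather than normalised.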


