Differences between revisions 1 and 40 (spanning 39 versions)
Revision 1 as of 2005-12-22 19:17:40
Size: 6244
Editor: MarcSchaefer
Comment:
Revision 40 as of 2009-12-18 14:20:23
Size: 2540
Editor: ciphergoth
Comment: Now mercurial-server ahs a web page, link to that.
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
As described on MultipleCommitters, one way of collaboration (the CVS-like model)
is setting up a central repository every user pushes his changes to and pulls
the others' changes from. This page describes how to create such repositories
accessible via a shared ssh account.
This page describes how to create repositories
accessible via a '''single shared ssh account''' without needing to give full shell access
to other people. That's just one of many ways to make your repository available to MultipleCommitters, and not necessarily the most common. See PublishingRepositories for a good overview of many ways to allow others to interact with your repository.
Line 6: Line 5:
    '''Note:''' The following instructions describe the very personal setup we
    use on our system. I decided to add this page because the configuration
    described here a) works for mercurial out of the box and b) solves some
    problems from [http://www.kitenet.net/~joey/sshcvs/]: In particular, it
    allows distinguishing multiple committers and a (crude) form of permissions.
    It is most probably neither the best nor the most elegant way and I don't
    promise anything more than that it works for me.
    --- MarcSchaefer
== mercurial-server ==
Line 15: Line 7:
== How this works == /!\ This is not '''''the''' mercurial server''. This is a piece of software for effectively letting a single shared ssh account be safely used by multiple people. If you're just looking to make your repository available read PublishingRepositories for a list of options.
Line 17: Line 9:
When accessing a remote repository via mercurial's ssh repository type, ''hg'' mercurial-server provides the most complete and easiest-to-use solution to this problem for hosting a collection of repositories on Unix systems. Installing mercurial-server creates a new user, "hg", which will own all the repositories to be shared. Giving access to a new user is as simple as adding their SSH key to a special repository and pushing the changes. mercurial-server can enforce fine-grained permissions and logs all events.

 * [[http://www.lshift.net/mercurial-server.html]]

  mercurial-server is descended from hg-ssh.

== hg-ssh ==

  hg-ssh is a python script available in [[http://www.selenic.com/repo/hg-stable/raw-file/tip/contrib/hg-ssh|contrib/hg-ssh]] and was probably installed along with your mercurial software. Allowed repositories are managed directly in the authorized_keys file.

  Look at the start of the script for usage instructions. When possible use the version that matches your installed version of mercurial.


== hg-login ==

  HgLogin is a system by MarcSchaefer for creating restricted shared user accounts.

== How these work ==

When accessing a remote repository via Mercurial's ssh repository type, ''hg''
Line 21: Line 32:
$ ssh remote.server hg -R /path/to/repos serve --stdio $ ssh hg.example.com hg -R /path/to/repos serve --stdio
Line 26: Line 37:
can do all the sanity checks we want and then execs ''hg'' just like ssh would can do all the sanity checks we want and then calls ''hg'' just like ssh would
Line 28: Line 39:
his own entry in authorized_keys, which allows the script to distinguish his own entry in authorized_keys, which allows the scripts to distinguish
Line 31: Line 42:
== Setting up the shared SSH account == See also AclExtension, HgWebDirStepByStep, PublishingRepositories, and MultipleCommitters
Line 33: Line 44:
The first step is creating a dedicated user on the server side -- let's call
it ''mercurial''. Nobody should be able to log into this account with a
password, so set the password field in the /etc/passwd to *. It needs a valid
shell though, since sshd always calls scripts through the shell. Then, copy
the ''hg-login'' script at the end of this page into the home directory
and create a directory ''repositories'', which will contain (wait for it)
the repositories (duh).

Note that everybody with read/write permissions to the ''repository'' directory
can read/write to the repositories directly, so you might want to prevent
that.

== Allowing connections from a user ==

Every user needs his own public/private key (see the manpage of ''ssh-keygen''
for how to create one). Append it to ''~mercurial/.ssh/authorized_keys''
on the server side, prefixed with some options to grant access to mercurial only.
More precisely, every line has to look like this:

{{{
command="/home/mercurial/hg-login [user]",no-port-forwarding,no-X11-forwarding,no-pty ssh-[type] [key]
}}}

Here ''[user]'' is an identifier which will later be used for granting
access to a repository, ''[type]'' is dsa or rsa depending on the key type
and ''[key]'' is the key itself, followed by an optional comment.

On every connect, the user must be able to present the corresponding
private key, for example by adding it to his ssh-agent.

== Creating repositories and setting permissions ==

Creating a shared repository is simple: Just initialise it in ''repositories''
like every other repository. However, nobody will be able to access it unless
you grant them permission. To allow a user to access the repository
''~mercurial/repositories/<repos>'', create a file
''~mercurial/repositories/<repos>.allow''
which contains his username (the one from ''authorized_keys'') alone on a line.

Note that it is not possible to only grant read rights -- it's full access
or nothing.

== The hg-login script ==

The following is a (Perl) script (sorry ;) ) to mediate the access to the
shared repositories. It first of all checks the supplied username and the
command that is to be executed for sanity (usernames must be alphanumeric,
starting with a letter), then normalises and checks the repository path
(creating subdirectories in ''repositories'' is allowed, but file names
must match ^[a-zA-Z0-9][a-zA-Z0-9-:+.]$). Only if these checks pass
and the desired repository exists and allows access by the user, the
server process is started.

{{{
#!/usr/bin/perl -w -T
use strict;

$ENV{PATH} = '/usr/local/bin:/usr/bin:/bin';

my $hg = '/usr/local/bin/hg';
my $repositories = '/home/mercurial/repositories';

# The following character classes describe the allowed user-
# and repository names. Note that we forbid all path constituents
# which begin with a dot -- look ma, no directory traversal.

my $r_user = qr#[a-zA-Z][a-zA-Z0-9]*#;
my $r_file = qr#[a-zA-Z0-9][a-zA-Z0-9-:+.]*#;

# The username is given as the first argument (from command=
# in authorized_keys), sshd is kind enough to pass the requested
# command as an environment variable.

my $user_in = $ARGV[0];
my $cmd_in = $ENV{SSH_ORIGINAL_COMMAND} || '';

# First, basic sanity checking on the username. The assignment
# is necessary to convince Perl that the username is no longer
# tainted.

defined $user_in
    or die "No username given.\n";
my ($user) = $user_in =~ /^($r_user)$/
    or die "Invalid username `$user_in'.}n";

# The command passed by hg has a very specific structure: Check that.

my ($repos) = $cmd_in =~ m#^hg -R (\S+) serve --stdio$#
    or die "Invalid command `$cmd_in' requested.\n";

# Now for the repository path: We assume that it consists of $r_files
# separated by slashes. Leading and trailing ones are ignored.

s#^/+##, s#/+$##, s#/+#/#g for $repos;

my $path = '';
foreach my $file_in (split m#/#, $repos) {
    my ($file) = $file_in =~ /^($r_file)$/
        or die "Invalid repository path `$repos'";
    $path .= "/$file";
}

# Only the toplevel-directory of every mercurial repository contains
# a subdir `.hg'.

-d "$repositories/$path/.hg" or die "No such repository `$path'.\n";

# Now for permissions ...

open my $perms, '<', "$repositories/$path.allow"
    or die "No such repositoriy `$path'.\n";

chomp( my @allowed_in = <$perms> );

close $perms;

my $allowed = '';
$user eq $_ and $allowed = 1 for @allowed_in;
$allowed or die "No such repository `$path'.\n";

# Ok, everything is in order: go for it.

exec $hg, '-R', "$repositories/$path", 'serve', '--stdio';
die "Unable to exec `hg' on repository `$path' ($!)\n";
}}}
----
CategoryWeb CategoryHowTo

This page describes how to create repositories accessible via a single shared ssh account without needing to give full shell access to other people. That's just one of many ways to make your repository available to MultipleCommitters, and not necessarily the most common. See PublishingRepositories for a good overview of many ways to allow others to interact with your repository.

mercurial-server

/!\ This is not the mercurial server. This is a piece of software for effectively letting a single shared ssh account be safely used by multiple people. If you're just looking to make your repository available read PublishingRepositories for a list of options.

mercurial-server provides the most complete and easiest-to-use solution to this problem for hosting a collection of repositories on Unix systems. Installing mercurial-server creates a new user, "hg", which will own all the repositories to be shared. Giving access to a new user is as simple as adding their SSH key to a special repository and pushing the changes. mercurial-server can enforce fine-grained permissions and logs all events.

hg-ssh

  • hg-ssh is a python script available in contrib/hg-ssh and was probably installed along with your mercurial software. Allowed repositories are managed directly in the authorized_keys file. Look at the start of the script for usage instructions. When possible use the version that matches your installed version of mercurial.

hg-login

How these work

When accessing a remote repository via Mercurial's ssh repository type, hg basically does a

$ ssh hg.example.com hg -R /path/to/repos serve --stdio

and relies on ssh for authentication and tunneling. When using public key authentication, ssh allows limiting the user to one specific command, which can do all the sanity checks we want and then calls hg just like ssh would in the example above. Note that every user gets his own private key and his own entry in authorized_keys, which allows the scripts to distinguish between different users and thus enforce e.g. access permissions.

See also AclExtension, HgWebDirStepByStep, PublishingRepositories, and MultipleCommitters


CategoryWeb CategoryHowTo

SharedSSH (last edited 2020-05-03 08:02:54 by timeless)