f54bf3ba06
Mercurial repositories using SSH public key authentication; it provides convenient and fine-grained key management and access control. All of the repositories controlled by mercurial-server are owned by a single user (the "hg" user in what follows), but many remote users can act on them, and different users can have different permissions. We don't use file permissions to achieve that - instead, developers log in as the "hg" user when they connect to the repository host using SSH, using SSH URLs of the form "ssh://hg@repository-host/repository-name". A restricted shell prevents them from using this access for unauthorized purposes. Developers are authenticated only using SSH keys; no other form of authentication is supported. To give a user access to the repository, place their key in an appropriately-named subdirectory of "/usr/lcoal/etc/mercurialserver/keys" and run "refresh-auth". You can then control what access they have to what repositories by editing the control file "/usr/local/etc/mercurialserver/access.conf", which can match the names of these keys against a glob pattern. For convenient remote control of access, you can instead (if you have the privileges) make changes to a special repository called "hgadmin", which contains its own "access.conf" file and "keys" directory. Changes pushed to this repository take effect immediately. The two "access.conf" files are concatenated, and the keys directories merged. WWW: http://www.lshift.net/mercurial-server.html PR: ports/151993 Submitted by: Aldis Berjoza <aldis at bsdroot.lv>
28 lines
1.5 KiB
Text
28 lines
1.5 KiB
Text
mercurial-server gives your developers remote read/write access to centralized
|
|
Mercurial repositories using SSH public key authentication; it provides
|
|
convenient and fine-grained key management and access control.
|
|
|
|
All of the repositories controlled by mercurial-server are owned by a single
|
|
user (the "hg" user in what follows), but many remote users can act on them,
|
|
and different users can have different permissions. We don't use file
|
|
permissions to achieve that - instead, developers log in as the "hg" user
|
|
when they connect to the repository host using SSH, using SSH URLs of the
|
|
form "ssh://hg@repository-host/repository-name". A restricted shell prevents
|
|
them from using this access for unauthorized purposes. Developers
|
|
are authenticated only using SSH keys; no other form of authentication is
|
|
supported.
|
|
|
|
To give a user access to the repository, place their key in an
|
|
appropriately-named subdirectory of "/usr/lcoal/etc/mercurialserver/keys"
|
|
and run "refresh-auth". You can then control what access they have to what
|
|
repositories by editing the control file
|
|
"/usr/local/etc/mercurialserver/access.conf", which can match the names of
|
|
these keys against a glob pattern.
|
|
|
|
For convenient remote control of access, you can instead (if you have the
|
|
privileges) make changes to a special repository called "hgadmin", which
|
|
contains its own "access.conf" file and "keys" directory. Changes pushed to
|
|
this repository take effect immediately. The two "access.conf" files are
|
|
concatenated, and the keys directories merged.
|
|
|
|
WWW: http://www.lshift.net/mercurial-server.html
|