May 26, 2018

Software for hosting mercurial repositories

mercurial-server gives your developers remote read/write access to centralized Mercurial repositories using SSH public key authentication; it provides convenient and fine-grained key management and access control.

All of the repositories controlled by mercurial-server are owned by a single user the “hg” user in what follows, but many remote users can act on them, and different users can have different permissions. We don’t use file permissions to achieve that - instead, developers log in as the “hg” user when they connect to the repository host using SSH, using SSH URLs of the form “ssh//hg@repository-host/repository-name”. A restricted shell prevents them from using this access for unauthorized purposes. Developers are authenticated only using SSH keys; no other form of authentication is supported.

To give a user access to the repository, place their key in an appropriately-named subdirectory of “/usr/lcoal/etc/mercurialserver/keys” and run “refresh-auth”. You can then control what access they have to what repositories by editing the control file “/usr/local/etc/mercurialserver/access.conf”, which can match the names of these keys against a glob pattern.

For convenient remote control of access, you can instead if you have the privileges make changes to a special repository called “hgadmin”, which contains its own “access.conf” file and “keys” directory. Changes pushed to this repository take effect immediately. The two “access.conf” files are concatenated, and the keys directories merged.

WWW http//