
Installing Mercurial Server and Using SSH Authorization

A few days ago, I was assigned the task of setting up a Mercurial repository on one of the local machines, with one condition: mandatory authorization via SSH. The installation uses Mercurial Server on 64-bit Ubuntu Server.

Installing Mercurial Server


The first thing that came to mind was installing from the repositories. After updating the package lists and running the command:
apt-get install -y mercurial-server

I found that version 1.0.1-1 was installed, which is not the latest.
A deb package with version 1.2-1 was available on the official website, and I installed it with the command:
dpkg -i mercurial-server_1.2-1_all.deb


Setting up SSH for key authentication


Because I wanted the keys of all users who have access to the server via SSH to be stored in one place, the following line was added to the /etc/ssh/sshd_config file:
AuthorizedKeysFile /etc/ssh/keys/%u.pub
It means that the key files are stored in the /etc/ssh/keys/ folder and are named username.pub.

Configuring Mercurial Server


The Mercurial Server home directory, which holds its configs, is /var/lib/mercurial-server. We are interested in the .mercurial-server file, which is where the main server configuration is stored. There you can change the paths to repositories, directories with public keys, etc. Because my repositories were moved to another disk, I changed the repos variable accordingly.
Users are divided into two groups: root (have full rights to all repositories, including creating them) and users (have the right to pull and push).
The keys of the users who should have access to the server should be placed in the /etc/mercurial-server/keys/users folder, and the keys of the administrators should be placed in /etc/mercurial-server/keys/root.
Hgadmin special repository

After the server is installed, the hgadmin service repository is automatically created, in which you can store user and administrator keys. This is very convenient, because there is no need to upload user keys manually.
The structure is exactly the same as in the system, i.e. the keys are stored in /hgadmin/keys/users and /hgadmin/keys/root for users and administrators, respectively.
You can also store the access.conf file there, which is responsible for user access rights.

Final setting


Since the hg user's access keys are stored in ~/.ssh/authorized_keys by default, we need to create a symbolic link in the /etc/ssh/keys/ directory. To do this, run the command:
  ln -s /var/lib/mercurial-server/.ssh/authorized_keys /etc/ssh/keys/hg.pub 


After a key is placed in /etc/mercurial-server/keys, the access rights need to be updated. To do this, run the following command:
 sudo -u hg /usr/share/mercurial-server/refresh-auth 

If keys were added using hgadmin, then the changes take effect automatically.
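
With StrictModes enabled (the sshd default), sshd does not use a key file that other users could modify, and since /etc/ssh/keys/hg.pub is a symlink, the real file under /var/lib/mercurial-server/.ssh and its parent directories are what need protecting. The following audit script is an added example, not part of the original article or of Mercurial Server; the function names are hypothetical, it checks write bits only (not ownership), and it assumes readlink -f is available:

```shell
#!/bin/sh
# Added example, not from the original article. Mode audit for key files
# referenced by "AuthorizedKeysFile /etc/ssh/keys/%u.pub".

# loose PATH: succeeds if PATH is group- or world-writable.
loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# audit_keyfile FILE [STOP]: resolve symlinks, then check the file and each
# parent directory up to STOP (default /). Prints findings; returns 1 on any.
audit_keyfile() {
    file=$1 stop=${2:-/} rc=0
    if [ ! -e "$file" ]; then
        echo "MISSING $file (absent or dangling symlink)"; return 1
    fi
    p=$(readlink -f "$file"); stop=$(readlink -f "$stop")
    while :; do
        if loose "$p"; then echo "WRITABLE $p"; rc=1; fi
        if [ "$p" = "$stop" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return "$rc"
}

# audit_keydir DIR [STOP]: audit every *.pub entry in DIR.
audit_keydir() {
    dir_rc=0
    for f in "$1"/*.pub; do
        if [ -e "$f" ] || [ -L "$f" ]; then
            audit_keyfile "$f" "${2:-/}" || dir_rc=1
        fi
    done
    return "$dir_rc"
}

# demo: constructed tree standing in for /etc/ssh/keys and the hg home.
demo() {
    t=$(mktemp -d); mkdir -p "$t/keys" "$t/hg/.ssh"
    : > "$t/hg/.ssh/authorized_keys"; chmod -R go-w "$t"
    ln -s "$t/hg/.ssh/authorized_keys" "$t/keys/hg.pub"
    chmod g+w "$t/hg/.ssh"            # simulate a loosened directory
    audit_keydir "$t/keys" "$t"; demo_rc=$?
    rm -rf "$t"; return "$demo_rc"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On the server, source the file and run audit_keydir /etc/ssh/keys as root; any WRITABLE or MISSING line points at a path to fix before relying on that key file.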

Accessing the repository with TortoiseHg


The first step is to download Pageant, which supplies the private key to TortoiseHg when needed. For convenience, I wrote a batch file that runs at system startup. Its purpose is to add the private key to Pageant.
start pageant.exe node.ppk

After starting Pageant, all that remains is to clone the repository.
We clone the special hgadmin repository with the command:
hg clone ssh://hg@server/hgadmin

You can create a new repository with the command:
hg init ssh://hg@server/myrep

Useful links

Source: https://habr.com/ru/post/140347/

