Remote access to mercurial repository
(2014-12-14)
When allowing others to clone a mercurial repository, it is important to organize easy and stable access, which works as well from behind a firewall. We discuss two methods from our daily pratice which allow to organize this.
Resources
Intranet access via hg serve
Mercurial has a built-in web server which allows to easily set up remote access to a repository. It is just like this (issued on myhost.institute.com):
myhost$ hg serve --daemon --port 8100This command starts the server and makes it available under the URLS
http://myhost.institute.com:8100and (being logged into system myhost)
http://localhost:8100The URL can be used to browse the repository and to clone it.
By default it is not possible to push changes to a repository published this way. Pushing has to be explicitely allowed in the config file by setting
[web]
push_ssl=false
allow_push=*A repository published this way can be read by everyone who is allowed to access port 8100 on host myhost.institute.com Moreover, this connection is unencrypted. As a consequence, this method makes sense only in an intranet with trusted users behind a firewall. It should be noted, that instead of *, a list of user names can be written, but this authentication would not be very safe.
Remote access via hg serve and ssh tunnel
From behind a firewall, there is the option to access such a repository from outside for any user who can access the intranet via ssh. Let us assume, that the host gate.institute.com is the system which allows ssh login from outside and sees myhost. Log in from your laptop mylaptop to gate.institute.com using the command
mylaptop$ ssh 5000:myhost:8100 gate.institute.comThis forwards port 8100 from myhost to mylaptop and can be accessed under the URL
http://localhost:5000It is worth to note, that, being tunneled by ssh, this connection is encrypted and can be assumed to be a safe way to access the repository from outside.
Remote access via ssh
If the repository you want to publish resides at gate.institute.com in the subdirectory myrepo, you can access it via ssh:
hg clone ssh://gate.institute.com/myrepoFor decent handling it is advisable to set up public key authentication and password free login.
Through this approach it is possible to grant remote repository access to others. If you add the public key of your colleague to your .ssh/authorized_keys file, she can clone you repository via
hg clone ssh://yourusername@gate.institute.com/myrepoHowever this would allow your colleague to access all of your data.
SSH and mercurial provide the following mechanism to fix this situation:
In the
.ssh/authorized_keysfile, it is possible to specify along with the public key of another person one single forced command which can be remotely executed by this person.With mercurial, there comes the hg-ssh command which provides the possibility to dispatch mercurial access.
Together this can be configured in .ssh/authorized_keys by prefixing the the public key of your colleague by specifying the forced command along with further security relevant access options:
command="/path/to/hg-ssh myrepo",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvyyza7e8tFrBhNMRd/3w+XL9PIeSNTUC+PcHOQI7kcfk4oTDnfysTkPleM3fM+r588sDRWKa7eivLoZ7NCF3EgMd0HUUVHjWbWZgF7KXylu4dcsDMvANH5BlgWysFqxzaTzy8CX8E03NYSkn5kqzgtnkIm+Z/QzLd4mq48oG9Ns3uPlhU4Wf2XGEqV/6EtLvHgAG/PtUP1kofO74oit2d8BH3fkU0UCMBlZqVCAoefFnR4qg3c18McK3dGhM741dpopeD3E+zaJ55AS9nIZFdbkOZNsrQR+FbzmwkqQDwQ060De5XijqdU3VD64xxHeQeFtgHG/LqAOCaUTzVtKzx fuhrmann@jfzbook.wias-berlin.deUsing the same command as above, your college now has full mercurial access to the myrepo repository. No other access to your account is possible for her. Please be aware that she accesses all files in the repository under your username. When committing, the name she specivies in her .hgrc file is recorded.
For general usage it is advisable to use a special account dedicated only to repository access which differs from your normal working account.
