Allowing Mercurial access but disallowing SSH
I've set up a Mercurial server on a Linux machine and it works fine. Users can, for example, push and pull to it using something like:
hg push ssh://...
Users can also ssh into the server.
For some users I'd like to restrict access so they can only access Mercurial.
How would I go about this?
Solution 1:
What you're really asking is this. This is exactly what Gitorious does for git -- it runs via a command= entry in the ssh keys file and ensures that only git operations can be performed using the ssh key. The linked question asks about Gitorious-like software for Mercurial. Not being a Mercurial user, I can't comment on the quality of the answers.
Solution 2:
Mercurial comes with a script for exactly this! Use the contrib/hg-ssh script we provide to restrict the commands. The file contains this header to explain how to use it:
To be used in ~/.ssh/authorized_keys with the command option, see sshd(8):
command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ...
(probably together with these other useful options: no-port-forwarding,no-X11-forwarding,no-agent-forwarding)
This allows pull/push over SSH from/to the repositories given as arguments.
If all your repositories are subdirectories of a common directory, you can allow shorter paths with:
command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2"
You can use pattern matching of your normal shell, e.g.:
command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}"
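
An added example, not part of the answer above or of Mercurial: a Python check for an authorized_keys file in which every key is meant to be Mercurial-only, flagging entries that lack an hg-ssh forced command or the forwarding options the header lists. The function names and sample entries are constructed, the hg-ssh test is a heuristic, and the OpenSSH restrict option is assumed to be an acceptable substitute for the three no-* options.

```python
# Options the hg-ssh header suggests next to command= (option names are case-insensitive).
SUGGESTED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}

def split_options(line):
    """Return (options, rest); quoted values may hold spaces and commas, e.g. {mercurial,foo}."""
    line = line.strip()
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return {}, line  # line begins with the key type: no options field
    opts, i, quoted, start = {}, 0, False, 0
    while i <= len(line):
        c = line[i] if i < len(line) else " "  # sentinel closes the last token
        if quoted and c == "\\":
            i += 1  # skip the escaped character inside a quoted value
        elif c == '"':
            quoted = not quoted
        elif not quoted and c in ", ":
            name, _, value = line[start:i].partition("=")
            opts[name.lower()] = value[1:-1] if value.startswith('"') else value
            if c == " ":
                break  # first unquoted space ends the options field
            start = i + 1
        i += 1
    return opts, line[i:].strip()

def audit(text):
    """List (line number, problem) for keys not confined the way the header describes."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts, _ = split_options(raw)
        # Heuristic: the last '&&' step must be hg-ssh (covers 'cd ... && hg-ssh ...').
        words = opts.get("command", "").split("&&")[-1].split()
        if not words or words[0].rsplit("/", 1)[-1] != "hg-ssh":
            findings.append((number, "no hg-ssh forced command"))
        elif "restrict" not in opts and (missing := SUGGESTED - set(opts)):
            findings.append((number, "missing " + ",".join(sorted(missing))))
    return findings

SAMPLE = """\
# constructed sample entries; key material is a placeholder
command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAplaceholder thomas
command="hg-ssh path/to/repo1" ssh-ed25519 AAAAplaceholder anna
ssh-ed25519 AAAAplaceholder bob
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
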