SSH scripts

Ludovic Chabant ludovic at chabant.com
Sun Jan 27 04:43:36 UTC 2019


I'm replying to myself after some experimentation, in case anybody
was curious.

> 1.  I need to support read/write vs. read-only access. The hg-ssh
>     script adds hooks on the fly to reject pushes. Instead of doing
>     that, could I patch the hg command (which looks like "hg -R
>     /path/to/repo serve -- stdio") by adding a "--web-conf
>     reject.conf" at the end?

When `hg serve` has `--stdio` as an argument, the command dispatcher
gets super strict and _only_ allows `hg -R /path/to/repo serve --stdio`,
and nothing else. It's kinda weird to me since people who want to secure
their SSH access could check those arguments before it reaches
Mercurial, so I don't know why it's done there, but anyway, we can't
pass anything else. See
https://www.mercurial-scm.org/repo/hg/file/tip/mercurial/dispatch.py#l299


> 2. Why do we need the "prepushkey" hook? Wouldn't the "pretxnopen"
>    hook be sufficient to gate any writing operation to the repo?

This I got no idea -- the tests I did where I'm trying to push various
things seem to always get caught by "pretxnopen" already.


> 3. The documentation for "hg serve" indicates that it refuses push by
>    default, yet, the "hg serve" that's run through SSH seems to allow
>    it... how come?

This seems to be because, again, the `--stdio` argument actually runs "hg serve" in a completely different way than it's usually run. See https://www.mercurial-scm.org/repo/hg/file/tip/mercurial/commands.py#l5264
(it runs an SSH-specific version of the command server, so I assume it's pull/push by default)


In the end, I'm using the contrib/hg-ssh script but it's kinda sad because the environment I'm in is Python3 so I have to shell out to a different process (running Python2) to make it work. I hear there's good progress on Mercurial on Python3 though so hopefully that's temporary.

-- 
 l u d o .
 . 8 0 17 80
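An added example of the gating approach this message describes (not code from the post and not contrib/hg-ssh itself): an authorized_keys forced command that accepts only the exact `hg -R <repo> serve --stdio` form and enforces read-only keys by setting the `pretxnopen` and `prepushkey` hooks through `ui.setconfig`, since the strict dispatcher leaves no room for extra arguments such as `--web-conf`. The script name, the authorized_keys line and the availability of the `mercurial` package under the wrapper's Python are assumptions.

```python
"""hg-gate: forced-command wrapper for Mercurial over SSH (added example, not contrib/hg-ssh).
Constructed authorized_keys line, one per key (mode "ro" or "rw", then the repo):
  command="/usr/local/bin/hg-gate ro /srv/hg/app",no-pty,no-port-forwarding ssh-ed25519 AAAA...
"""
import os
import shlex
import sys

# The two hooks the message discusses. A hook command of "false" exits 1, so
# Mercurial aborts before a transaction opens or a pushkey (bookmark/phase) lands.
READONLY_HOOKS = {"pretxnopen.readonly": "false", "prepushkey.readonly": "false"}

def parse_hg_command(ssh_cmd, allowed_repos):
    """Return the repo path if ssh_cmd is exactly 'hg -R <repo> serve --stdio'
    for an allowed repo, else None. As strict as hg's own --stdio dispatcher,
    so extra options, shell metacharacters and '..' tricks never reach hg."""
    try:
        argv = shlex.split(ssh_cmd)
    except ValueError:  # unbalanced quotes
        return None
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        return None
    repo = os.path.normpath(argv[2])  # "/srv/hg/app/../x" -> "/srv/hg/x"
    return repo if repo in {os.path.normpath(p) for p in allowed_repos} else None

def serve(repo, readonly):
    """Run 'hg -R repo serve --stdio' in-process. Read-only is enforced with
    ui.setconfig rather than extra arguments, because the --stdio dispatcher
    accepts only the bare form. Assumes the 'mercurial' package is importable
    under this interpreter, hence the late import."""
    from mercurial import dispatch, ui as uimod
    req = dispatch.request([b"-R", os.fsencode(repo), b"serve", b"--stdio"])
    if readonly:
        req.ui = uimod.ui.load()
        for name, value in READONLY_HOOKS.items():
            req.ui.setconfig(b"hooks", name.encode(), value.encode(), b"hg-gate")
    return dispatch.dispatch(req)

def main():
    mode, repo_arg = sys.argv[1], sys.argv[2]
    repo = parse_hg_command(os.environ.get("SSH_ORIGINAL_COMMAND", ""), [repo_arg])
    if repo is None:
        sys.exit("hg-gate: illegal command")  # refused before Mercurial ever runs
    sys.exit(serve(repo, mode == "ro"))

if __name__ == "__main__":
    main()
```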