On Demand

You can run HGKeeper on demand to integrate it directly with an OpenSSH Server. This is accomplished by having a local user on the host, typically named hg, and telling the OpenSSH server to do something specific when that user logs in.

HGKeeper will also be run via this user and all of the repositories will belong to them in the filesystem.


When running in on demand mode HGKeeper needs to be installed in a place where OpenSSH Server can find it. However, since OpenSSH Server is also going to be running it, there are some additional requirements that must be met.

These requirements are that the program:

  • must be owned by root
  • is not writeable by group or others
  • is specified by an absolute path

Luckily for us, something like /usr/local/bin meets all of these requirements and will put it on the $PATH so that we can use it to set up the administration repository later.

So we will just copy the file to /usr/local/bin/ and make sure it has a file mode of 0755:

sudo cp hgkeeper /usr/local/bin/
sudo chown root:root /usr/local/bin/hgkeeper
sudo chmod 0755 /usr/local/bin/hgkeeper

Create The hg User

You can name this user whatever you like, but for the sake of simplicity, we will just be using hg here. We are also going to create an hg group to keep to make sure file permissions remain tight. For most Linux/BSD distributions, you can create the hg user and group with the following commands:

sudo groupadd --system hg
sudo useradd --home-dir /var/lib/hg --create-home --system --gid hg

This is the username that you will need to specify when connecting to the OpenSSH Server and is how we will configure the server to tell it how to serve Mercurial repositories.

Administration Repository

To make life easier, we're going to run the setup command as the hg user. The easiest way to do this is with the following commands:

sudo su hg
cd ~

We changed to the hg user's home directory as this is where we are going to store all of the files. The last line of output should just say hg, which we are using to verify that you did in fact switch to the hg user.

Now that we're in the proper location we can create the administration repository. For this, we'll need an SSH public key of the initial administrator saved in a file, and a name for the administrator. The name is used to determine where to put the public key and by the authentication system.

In this example, we have the administrator's SSH public key in a file named admin.pub in the current directory. We are also giving them a name of me.

hgkeeper setup --admin-pubkey=admin.pub --admin-username=me

Configuring OpenSSH Server

Configuring OpenSSH Server is very straightforward. All we need to do is drop the following snippet into /etc/ssh/sshd_config. Of course, if you customized the install location or username you will have to adjust the snippet.

You may be able to use /etc/ssh/sshd_config.d/hgkeeper.conf but in our testing on Debian unstable we were unable to get it working properly. If you have some pointers here, we'd love to hear them!

Match User hg
    AuthorizedKeysCommand /usr/local/bin/hgkeeper --repos-path=/var/lib/hg/repos/ authorized-keys "%t %k"
    AuthorizedKeysCommandUser hg
    PasswordAuthentication no

Open you've saved the file, you will need to reload OpenSSH Server. This is usually done via sudo service ssh reload but will vary based on your operating system.


You should now be able to clone the hgkeeper administration repo through your normal OpenSSH Server. You can verify this by trying to clone the hgkeeper administration repository with the following command, replacing <my hostname> with the actual hostname of your server:

hg clone ssh://<my hostname>/hgkeeper

If the repository cloned, you are good to go!

If that didn't work, be sure to double check all of your configuration.