It is possible to use OpenSSH as a reverse proxy to HGKeeper's SSH server. There are a number of reasons you may want to do this: you don't want to expose HGKeeper to your network or the internet, you want to use your existing OpenSSH server so you don't need to specify a different port, or maybe you have another reason we can't think of right now.
For this to work, you will need to specify the
via the command line or its environment variable counterpart. If you're running
on a port other than
22222 you'll need to do the same with
You will also need
curl installed on the machine running the OpenSSH Server.
You can name this user whatever you like, but for the sake of simplicity, we
will just be using
hg here. We are also going to create an
hg group to keep
to make sure file permissions remain tight. For most Linux/BSD distributions,
you can create the
hg user and group with the following commands:
    sudo groupadd --system hg
    sudo useradd --home-dir /var/lib/hg --create-home --system --gid hg hg
This is the username that you will need to specify when connecting to the OpenSSH Server and is how we will configure the server to tell it how to serve Mercurial repositories.
SSH Known Hosts
Before we update the OpenSSH Server to do the remote proxy, we need to store
HGKeeper's public host keys in our
known_hosts file. The
easiest way to do this is to open a shell as the
hg user and use
ssh-keyscan to acquire the keys.
You can use the following commands to accomplish this. Make sure to swap in the
proper values for
<external-port> for your
    sudo su hg
    # Create ~/.ssh if the new account does not have one yet.
    mkdir -p -m 700 ~/.ssh
    ssh-keyscan -H -p <external-port> <external-hostname> | tee -a ~/.ssh/known_hosts
Configuring OpenSSH Server
Configuring OpenSSH Server is very straightforward. All we need to do is drop
the following snippet into
/etc/ssh/sshd_config. Of course, if you customized the
hg username you will have to adjust the snippet.
You may be able to use
/etc/ssh/sshd_config.d/hgkeeper.conf but in our
testing on Debian unstable we were unable to get it working properly. If you
have some pointers here, we'd love to hear them!
In the following snippet, be sure to replace
<external-http-port>, and the
hg user with the proper values for your environment.
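    Match User hg
        # %f is replaced by sshd with the fingerprint of the key being offered.
        AuthorizedKeysCommand /usr/bin/curl -q --get --data-urlencode "fp=%f" http://<external-hostname>:<external-http-port>/hgk/authorized_keys
        # Run the lookup as the unprivileged hg user.
        AuthorizedKeysCommandUser hg
        PasswordAuthentication no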
Once you've saved the file, you will need to reload OpenSSH Server. This is
usually done via
sudo service ssh reload but will vary based on your
You should now be able to clone the
hgkeeper administration repository
through your existing OpenSSH Server. You can use the following command to
verify that everything has been set up correctly.
hg clone ssh://email@example.com/hgkeeper
If the repository cloned, you are good to go!
If that didn't work, be sure to check the logs from your OpenSSH Server as well as your HGKeeper instance, and be sure to double check your configuration.
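When comparing the logs against the AuthorizedKeysCommand snippet above, it helps to know exactly what request OpenSSH makes. The following is an added example, not part of HGKeeper or its documentation: it computes the fingerprint that sshd substitutes for %f and the URL that curl ends up requesting. It assumes sshd's default SHA256 fingerprint hash; the sample key and the hgkeeper.example:8080 address are constructed placeholders.

```python
import base64
import hashlib
import struct
from urllib.parse import parse_qs, quote, urlsplit


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint(pubkey_line: str) -> str:
    """Return the SHA256 fingerprint sshd substitutes for %f by default."""
    key_type, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with its own key type; reject lines where they disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def lookup_url(base: str, fp: str) -> str:
    """Build the URL that `curl --get --data-urlencode "fp=..."` requests."""
    return f"{base}?fp={quote(fp, safe='')}"


def received_fp(url: str) -> str:
    """Decode the query the way a standard form decoder would."""
    return parse_qs(urlsplit(url).query)["fp"][0]


# Constructed sample key: 32 fixed bytes, not a key anyone uses.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " sample"
# Placeholder standing in for <external-hostname>:<external-http-port>.
BASE = "http://hgkeeper.example:8080/hgk/authorized_keys"

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_KEY)
    url = lookup_url(BASE, fp)
    print("fingerprint:", fp)
    print("request URL:", url)
    print("server sees:", received_fp(url))
    # Without URL encoding, a "+" in the fingerprint is decoded as a space.
    print("unencoded  :", received_fp(f"{BASE}?fp=SHA256:ab+cd/ef"))
```

The fingerprint it prints for a real public key line should match the `SHA256:` value that `ssh-keygen -lf` reports for the same key.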