A Private Mac Mercurial Server with SSH Key Authentication

-
Now, a private Mac Mercurial server with SSH key authentication was set up.


I already pushed my main project to the server and updated it at the server side, so repository migration has started without a hitch. But I didn't migrate the subprojects of the main project and some lingering/untended/rogue projects to the server, because they have their own choices of VCSs or none at all: I already smells a trouble, a delicious one. I know there are inter-VCS plugins out there for Mecurial, I'm looking forward using them.


So, assuming you have an administrative privilege, here are instructions of how to set up a private SSH Mercurial server.


Equip Yourself Head to Toe


First, install MacPorts at the server side. That will save a lot and lot of time in the future. If you prefer, you can also get a GUI app for MacPorts, such as Porticus or Pallet. But personally, if you decided to put yourself into these sever thingies, you should get accustomed to CLI: these GUI apps do not provide all the info CLI can provide.

After the installation, in Terminal.app at the server side, type:
sudo port selfupdate
sudo port install mercurial +bash_completion
sudo mkdir -p <repo_base_dir>
sudo chown -R <username> <repo_base_dir>
sudo chmod 750 <repo_base_dir>
  1. Updates the MacPorts system.
  2. Install Mercurial with a Bash command completion capability.
  3. Create a base directory <repo_base_dir> to contain Mercurial central repositories (e.g. ~/hg-repos).
  4. Change the ownership of the base directory tree to <username>. Because this is for a private Mercurial server setup, <username> can just be your account's user name at the server side.
  5. Change the permission of <repo_base_dir>. The owner (you) have full permission, group have only read and execute permissions, and the other does not have any permission at all.

You Got My Back, SSH

System Preferences » Sharing

Now, go to System Preferences » Sharing, and turn on "Remote Login." It will make OS maintain a SSH daemon, meaning SSH becomes active. And now, SFTP is also active.

Now, back to the client side. Password authentication is considered highly insecure, so let's use public/private key authentication: it's something like a split tally in a digital and non-human-friendly form.
cp -R ~/.ssh ~/.ssh.bk
cd ~/.ssh
ssh-keygen -t rsa -b 8192
/usr/bin/ssh-add -K <path_to_private_key_file>
  1. Create a backup of SSH resources for precaution. If "~/.ssh" does not exist, create one by mkdir ~/.ssh.
  2. Change the current directory to "~/.ssh" .
  3. Start a ssh-keygen interactive session creating a 8192-bit RSA key pair. Key generation takes some time, so be patient here (it's not alarmingly long though). When you are asked the base filename for private and public key files, you can just use the default, or distinguish it from ones from existing key pairs. And finally, set a passphrase for an additional security.
  4. Register the generated RSA key pair to the SSH authentication agent. You are asked to type the passphrase of the RSA key pair, and hopefully this will be the last time you type it: it's registered to Mac OS X's "Keychain Access.app," saving us from typing it system-wide (Mac OS X 10.5 Leopard or later?).

Now, you should have a public key file (e.g. id_rsa.pub). Execute the following command:
sftp <remote_host_user_name>@<hg_server>
cd ~/.ssh
put <pub_key_file>
exit
  1. Start a SFTP session. <remote_host_user_name> must be the user name you chose at the line 4 of the previous snippet. <hg_server> is the host name or IP address of the Mercurial server.
  2. Change the current directory to "~/.ssh" . If it does not exist, create one by mkdir ~/.ssh.
  3. Upload the public key file <pub_key_file> to the Mercurial server.
  4. Exit the SFTP session.

Final Push


So, the end is nigh.
ssh <remote_host_user_name>@<hg_server>
cp -R ~/.ssh ~/.ssh.bk
cd ~/.ssh
cat <pub_key_file> >> authorized_keys
sudo perl -i.bk -pe "s/^[#\s\t]*(RSAAuthentication|PubkeyAuthentication)[\t\s]+(yes|no)/\1 yes/; s/^[#\s\t]*(AuthorizedKeysFile)[\t\s]+.*/\1 \.ssh\/authorized_keys/" /etc/sshd_config
exit
  1. Start a SSH session just like the last SFTP session.
  2. Again like in the client side, backup "~/.ssh" for precaution.
  3. Change the current directory to "~/.ssh" .
  4. Concatenate the public key file <pub_key_file> to the end of "authorized_keys" .
  5. Edit the configuration file of the SSH daemon using Perl's regex functionality. Authentication using a RSA key is enabled, and the file containing public keys of authorized users is specified. The old configuration file is backed up with name suffix ".bk" .
  6. Exit the SSH session.

Phew, finally!
Now, you can use something like the following:
hg init ssh://<username>@<hg_server>/<base_path>/<new_repo>
hg clone ssh://<username>@<hg_server>/<base_path>/<repo>

A relative or absolute path can be used in <base_path>. For a relative path, the working directory is the home directory of <username>. When you use an absolute path, it will look like ssh://Shig@hg-server.org//Users/Shig/hg-repos/test.hg.

Hmm, I feel something's missing. Oh yeah, a conclusion… Ahem, this is the end of this article.

Comments

Post a Comment

Popular posts from this blog

Hardcoding Data Like Images and Sounds into HTML or CSS

-
Image
Do you know Data URI scheme ? With this, you can hardcode virtually any kind of digital information media into a document. Okay, "virtually any kind of" was a little bit unreasonable; "almost all browser-supported" is appropriate, such as images, sounds and movies. The format below defines a data URI (we need to use safe URL characters; see also " Recommendations for Delimiting URI in Context " for delimiting a long URI): data:[<MIME-type>][;charset=<encoding>][;base64],<data> URL is used to locate various resources, for example web browsers can't live without these URLs, and URI is a conceptual superset of URL. And protocols defined by data URI scheme provide a standardized way to hardcode certain data, such as JPEG, PNG, MP3, Ogg etc. With this scheme we can hardcode data inside virtually all kinds of source code from interpreted languages like HTML, XML, CSS, JS, Ruby, PHP or even from compiled languages like C, C++,
« Read More »

Make It Work: Global .gitattributes

-
Image
Git is the vanguard of distributed VCSs, and as a matter of course, it provide a way to perform diff or merge on certain files while intermediately treating them as documents of a certain other format. By reflecting appropriate changes to configuration and attributes of git as described in " Git - Git Attributes ," you can set up this intermediate conversion for files of your choice while in diff or merge process. This is best described with an example. Say, there exists a file format called "property list" (hereinafter plist) in Mac, and it can come in 3 forms: XML, binary or JSON (it's not exactly JSON, but is similar to it). To perform diff or merge on files of this type in a consistent way, use command plutil  provided by Mac OS X (or an open-source, GPL-licensed alternative libplist ). Then take the following 2 steps.
« Read More »

Xcode: Easy Shared & Static Lib Management and Linking

-
Image
In Xcode, you can add existing frameworks (binary shared/static libraries or Apple's packaged framework) to a target in your project by choosing from the framework list or drag'n'drop from Finder. Several libraries under "Frameworks" group (e.g. libBusted.a) Benefit of doing this is obvious: you can manage and see what libraries your program is linked to. However, after doing that, I noticed one thing. Xcode does not link shared/static libraries in a simple way like: gcc -o qux libfoo.dylib libbar.a buz.o Instead, when libraries are going to be added, Xcode obtains paths to the directories containing these libraries, and appends these to the build setting "Library Search Path" of the target. So that the actual linking looks like: gcc -L/path/to/foobar -o qux -lfoo libbar.a buz.o Compared to the former, even though orthodox, linking in the latter is indirect. I like the former method because it's simple and error-free even though it somewh
« Read More »