
I configured a Mercurial repository on my web server using Apache and hgweb. I understand how to create new user accounts using htdigest but I'd like to know how to enable remote users to change their password. Ideally, I'd create their account with a temporary password, then send them an email inviting them to change it. Users should be able to change their own password, not those of other users (otherwise I'd simply supply them with a shell account).

Can this be done? If so, how?

Helgi
Gili
  • That's why authentication through keys is better :-) – zerkms May 22 '12 at 03:13
  • @zerkms: Link please. Doesn't this require me to use SSH authentication instead of HTTP authentication? Yes, it's more flexible, but a lot harder to configure. Alternatively, couldn't users run htdigest on their side and send me the resulting digest? – Gili May 22 '12 at 03:26
  • yes, you need ssh authentication then. And configuration is trivial with `mercurial-server` – zerkms May 22 '12 at 03:30
  • @zerkms: To quote `mercurial-server`'s website: "Running it on a non-Unix system such as Windows is not supported". I happen to be running under Windows and I expect my users will be too. – Gili May 22 '12 at 03:45
  • it is not related to the clients, only to the server – zerkms May 22 '12 at 03:51
  • @zerkms: Sorry, I should have clarified. My **server** is under Windows. – Gili May 22 '12 at 03:54
  • then probably sending you a hash generated by htdigest is the only option – zerkms May 22 '12 at 03:55
  • If you need extended functionality, why hgweb then? Have you considered using RhodeCode (http://rhodecode.org/)? – Helgi May 22 '12 at 03:59
  • @zerkms: Why does this make SSH key authentication better? Those have the exact same management problem. *Something* or *someone* needs to upload them to the server, and Mercurial won’t do it for you. – Laurens Holst May 22 '12 at 10:09
  • @Laurens Holst: not actually - with keys server administrator doesn't have private key, but to set up new password - he does need to know it – zerkms May 22 '12 at 10:23
  • @zerkms: My question is how users can manage their own passwords without the administrator's intervention. Keys are a nice alternative to htdigest but don't actually answer my question. – Gili May 22 '12 at 12:53
  • @Gili: with keys there is no reason to manage passwords at all – zerkms May 22 '12 at 20:18
  • @zerkms: If you change your private key you need to upload a new public key, right? This either requires manual admin intervention or an upload form (cf. a change password form). – Laurens Holst May 23 '12 at 10:14
  • @Laurens Holst: I cannot think of the reason for changing private key :-S – zerkms May 23 '12 at 11:24
  • Same reason as for changing your password, because it has been compromised? Unlike passwords which only exist in your mind, anyone with an opportunity to access one of your devices can steal your private key. – Laurens Holst May 23 '12 at 12:00

1 Answer


Htdigest is an Apache user configuration file, and in principle managing these is outside the scope of Mercurial itself.

To provide the password change form, you would have to write your own script that manipulates the htdigest file. It shouldn’t be too difficult. As I understand it, each line of this file has the format:

`user:realm:MD5(user:realm:pass)`

Some example code to generate the MD5 hash part of this format can be found here:

http://httpd.apache.org/docs/trunk/misc/password_encryptions.html#digest

Probably you should be able to google for some pre-made scripts that do this, although I was unfortunately not able to quickly find one. I think it is also possible to configure Apache to connect to a pre-existing database that stores passwords in this format, and handle the password management through that.

Alternatively, I would recommend considering repository server packages such as RhodeCode or SCM-Manager, which have built-in support for these kinds of management tasks.

Community
Laurens Holst
  • RhodeCode and SCM-Manager both look excellent. Which is better and why? :) – Gili May 22 '12 at 13:06
  • Haven’t tried either... I think RhodeCode was there first, and it looks prettier :). – Laurens Holst May 22 '12 at 14:08
  • I just tried RhodeCode. Its major advantage (aside from looks) is that each user can manage their own password (I don't believe SCM-Manager provides this). That being said, it was a total pain to install under Windows (the build depends on Visual Studio 2008, no windows service out of the box, etc). – Gili May 26 '12 at 01:12
  • We created a detailed installation guide for installing RhodeCode on windows. http://readthedocs.org/docs/rhodecode/en/latest/installation_win.html#installation-win I hope this will make this step much easier – marcinkuzminski Jun 02 '12 at 13:05
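
The answer above describes a script that rewrites the htdigest file in the `user:realm:MD5(user:realm:pass)` format. The following is an added example, not part of the original answer or of Apache or Mercurial: it changes one user's entry only when the current password matches. The function names, the file name `hg.htdigest`, the realm `hg` and the two accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def ha1(user, realm, password):
    """Third field of an htdigest line: MD5(user:realm:pass) as hex."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

def change_password(path, user, realm, old_pw, new_pw):
    """Rewrite `user`'s own line only if `old_pw` matches; True on success.
    Take `user` from Apache's REMOTE_USER in a real handler, not a form."""
    if not user or not new_pw or any(c in user + realm for c in ":\r\n"):
        return False  # would corrupt the colon/newline-delimited file
    prefix = f"{user}:{realm}:"
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            current = ha1(user, realm, old_pw).encode()
            if not hmac.compare_digest(line[len(prefix):].encode(), current):
                return False  # wrong current password
            lines[i] = prefix + ha1(user, realm, new_pw)
            break
    else:
        return False  # no such user in this realm
    # Write a sibling temp file and swap it in, so Apache never reads a
    # half-written file and a crash leaves the old one intact.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8", newline="\n") as f:
        f.write("\n".join(lines) + "\n")
    os.replace(tmp, path)
    return True

def demo():
    """Constructed two-user file; alice changes her temporary password."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "hg.htdigest")
    with open(path, "w", encoding="utf-8") as f:
        f.write(f"alice:hg:{ha1('alice', 'hg', 'temp-pw')}\n")
        f.write(f"bob:hg:{ha1('bob', 'hg', 'bobs-pw')}\n")
    ok = change_password(path, "alice", "hg", "temp-pw", "new-pw")
    with open(path, encoding="utf-8") as f:
        return ok, f.read().splitlines()

if __name__ == "__main__":
    print(demo())
```

Two simultaneous changes can still race between the read and the replace, so serialize calls with a lock if several users may submit at once.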