Prevent access to some files in webserver - mercurial/ssh

Question

I have a centos server with code maintained using a mercurial repo. To allow a new person to commit code to mercurial, I create a new user, add them to the webdev group, and they can push / pull code by

hg pull ssh://name@server.com. 

However, there are some files (config files) that I would not like new users to have access to. Mercurial has been asked not to track these files, so the only way to access them is to ssh into the system and look at the files. Which I dont want new users to be able to do.

In essence, I want my new developers to only pull/push files through hg and disallow ssh-ing directly into the system. What the best way to do this? Can I provide hg access to a repo without providing ssh access to the files?

(or is my approach to the problem flawed?)

Thanks!

Answer 1

This can be really easily done by taking advantage of the command option available in .ssh\authorized_keys files. When you're granting their key access in that file you can prepend a "command=...." argument to their key and that's the only command they can run.

Mercurial ships with a handy script for doing exactly that. It has instructions inside:

https://www.mercurial-scm.org/repo/hg/file/tip/contrib/hg-ssh

Answer 2

In term of an authorization layer (similar to Gitolite for Git), you have mercurial-server (not to be mixed up with the Mercurial light-weight web server hgserve)

mercurial-server gives your developers remote read/write access to centralized Mercurial repositories using SSH public key authentication; it provides convenient and fine-grained key management and access control.

See its repository here.

It is based on the same SSH forced-command mechanism than the script mentioned by Ry4an in his answer (+1 on his answer, because it is already packaged with Mercurial).
See for illustration the "mercurial-server" source of refreshauth.py.