Hello,

I'm testing sr.ht locally and I had some issues with the mercurial service. My testing machine runs Alpine Linux 3.17, I've installed *sr.ht packages as described in the documentation. After installing the hg.sr.ht package, tweaking /etc/sr.ht/config.ini and initializing the database with the provided schema, I started the needed services with rc-service(8). I've also modified the nginx config to match my configuration. The mercurial web service worked correctly, I was able to create a new empty repository.

When it came to cloning and pushing to that repository, I faced some issues. First of all, the dedicated 'hg' user's account is disabled, which is expected for a system user like this. Because of that, the 'hg clone' command failed with this message (the actual domain replaced with example.com for privacy reasons):

```
remote: email@example.com: Permission denied (publickey,keyboard-interactive).
abort: no suitable response from remote hg
```

In /var/log/messages I found these lines:

```
Jan 1 00:00:00 localhost auth.info sshd[xxxxx]: User hg not allowed because account is locked
Jan 1 00:00:00 localhost auth.info sshd[xxxxx]: Connection closed by invalid user hg x.x.x.x port xxxxx [preauth]
```

Maybe my sshd is not configured correctly, but here are the relevant bits from my /etc/ssh/sshd_config:

```
PasswordAuthentication no
UsePAM no
AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
AuthorizedKeysCommandUser=root
PermitUserEnvironment=SRHT_*
```

Everything else is kept at default values. Sshd rejects users with an empty password, but it can permit login for users with a password set to '*', so I've changed hg's password to this value:

```
# echo 'hg:*' | chpasswd
```

After this change, the error messages also changed. hg push says this (the second message appears after a second or two):

```
pushing to ssh://firstname.lastname@example.org/~user/test
abort: no suitable response from remote hg
```

And here are the lines from /var/log/messages:

```
Jan 1 00:00:00 localhost auth.info sshd[xxxxx]: Accepted publickey for hg from x.x.x.x port xxxxx ssh2: ED25519 SHA256:XXXXXXXXXXX
Jan 1 00:00:00 localhost auth.info sshd[xxxxx]: Received disconnect from x.x.x.x port xxxxx:11: disconnected by user
Jan 1 00:00:00 localhost auth.info sshd[xxxxx]: Disconnected from user hg x.x.x.x port xxxxx
```

I tried ssh -T email@example.com, which resulted in the following message:

```
This account is not available
```

Then I found out that the hg user doesn't have a valid shell, it is set to use /sbin/nologin (and the sr.ht-apkbuilds repo confirms that). When I changed hg's shell to /bin/sh, push and pull through ssh worked.

So my question is: is this a packaging bug? I'm thinking that if that user's shell were set to /bin/sh in the post-install script, the issues I've described wouldn't happen. Or maybe administrators are supposed to do the things I've described (changing the user's password and shell)?

Next question is: has anybody faced these issues when installing hg.sr.ht from packages?

Anyway, thanks in advance for any comments on this.

---
best regards,
la ninpre.
> So my question is: is this a packaging bug? I'm thinking that if
> that user's shell would be set to /bin/sh in the post-install script,
> the issues I've described wouldn't happen. Or maybe administrators are
> supposed to do things I've described (changing user's password and
> shell)?

It does indeed look like a bug in the post-install script. I can't say why it was written like this since I'm running my sourcehut instance on Ubuntu and not Alpine, but the similar post-install script for git.sr.ht does set up the git user with /bin/sh. It apparently used to be /sbin/nologin, but was changed to /bin/sh with:

https://git.sr.ht/~sircmpwn/sr.ht-apkbuilds/commit/a411788b6c2472b4a74a5cc96c2d72e6400be206#sr.ht/git.sr.ht/git.sr.ht.post-install

It seems reasonable to me to change it for the hg user too, unless someone knows more.
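
The two failures diagnosed in this thread (sshd's "account is locked" rejection, then the /sbin/nologin shell) can be checked for directly from the passwd and shadow entries. The script below is an added example, not part of the thread or of the sr.ht packages; it assumes that sshd with `UsePAM no` treats a shadow password field beginning with `!` as locked, and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a service account the way the thread's two
# failures showed up. Assumption: with UsePAM no, sshd treats a shadow
# password field beginning with '!' as a locked account.

# Print field N of USER's entry in a colon-separated FILE (empty if absent).
entry_field() {
    awk -F: -v u="$1" -v n="$3" '$1 == u { print $n; exit }' "$2"
}

# check_account USER PASSWD_FILE SHADOW_FILE
# Prints one of: missing | locked | noshell | ok
check_account() {
    user=$1; passwd_file=$2; shadow_file=$3
    if [ -z "$(entry_field "$user" "$passwd_file" 1)" ]; then
        echo missing; return 0
    fi
    pwfield=$(entry_field "$user" "$shadow_file" 2)
    shell=$(entry_field "$user" "$passwd_file" 7)
    case $pwfield in
        '!'*) echo locked; return 0 ;;   # "User hg not allowed because account is locked"
    esac
    case $shell in
        */nologin|*/false) echo noshell; return 0 ;;  # "This account is not available"
    esac
    echo ok
}

# Constructed sample entries (uid, home directory and dates are made up).
write_samples() {
    printf 'hg:x:101:101:hg.sr.ht:/var/lib/hg:/sbin/nologin\n' > "$1/passwd.nologin"
    printf 'hg:x:101:101:hg.sr.ht:/var/lib/hg:/bin/sh\n'       > "$1/passwd.sh"
    printf 'hg:!:19358:0:99999:7:::\n' > "$1/shadow.locked"
    printf 'hg:*:19358:0:99999:7:::\n' > "$1/shadow.star"
}

# Stand-alone use (reading /etc/shadow needs root): sh check.sh hg
if [ "$#" -ge 1 ]; then
    check_account "$1" "${2:-/etc/passwd}" "${3:-/etc/shadow}"
fi
```

The check stops at the first problem it finds, so an account that is both locked and set to nologin reports `locked` first, matching the order in which the errors appeared in the thread.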