P2D2::MacHg can't accept passwords for SSH connections.

Issue #218 resolved
Edward Rustin
created an issue

I've got a repo set up on a server that I can only connect to via SSH.

I can SSH and use hg from the command line without entering a password, having set up passwordless connecting with ssh-agent, but it doesn't work when using MacHG in the GUI or if I try and 'Test in Terminal'

From a normal terminal - {{{ ed@Alfred ~ $ hg identify --noninteractive --rev tip ssh://erhgrepo@eruditemonkey.com/Repo/Projects 15dcaaa9b5fb ed@Alfred ~ $ }}}

From 'Test in Terminal' -

{{{ Last login: Sun Mar 20 21:16:11 on ttys003 ed@Alfred ~ $ cd /tmp ed@Alfred /tmp $ alias mhg='/Applications/MacHg.app/Contents/Resources/localhg' ed@Alfred /tmp $ alias chg='HGPLAIN=1 HGENCODING=UTF-8 HGRCPATH="/Users/ed/Library/Application Support/MacHg/hgrc" /Applications/MacHg.app/Contents/Resources/localhg' ed@Alfred /tmp $ chg identify --cwd /tmp --insecure --noninteractive --rev 0 ssh://erhgrepo:***@eruditemonkey.com/Repo/Projects erhgrepo:***@eruditemonkey.com's password:

}}}

If I try to use those exact same commands in a normal terminal it fails as well - so it seems like the copy of HG inside MacHG isn't using the key set up with ssh-agent for some reason.

Any ideas appreciated!

Comments (20)

  1. Jason Harris repo owner

    You likely have something in your .hgrc file which is letting this work. Can you open the preferences in MacHg and click on the advanced tab and click the checkbox: twidle/.hgrc Include in HGRC path to on.

    Then try this again. And tell me what you find...

    (likley a dup of #216)

    Thanks! Jas

  2. Edward Rustin reporter

    I don't think it is related to my .hgrc - I've tried including it and there's no change. Looking through my .hgrc I'm not seeing anything that would be related to SSH auth in any case - that's all handled externally of hg isn't it?

    The entirety of my .hgrc is -

    [auth]
    antiquity.prefix = antiquity-game.googlecode.com/hg
    antiquity.username = ed.well.com
    antiquity.password = *******
    antiquity.schemes = https
    
    [ui]
    editor = nano
    username = ESR <ed@well.com>
    
  3. Jason Harris repo owner

    Hmmm... That is very strange. Which version of hg are you using then from the command line...

    Eg execute

      hg version
    

    Can I get you to change your local version of mercurial to the one MacHg is using, ie 1.7.5 and see if you can still use ssh commands just fine using that? (download available at http://mercurial.berkwood.com/)

    (I think you are definitely correct about the .hgrc. Just to be on the paranoid side can I get you to verify that your .hgrc has nothing to do with this by temporarily changing your .hgrc file to something else eg .savedhgrc and then testing eg a 'hg clone ssh:erhgrepo@eruditemonkey.com/Repo/Projects' from the command line.)

    Can I get you to also try the same command without the --insecure option...?

    In what you have posted above just to confirm when its asking for your password, the password you are giving is the exact one that is in the URL. (Ie the one you have replaced by * is the same one you type in right?)

  4. Edward Rustin reporter

    hg version

    gives

    Mercurial Distributed SCM (version 1.8.1+20110310)

    and removing my .hgrc file has no effect, I can run hg clone without needing a password.

    I tried the chg command as in my initial post but without the --insecure option and it still asked for a password (and yes, I'm using the right password!).

    I'll try 1.7.5, but it will have to wait until I'm home this evening as I've only got SSH access to the box while I'm at work.

  5. Jason Harris repo owner

    Ok, first thanks for confirming that it has nothing to do with the .hgrc file.

    Second, its looking more and more like a Mercurial thing I think. So just to confirm then:

    The following asks for the password:

    chg identify --cwd /tmp --noninteractive --rev 0 ssh://erhgrepo:******@eruditemonkey.com/Repo/Projects
    

    The following does not ask for the password:

    hg identify --cwd /tmp --noninteractive --rev 0 ssh://erhgrepo@eruditemonkey.com/Repo/Projects
    

    So then if I may get you to try what is the status of "asking for the password" in :

    chg identify --cwd /tmp --noninteractive --rev 0 ssh://erhgrepo@eruditemonkey.com/Repo/Projects
    

    and in

    hg identify --cwd /tmp --noninteractive --rev 0 ssh://erhgrepo:******@eruditemonkey.com/Repo/Projects
    

    (Where of course the * is replaced by your actual real password, the same as the one you use for your ssh-agent)

    Cheers, Jas

  6. Edward Rustin reporter

    Ah, I might have found a solution!

    chg identify --cwd /tmp --noninteractive --rev 0 ssh://erhgrepo:******@eruditemonkey.com/Repo/Projects

    asks for a password.

    hg identify --cwd /tmp --noninteractive --rev 0 ssh://erhgrepo@eruditemonkey.com/Repo/Projects

    does not, and neither does

    chg identify --cwd /tmp --noninteractive --rev 0 ssh://erhgrepo@eruditemonkey.com/Repo/Projects

    so it seems as though having a password in there is what's breaking it when ssh-agent doesn't require one.

  7. Jason Harris repo owner

    hmmm... This seems like a bug in Mercurial itself. Mercurial should not be asking for your password again if you specify it in the URL.

    Could I get you to do me the big favor of reporting this to the main Mercurial bug tracker:

    http://mercurial.selenic.com/bts/

    I'll get you to do it since you have ssh-agent set up and working. And they might want to ask you questions about it, etc. (I have been meaning to play with this at one stage or another, but still haven't got around to it...)

    (include a reference to this bug report.)

    (BTW you don't need to backgrade to 1.7.5 to test this now. If Mercurial 1.8.1 is asking for a password when its already included in the URL then as far as I can tell this is definitely a bug.)

    Thanks, Jason

  8. Edward Rustin reporter

    In 1.8.1 you can't have a password in the URL in any case, so it seems like it's a bug with the version of HG that you're using in MacHG

    ed@Alfred ~/hgtemp $ hg identify --cwd /tmp --noninteractive --rev 0 ssh://erhgrepo:******@eruditemonkey.com/Repo/Projects abort: password in URL not supported!

  9. Jason Harris repo owner

    Wow... It looks like you can't include the password in the URL for ssh. I always set up my ssh sessions to be passwordless through authorized_keys but its kind of amazing to see this at this late stage...

    But sure enough if I try to do an ssh session and include the password in the URL, ssh still asks me for the password. Bizarre. This makes it a MacHg bug again.

  10. Edward Rustin reporter

    I think it's related to the version of Mercurial - I tried it against a different server to the same effect (as in "abort: password in URL not supported").

    Out of interest, is there any particular reason why you've not updated the HG version in MacHG?

  11. Jason Harris repo owner

    Yes. I usually keep a version behind due to unexpected things which crop up in the real world using the latest Mercurial versions. Eg there was a regression in 1.8.0 which was fairly bad to do with merging. Because of this they released 1.8.1. The same thing happened with 1.7.3, and 1.7.4, where there was a fairly abrupt change (to say the least) to authentication. I will likely update to 1.8.2 when its out. But it can require large changes. Eg bookmarks were moved into Mercurial core for 1.8.0 and I think my mercurial extension combinedinfo will need reworking.

  12. Log in to comment