mercurial-server gives your developers remote read/write access to centralized
Mercurial repositories using SSH public key authentication; it provides
convenient and fine-grained key management and access control.

All of the repositories controlled by mercurial-server are owned by a single
user (the "hg" user in what follows), but many remote users can act on them,
and different users can have different permissions. We don't use file
permissions to achieve that - instead, developers log in as the "hg" user
when they connect to the repository host using SSH, using SSH URLs of the
form "ssh://hg@repository-host/repository-name". A restricted shell prevents
them from using this access for unauthorized purposes. Developers
are authenticated only using SSH keys; no other form of authentication is
supported.

To give a user access to the repository, place their key in an
appropriately-named subdirectory of "/usr/lcoal/etc/mercurialserver/keys"
and run "refresh-auth". You can then control what access they have to what
repositories by editing the control file
"/usr/local/etc/mercurialserver/access.conf", which can match the names of
these keys against a glob pattern.

For convenient remote control of access, you can instead (if you have the
privileges) make changes to a special repository called "hgadmin", which
contains its own "access.conf" file and "keys" directory. Changes pushed to
this repository take effect immediately. The two "access.conf" files are
concatenated, and the keys directories merged.

WWW: http://www.lshift.net/mercurial-server.html