sudo and openssh-server are indeed needed.

snedmail-bin is an extra artifact not related to "Add SSH support"

DevCentral current code:

# NOTE: You must have OpenSSHD 6.2 or newer; support for AuthorizedKeysCommand
# was added in this version.

AuthorizedKeysCommand /opt/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser vcs
AllowUsers vcs

vcs@ seems a little shorter than vcs-user@

To store to /usr/libexec and to avoid. sh suffix is a good idea, so okay for /usr/libexec/ssh-phabricator-hook.

This should be the main SSH server. Rationale is at Wikimedia, there was for the Gerrit installation complaints about how it's difficult to configure firewall for this specific port.

Must be tracked.

PidFile /var/run/sshd-phabricator.pid

+/usr/bin/hg

So Current DevCentral content is:

vcs ALL=(app) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/hg, /usr/bin/svnserve
app ALL=(app) SETENV: NOPASSWD: /usr/lib/git-core/git-http-backend, /usr/bin/hg

Why git and git-http-backend?

/usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/hg, /usr/bin/svnserve

We choose it...

This note isn't useful, we hardcode the path to the Dockerfile.

Current DevCentral version:

#!/bin/sh

VCSUSER="vcs"
ROOT="/opt/phabricator"

if [ "$1" != "$VCSUSER" ];
then
  exit 1
fi

exec "$ROOT/bin/ssh-auth" $@

That must be a runit /service. There is no reason to spawn a server outside the supervisor process.

#!/bin/sh
exec 2>&1
exec /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config.phabricator

A log service is needed too: http://smarden.org/runit/faq.html#createlog

Extra artifact not related to "Add SSH support"

Extra artifact not related to "Add SSH support"