putty - Accessing a remote mercurial repository through a ssh proxy under windows with tortoisehg

25
2013-11
  • lorenzog

    I have a remote mercurial repository (managed by hg-gateway) on a server. Access to that server is not open to the general public; however, the firewall allows ssh proxying.

    How do I configure a windows client to access that repository with tortoisehg?

    Note that it is different from this, as in that question there is no proxying involved. I am looking for the windows equivalent of

    Host remote-dev
        user mercurialuser
        ProxyCommand ssh -q firewalluser@firewall
    

    for accessing a mercurial repo like

    hg clone ssh://remote-dev/repo
    

    I have found a working solution and I will post it below in the answers for the benefit of the community.

  • Answers
  • lorenzog

    System administration assumptions are at the end of this post.

    1. download & install putty, plink, pageant and puttygen from here
    2. if you don't have a ssh key, launch puttygen and:
      1. if you already have a Linux-generated key:
        1. select 'load an existing private key file'
        2. select appropriate file (must change file extension filter)
        3. insert passphrase
        4. select 'save private key'
      2. else,
        1. select 'generate key'
        2. move mouse randomly
        3. select 'save private key'
        4. select 'save public key'
    3. send your sysadmin the PUBLIC KEY not the private key! (sysadmins: read below)
    4. run a windows command prompt (start > run and type 'cmd') and launch 'pageant.exe'
    5. right-click on the icon in the icon bar, 'add key'
    6. select your PRIVATE key you saved before, insert passphrase
    7. launch putty

      1. into hostname put: your repository server's IP address
      2. save session as 'remote-dev' (any name is ok)
      3. go to connection > proxy
      4. select 'local' for proxy type
      5. proxy hostname: your firewall DNS entry or IP address
      6. port: 22 (or whatever appropriate to ssh into the firewall)
      7. username: hg (or whatever user on the firewall has your public ssh key in .ssh/authorized_keys)
      8. in 'telnet command or local proxy' replace content with 'FULLPATH\plink.exe -v -nc %host:%port %user@%proxyhost' (note: use the FULL path of the plink.exe executable, like c:\plink.exe)
      9. go to connection > data
      10. auto-login username: hg (or whatever user on the repository server has hg-gateway running)
      11. go back to 'session'
      12. click 'save' to save session
      13. click 'open'
      14. you should see something like

        Using username "hg".
        Authenticating with public key "imported-openssh-key" from agent
        Welcome to XXX code repository server!
        Your SSH access is restricted by hg-gateway.
        Summary of repos you have access to:
        
    8. now download & install tortoisehg

    9. launch tortoisehg workbench
    10. file > clone repository
    11. source: ssh://remote-dev/repo-name (remote-dev has to match whatever you called your session in putty!)
    12. destination: pick your local destination
    13. click 'clone'
    14. that's it.

    To allow a user access to the remote repo:

    1. add the public ssh key to .ssh/authorized_keys of user hg on firewall
    2. use hg-gateway to add that user's key to the hg user on server

    A note: putty tends to generate keys in .ppk format; they have to be converted to a one-liner ssh key. Google is your friend here.

    Assumptions:

    1. on the firewall there's a user named 'hg' whose .ssh/authorized_keys file contains the public keys of all the users that must access the repository
    2. the file /etc/ssh/sshd_config of the firewall contains a line similar to:

      Match Group dev
          ForceCommand nc -q0 reposerver_ip 22
      

      so that the user CANNOT specify which hosts to connect to. User 'hg' obviously belongs to unix group 'dev'.
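    Added here as an example, not part of lorenzog's answer: a small POSIX shell audit of the firewall-side sshd_config from the Assumptions section. It assumes the Match block keys on Group as in the answer, and both config files it creates are constructed samples, not the poster's real files. A ForceCommand pins where the user's command channel goes, but on its own it does not stop SSH port, agent or X11 forwarding through the firewall, so the audit also expects AllowTcpForwarding, AllowAgentForwarding and X11Forwarding to be set to no inside the same Match block.

```shell
#!/bin/sh
# Added example (not from the original answer): audit the firewall's
# sshd_config for the restricted "dev" group described under Assumptions.
# ForceCommand pins the destination, but forwarding has to be switched off
# separately, so the check looks for all four directives in the Match block.
# The two config files written below are constructed samples.

# audit_match_block FILE GROUP
#   prints one line per missing hardening directive in "Match Group GROUP";
#   exit status 0 when nothing is missing, 1 otherwise
audit_match_block() {
    awk -v grp="$2" '
        # a Match line opens a new block; note whether it is the one we audit
        /^[[:space:]]*Match[[:space:]]/ {
            inblock = 0
            for (i = 2; i <= NF; i++)
                if ($i == "Group" && $(i + 1) == grp) inblock = 1
            next
        }
        !inblock { next }
        tolower($1) == "forcecommand"                               { fc = 1 }
        tolower($1) == "allowtcpforwarding"   && tolower($2) == "no" { tcp = 1 }
        tolower($1) == "allowagentforwarding" && tolower($2) == "no" { agent = 1 }
        tolower($1) == "x11forwarding"        && tolower($2) == "no" { x11 = 1 }
        END {
            bad = 0
            if (!fc)    { print "missing: ForceCommand";            bad = 1 }
            if (!tcp)   { print "missing: AllowTcpForwarding no";   bad = 1 }
            if (!agent) { print "missing: AllowAgentForwarding no"; bad = 1 }
            if (!x11)   { print "missing: X11Forwarding no";        bad = 1 }
            exit bad
        }
    ' "$1"
}

# count_missing FILE GROUP -> number of missing directives (0 means hardened)
count_missing() {
    audit_match_block "$1" "$2" | wc -l | tr -d ' '
}

# --- constructed samples -------------------------------------------------
weak_cfg=$(mktemp)
hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT

# the answer's minimal block: destination pinned, forwarding still permitted
cat > "$weak_cfg" <<'EOF'
PermitRootLogin no
Match Group dev
    ForceCommand nc -q0 reposerver_ip 22
EOF

# the same block with forwarding disabled; a second Match block follows so
# the audit is seen to stop at the end of the dev block
cat > "$hard_cfg" <<'EOF'
PermitRootLogin no
Match Group dev
    ForceCommand nc -q0 reposerver_ip 22
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
Match User backup
    ForceCommand /usr/bin/rsync --server
EOF

echo "weak config:";     audit_match_block "$weak_cfg" dev || true
echo "hardened config:"; audit_match_block "$hard_cfg" dev && echo "ok"
```

Run it against the real file with `audit_match_block /etc/ssh/sshd_config dev`; the sample run reports three missing directives for the minimal block and none for the hardened one. Matching is done per Match block, so directives set globally or in another block are deliberately not counted.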


  • Related Question

    How to SSH an outside server from a computer which is behind a proxy firewall?
  • Karan

    I access the Internet through an HTTP proxy firewall at college. And I need to login to a computer, via SSH, which is outside our network. I tried it as a Linux command and on Windows using PuTTY. I also configured PuTTY to use our server's address. But still, "Proxy error: 403 forbidden" pops up. They must've blocked SSH access to outside systems (college systems are accessible).

    I can SSH to a web server (not the proxy server) at the college, which I use to browse proxy-free by tunneling. Now this server allows me to browse restricted sites, but still no SSH.

    Any workaround, please?


  • Related Answers
  • shf301

    It may be that the proxy is only allowing access to HTTP/HTTPS ports (80 or 443). I've worked around that by changing the SSH server to listen on port 443. That made the proxy I had to go through allow the connection, but if you can't change the SSH server then you may be out of luck.

  • blahdiblah

    If you can bypass the proxy for web, you can bypass it for SSH by tunneling SSH:

    ssh -L 55555:remote-computer-to-ssh-to:22 login@webserver
    

    and once that's in place:

    ssh -oPort=55555 remote-login@localhost
    

    This will give you an SSH tunnel to the webserver machine, which then forwards your SSH traffic to the remote machine.