--- a/mercurial/sshrepo.py	Wed Feb 23 00:25:18 2011 +0100
+++ b/mercurial/sshrepo.py	Wed Feb 23 11:42:41 2011 +0100
@@ -29,6 +29,8 @@
             self._abort(error.RepoError(_("couldn't parse location %s") % path))
 
         self.user = m.group(2)
+        if self.user and ':' in self.user:
+            self._abort(error.RepoError(_("password in URL not supported")))
         self.host = m.group(3)
         self.port = m.group(5)
         self.path = m.group(7) or "."

--- a/tests/test-ssh.t	Wed Feb 23 00:25:18 2011 +0100
+++ b/tests/test-ssh.t	Wed Feb 23 11:42:41 2011 +0100
@@ -269,6 +269,13 @@
   date:        Thu Jan 01 00:00:00 1970 +0000
   summary:     z
   
+
+passwords in ssh urls are not supported
+
+  $ hg push ssh://user:erroneouspwd@dummy/remote
+  abort: password in URL not supported!
+  [255]
+
   $ cd ..
   $ cat dummylog
   Got arguments 1:user@dummy 2:hg -R nonexistent serve --stdio