Manage SSH keys will accept DSA keys even if opensshd is refusing them #11417
Comments
This can be configured in config https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample#L345
The best solution would be if you can find a command which will allow us to query the running sshd server to check whether it would accept a key.
This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.
This issue has been automatically closed because of inactivity. You can re-open it if needed.
This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.
Having looked at this I really don't think there is a way to get OpenSSHD to tell us if it would accept a public key or not. I would be delighted to be proven incorrect but this is therefore a configuration issue. If your server won't accept DSA keys or any other type of key you need to configure Gitea to refuse them.
The config is part of the docker image?! https://github.com/go-gitea/gitea/blob/master/docker/root/etc/templates/sshd_config
Then that's different, put a pr to change the default in the docker - the file is docker/root/etc/templates/app.ini. The information to set this is in: https://docs.gitea.io/en-us/config-cheat-sheet/#ssh-minimum-key-sizes-sshminimum_key_sizes
Here you go, here's the patch: diff --git a/docker/root/etc/templates/app.ini b/docker/root/etc/templates/app.ini
index 9b23c1270..1ca15e99c 100644
--- a/docker/root/etc/templates/app.ini
+++ b/docker/root/etc/templates/app.ini
@@ -53,3 +53,6 @@ SECRET_KEY = $SECRET_KEY
[service]
DISABLE_REGISTRATION = $DISABLE_REGISTRATION
REQUIRE_SIGNIN_VIEW = $REQUIRE_SIGNIN_VIEW
+
+[ssh.minimum_key_sizes]
+DSA=-1 |
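Review bot: The added `DSA=-1` line at the end of the hunk carries no comment and is written without spaces around `=`, while the context lines above it use `KEY = value` (for example `DISABLE_REGISTRATION = $DISABLE_REGISTRATION`). Suggest `DSA = -1` preceded by a one-line comment saying that -1 disables the key type and that this matches the sshd shipped in the image, which rejects DSA keys. The value is also hardcoded, unlike the neighbouring settings that come from a `$VARIABLE`, so someone whose sshd is configured to accept DSA gets no environment override; the description should say whether that is intended.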
OpenSSH has disabled DSA keys since version 7.0
As the docker runs openssh > v7.0 we should just disable DSA keys by default.

Refers to go-gitea#11417

Signed-off-by: Andrew Thornton <art27@cantab.net>
* Disable DSA ssh keys by default

  OpenSSH has disabled DSA keys since version 7.0
  As the docker runs openssh > v7.0 we should just disable DSA keys by default.

  Refers to #11417

  Signed-off-by: Andrew Thornton <art27@cantab.net>

* Just disable DSA keys by default

  Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

  Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

  Signed-off-by: Andrew Thornton <art27@cantab.net>

* Remove DSA type

* Fix Tests

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
Description
There is no warning if you click "Add Key" and add a valid DSA public key to your account when openssh will not accept it (that has been the default since 7.0). The result is the usual "Permission denied (publickey)" although if you ssh -v you see "not in PubkeyAcceptedKeyTypes".
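An added example, not part of the issue or of Gitea's code: a pre-flight check that compares an uploaded key's type with the PubkeyAcceptedKeyTypes list, which is the mismatch behind the "not in PubkeyAcceptedKeyTypes" message. It assumes the list is taken from `sshd -T` output, which reflects the configuration file rather than the running daemon; the sample output and key lines are constructed, and the function names are hypothetical.

```python
import base64
import struct
from fnmatch import fnmatchcase

# An RSA key may be used with any of these signature algorithms (RFC 8332).
RSA_ALGS = ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512")


def key_type(pubkey_line):
    """Return the key type of '<type> <base64> [comment]', checked against the blob."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a uint32 length followed by the type name.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != declared.encode():
        raise ValueError("declared type does not match key blob")
    return declared


def accepted_patterns(sshd_t_output):
    """Extract the accepted public key list from `sshd -T` style output."""
    for line in sshd_t_output.splitlines():
        name, _, value = line.strip().partition(" ")
        if name.lower() in ("pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms"):
            return [p for p in value.strip().split(",") if p]
    return []


def config_accepts(pubkey_line, sshd_t_output):
    """True if the key's type matches an entry in the accepted list."""
    ktype = key_type(pubkey_line)
    algs = RSA_ALGS if ktype == "ssh-rsa" else (ktype,)
    patterns = accepted_patterns(sshd_t_output)
    return any(fnmatchcase(a, p) for a in algs for p in patterns)


def constructed_key(name):
    """Constructed sample line: type header plus filler bytes, not a usable key."""
    raw = struct.pack(">I", len(name)) + name.encode() + b"\x00" * 16
    return f"{name} {base64.b64encode(raw).decode()} user@example"


# Constructed sample of `sshd -T` output; ssh-dss is absent from the list.
SAMPLE_SSHD_T = """port 22
pubkeyacceptedkeytypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
"""
```

With the sample list, `config_accepts(constructed_key("ssh-dss"), SAMPLE_SSHD_T)` is false, so the key would be flagged before it is stored instead of failing later with "Permission denied (publickey)".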