Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Manage SSH keys will accept DSA keys even if opensshd is refusing them #11417

Closed
2 of 7 tasks
bjj opened this issue May 15, 2020 · 11 comments · Fixed by #13056
Closed
2 of 7 tasks

Manage SSH keys will accept DSA keys even if opensshd is refusing them #11417

bjj opened this issue May 15, 2020 · 11 comments · Fixed by #13056
Labels
issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea

Comments

@bjj
Copy link

bjj commented May 15, 2020

  • Gitea version (or commit ref): 1.12.0+dev-320-g4a04740da (docker image d0d4dd915d2e)
  • Git version:
  • Operating system: Docker on a Synology NAS
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

There is no warning if you click "Add Key" and add a valid DSA public key to your account when openssh will not accept it (that has been the default since 7.0). The result is the usual "Permission denied (publickey)" although if you ssh -v you see "not in PubkeyAcceptedKeyTypes".

Screenshots

@CirnoT
Copy link
Contributor

CirnoT commented May 15, 2020

This can be configured in config https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample#L345
Perhaps we should consider updating defaults if that is the case however?

@bjj

This comment has been minimized.

@zeripath
Copy link
Contributor

The best solution would be if you can find a command which will allow us to query the running sshd server to check whether it would accept a key.

@zeripath

This comment has been minimized.

@stale
Copy link

stale bot commented Jul 18, 2020

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

@stale stale bot added the issue/stale label Jul 18, 2020
@stale
Copy link

stale bot commented Aug 1, 2020

This issue has been automatically closed because of inactivity. You can re-open it if needed.

@stale stale bot closed this as completed Aug 1, 2020
@zeripath zeripath reopened this Aug 1, 2020
@stale stale bot removed the issue/stale label Aug 1, 2020
@stale
Copy link

stale bot commented Oct 4, 2020

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

@stale stale bot added issue/stale and removed issue/stale labels Oct 4, 2020
@zeripath
Copy link
Contributor

zeripath commented Oct 5, 2020

Having looked at this I really don't think there is a way to get OpenSSHD to tell us if it would accept a public key or not. I would be delighted to be proven incorrect but this is therefore a configuration issue.

If your server won't accept DSA keys or any other type of key you need to configure Gitea to refuse them.

@bjj
Copy link
Author

bjj commented Oct 5, 2020

@zeripath
Copy link
Contributor

zeripath commented Oct 5, 2020

Then that's different, put a pr to change the default in the docker - the file is docker/root/etc/templates/app.ini.

The information to set this is in:

https://docs.gitea.io/en-us/config-cheat-sheet/#ssh-minimum-key-sizes-sshminimum_key_sizes

@zeripath
Copy link
Contributor

zeripath commented Oct 5, 2020

Here you go, here's the patch:

diff --git a/docker/root/etc/templates/app.ini b/docker/root/etc/templates/app.ini
index 9b23c1270..1ca15e99c 100644
--- a/docker/root/etc/templates/app.ini
+++ b/docker/root/etc/templates/app.ini
@@ -53,3 +53,6 @@ SECRET_KEY   = $SECRET_KEY
 [service]
 DISABLE_REGISTRATION = $DISABLE_REGISTRATION
 REQUIRE_SIGNIN_VIEW  = $REQUIRE_SIGNIN_VIEW
+
+[ssh.minimum_key_sizes]
+DSA=-1

zeripath added a commit to zeripath/gitea that referenced this issue Oct 6, 2020
OpenSSH has disabled DSA keys since version 7.0

As the docker runs openssh > v7.0 we should just disable
DSA keys by default.

Refers to go-gitea#11417

Signed-off-by: Andrew Thornton <art27@cantab.net>
lafriks added a commit that referenced this issue Oct 9, 2020
* Disable DSA ssh keys by default

OpenSSH has disabled DSA keys since version 7.0

As the docker runs openssh > v7.0 we should just disable
DSA keys by default.

Refers to #11417

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Just disable DSA keys by default

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Remove DSA type

* Fix Tests

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
@delvh delvh added issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea and removed reviewed/invalid labels Oct 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants