[Gitea] ssh server not updating authorized keys #2380

Closed
MGThePro opened this issue Apr 1, 2022 · 6 comments
Labels
bug Something isn't working


@MGThePro

MGThePro commented Apr 1, 2022

Details

Container name and tag:

gitea 1.16.5_6.0.15

What steps did you take and what happened:

I set up gitea with mostly standard settings, created an account and added an ssh public key (~/.ssh/nasbox-git.pub), and ran the command
ssh -i ~/.ssh/nasbox-git -T git@gitea.nasbox.net -p 2222
The result is always
git@gitea.nasbox.net: Permission denied (publickey).
Cloning repos via ssh doesn't work either, but works via https.
Even after running the "Resynchronize pre-receive, update and post-receive hooks of all repositories." and "Update the '.ssh/authorized_keys' file with Gitea SSH keys." tasks.

Here's the application configuration:

The nasbox.net domain is only local and handled via a pihole Local DNS Record, and works for the webinterface, but I've also tried sshing via the ip.

Here's the gitea pod log when running the previously mentioned tasks:

2022-04-01 19:33:39.015254+00:00 2022/04/01 21:33:39 Started GET /assets/serviceworker.js for 172.16.0.209:40428
2022-04-01 19:33:39.015301+00:00 2022/04/01 21:33:39 Completed GET /assets/serviceworker.js 304 Not Modified in 133.542µs
2022-04-01 19:34:21.463465+00:00 2022/04/01 21:34:21 Started GET /assets/serviceworker.js for 172.16.0.209:40658
2022-04-01 19:34:21.463633+00:00 2022/04/01 21:34:21 Completed GET /assets/serviceworker.js 304 Not Modified in 177.226µs

And here's the log from a failed ssh connection test

2022-04-01 19:38:18.119399+00:00 2022/04/01 21:38:18 modules/ssh/ssh.go:260:sshConnectionFailed() [W] Failed connection from 192.168.178.72:46914 with error: [ssh: no auth passed yet]
2022-04-01 19:38:18.119449+00:00 2022/04/01 21:38:18 modules/ssh/ssh.go:262:sshConnectionFailed() [W] Failed authentication attempt from 192.168.178.72:46914

Looking through the filesystem of the gitea pod, I could find a few ssh or .ssh folders (like /data/ssh and /data/git/.ssh) but none of them contained an authorized_keys file, and manually creating it didn't help.

@Sagit-chu Sagit-chu added the bug Something isn't working label Apr 2, 2022
@neruok

neruok commented Apr 16, 2022

I found the solution in go-gitea/gitea#17175

I had the same problem and was able to fix it by setting ~/.ssh/config similarly to:

Host gitea.example.com
    PubkeyAcceptedAlgorithms +ssh-rsa

This could also be fixed by adding

SSH_SERVER_HOST_KEYS = ssh/gitea.ed25519

to the [server] section of gitea's app.ini

@MGThePro
Author

Neither of the two methods worked for me. Not sure why the first didn't work, but I think the second one didn't work because no ed25519 key is generated automatically, and ssh-keygen isn't installed in the docker container for some reason? I also can't install it because apk needs more permissions and sudo, doas, and su don't work.

@MGThePro
Author

MGThePro commented Apr 16, 2022

Here's the verbose output when trying to connect via ssh:

ssh -i ~/.ssh/nasbox-git.pub -o PubkeyAcceptedKeyTypes=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -T git@gitea.nasbox.net -p 2222 -v
OpenSSH_9.0p1, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /home/mgthepro/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to gitea.nasbox.net [192.168.178.93] port 2222.
debug1: Connection established.
debug1: identity file /home/mgthepro/.ssh/nasbox-git.pub type 0
debug1: identity file /home/mgthepro/.ssh/nasbox-git.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version Go
debug1: compat_banner: no match: Go
debug1: Authenticating to gitea.nasbox.net:2222 as 'git'
debug1: load_hostkeys: fopen /home/mgthepro/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:Mhdils7qp3wdu2vWLiD53WIsF3Eec4TWeiCSiTPIAcs
debug1: load_hostkeys: fopen /home/mgthepro/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[gitea.nasbox.net]:2222' is known and matches the RSA host key.
debug1: Found key in /home/mgthepro/.ssh/known_hosts:29
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/mgthepro/.ssh/nasbox-git.pub RSA SHA256:Q1g+y6X+48/AOM1zDf+ecS0ErDFLgecGcVDo0ZuEQTk explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/mgthepro/.ssh/nasbox-git.pub RSA SHA256:Q1g+y6X+48/AOM1zDf+ecS0ErDFLgecGcVDo0ZuEQTk explicit
debug1: Server accepts key: /home/mgthepro/.ssh/nasbox-git.pub RSA SHA256:Q1g+y6X+48/AOM1zDf+ecS0ErDFLgecGcVDo0ZuEQTk explicit
Load key "/home/mgthepro/.ssh/nasbox-git.pub": invalid format
debug1: No more authentication methods to try.
git@gitea.nasbox.net: Permission denied (publickey).

This is without the SSH_SERVER_HOST_KEYS setting set on the server

@neruok

neruok commented Apr 16, 2022

Maybe a typo?
You should be passing your private key as the IdentityFile parameter for ssh.
https://stackoverflow.com/a/48330113 says that might be a problem.

ssh -i ~/.ssh/nasbox-git -o PubkeyAcceptedKeyTypes=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -T git@gitea.nasbox.net -p 2222 -v
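The diagnosis in this comment can be read straight off the verbose output: the server accepted the offered key, and the failure came afterwards when the client could not load a private key from the `.pub` file. The following triage helper is an added example, not part of the original thread or of Gitea or OpenSSH; the finding codes are hypothetical names, and the "no mutual signature" client message is not shown in the thread and is matched here as an assumption about OpenSSH client output.

```python
import re

# Lines copied from the `ssh -v` output posted in this thread (relevant ones only).
SAMPLE = """\
debug1: identity file /home/mgthepro/.ssh/nasbox-git.pub type 0
debug1: Offering public key: /home/mgthepro/.ssh/nasbox-git.pub RSA SHA256:Q1g+y6X+48/AOM1zDf+ecS0ErDFLgecGcVDo0ZuEQTk explicit
debug1: Server accepts key: /home/mgthepro/.ssh/nasbox-git.pub RSA SHA256:Q1g+y6X+48/AOM1zDf+ecS0ErDFLgecGcVDo0ZuEQTk explicit
Load key "/home/mgthepro/.ssh/nasbox-git.pub": invalid format
debug1: No more authentication methods to try.
git@gitea.nasbox.net: Permission denied (publickey).
"""


def _paths(pattern, log):
    """Collect the file paths captured by a per-line pattern."""
    return set(re.findall(pattern, log, re.M))


def triage(log):
    """Return (code, detail) findings for a failed publickey login."""
    offered = _paths(r"^debug1: Offering public key: (\S+)", log)
    accepted = _paths(r"^debug1: Server accepts key: (\S+)", log)
    unloadable = _paths(r'^Load key "([^"]+)": invalid format', log)
    findings = []
    for path in sorted(unloadable):
        if path in accepted:
            # The server recognised the key, so its key list is fine; the
            # client could not read a private key from this file to sign.
            findings.append(("server-accepted-client-cannot-sign", path))
        if path.endswith(".pub"):
            # Suggest the matching private-key path for -i / IdentityFile.
            findings.append(("public-key-file-passed-to-i", path[:-len(".pub")]))
    if "no mutual signature" in log:
        # Assumed client message: the key can only sign with an algorithm the
        # client has disabled (the PubkeyAcceptedAlgorithms case above).
        findings.append(("no-mutual-signature-algorithm", "PubkeyAcceptedAlgorithms"))
    if offered and not accepted and "Permission denied (publickey)" in log:
        # Nothing offered was accepted: the server-side key list is the suspect.
        findings.append(("server-rejected-all-keys", ",".join(sorted(offered))))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE):
        print(f"{code}: {detail}")
```
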

@MGThePro
Author

Oh wow, now I feel stupid. Before setting the ssh-rsa thing I always tested with both public and private key because I wasn't sure which one I should use, but now after setting it I completely forgot. This fixed my issue, thank you!

@truecharts-admin
Collaborator

This issue is locked to prevent necro-posting on closed issues. Please create a new issue or contact staff on Discord if the problem persists

@truecharts truecharts locked and limited conversation to collaborators Feb 3, 2023