YunoHost-Apps / gogs_ynh

Gogs package for YunoHost
http://gogs.io
GNU General Public License v3.0

Cannot clone with SSH: wrong HOME env variable ? #78

Open matthiasbe opened 1 year ago

matthiasbe commented 1 year ago

I am trying to set up an SSH connection to pull/push and clone. After fixing issue #77, I stumble over another issue.

The terminal asks for a password even if I have given an SSH key in gogs' interface. I see the key in /home/yunohost_app/gogs/.ssh/authorized_keys.

The command ssh -vT gogs@<server> issues the following:

debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/matthias/.ssh/id_rsa RSA SHA256:<key> agent
debug1: Will attempt key: /home/matthias/.ssh/id_ecdsa 
debug1: Will attempt key: /home/matthias/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/matthias/.ssh/id_ed25519 
debug1: Will attempt key: /home/matthias/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/matthias/.ssh/id_xmss 
debug1: Will attempt key: /home/matthias/.ssh/id_dsa 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
Debian GNU/Linux 11
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/matthias/.ssh/id_rsa RSA SHA256:<key> agent
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/matthias/.ssh/id_ecdsa
debug1: Trying private key: /home/matthias/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/matthias/.ssh/id_ed25519
debug1: Trying private key: /home/matthias/.ssh/id_ed25519_sk
debug1: Trying private key: /home/matthias/.ssh/id_xmss
debug1: Trying private key: /home/matthias/.ssh/id_dsa
debug1: Next authentication method: password
gogs@<server_name>'s password: 

After checking, it seems it does not find the correct file authorized_keys.

I added AuthorizedKeysFile %h/.ssh/authorized_keys in /etc/ssh/sshd_config as suggested in the doc of the app.

But still, I think the $HOME is not correctly put. Indeed I have the following:

root@mtbp:~# sudo -u gogs /bin/bash -l -c 'echo $HOME'
/var/www/gogs

I think this should point to /home/yunohost_app/gogs, no? How to fix this in the app?

Thank you for your help.

matthiasbe commented 1 year ago

From the documentation, it seems that the $HOME is defaulted to /var/www/__APP__ in Yunohost (see here). This is also the default value of __INSTALL_DIR__ (see here). In https://github.com/YunoHost-Apps/gogs_ynh/blob/master/conf/app.ini#L63 we have

; The path of SSH root directory, default is "$HOME/.ssh".
SSH_ROOT_PATH =

And in the service config:

HOME=__DATA_DIR__

I think it should be HOME=__INSTALL_DIR__ instead, to be consistent with yunohost config.

I would enjoy any feedback on this, and any clue on how to test this properly (I have not yet attempted to develop anything on yunohost, so any pointers to try this quickly would help).

matthiasbe commented 1 year ago

I issued the command sudo ln -s /home/yunohost.app/gogs/.ssh /var/www/gogs.

This fixed the issue for the key authentication. I am now connected to ssh.

But another problem occurs:

matthias@matthias-pc:~/inria/redaction$ git push
Debian GNU/Linux 11
fatal : Error: fatal: protocol error: bad line length character: This

This thread is useful for debugging.

It leads me to issue the following:

$ ssh gogs@<server> git-receive-pack /home/yunohost.app/gogs/repositories/matthias/<my_repo>.git/
Debian GNU/Linux 11
This account is currently not available.
$

From this other thread it looks like the gogs user being set up as "nologin" causes this issue.

My question now is the following: should the git user be set up as nologin, to enable ssh correctly?
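
The two failures described so far (sshd reading authorized_keys from the passwd home rather than the directory the app writes to, and a nologin shell rejecting the command after the key is accepted) can be checked with a short script. This is an added example, not part of the original thread or of the gogs_ynh package; the passwd line, the /opt/gogs path and the key material are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch. The passwd line and key file below are constructed
# sample data; on a real host take them from `getent passwd gogs` and `sshd -T`.

# Path sshd will read: %h and %u are expanded from the passwd entry, not from
# the HOME= of the gogs service unit. Relative results are taken from home.
resolve_keys_path() {  # $1 = passwd line, $2 = one AuthorizedKeysFile pattern
    user=$(printf '%s' "$1" | cut -d: -f1)
    home=$(printf '%s' "$1" | cut -d: -f6)
    esc_home=$(printf '%s' "$home" | sed 's/[&|\\]/\\&/g')  # protect sed metachars
    path=$(printf '%s' "$2" | sed -e "s|%h|$esc_home|g" -e "s|%u|$user|g")
    case $path in
        /*) printf '%s\n' "$path" ;;
        *)  printf '%s/%s\n' "$home" "$path" ;;
    esac
}

# sshd runs the key's forced command through the login shell (passwd field 7),
# so a nologin/false shell rejects git-receive-pack after the key is accepted.
shell_runs_commands() {  # $1 = passwd line
    case $(printf '%s' "$1" | cut -d: -f7) in
        */nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# Count key lines without a command="..." option. Once the account has a real
# shell, such a key would open an unrestricted session instead of the app's command.
count_unrestricted_keys() {  # $1 = authorized_keys file
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
        grep -c -v -E '^[[:space:]]*([^"[:space:]]+,)?command="' || true
}

# Constructed sample mirroring the thread: passwd home differs from the app's key dir.
SAMPLE_PASSWD='gogs:x:995:995::/var/www/gogs:/usr/sbin/nologin'
APP_KEYS='/home/yunohost.app/gogs/.ssh/authorized_keys'
sshd_path=$(resolve_keys_path "$SAMPLE_PASSWD" '%h/.ssh/authorized_keys')
[ "$sshd_path" = "$APP_KEYS" ] || echo "MISMATCH: sshd reads $sshd_path, app writes $APP_KEYS"
shell_runs_commands "$SAMPLE_PASSWD" || echo "SHELL: login shell cannot run the forced command"
keys=$(mktemp)
cat > "$keys" <<'EOF'
command="/opt/gogs/gogs serv key-1",no-port-forwarding,no-pty ssh-rsa AAAAB3...constructed alice
ssh-ed25519 AAAAC3...constructed stray-key
EOF
echo "keys without forced command: $(count_unrestricted_keys "$keys")"
rm -f "$keys"
```

The forced-command count matters once the account is given an interactive shell, and the server in the log above also offers password authentication for this account.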

matthiasbe commented 1 year ago

This is fixed by changing the shell of user "gogs" from /sbin/login to /bin/bash (I first tried with /usr/bin/git-shell, but this fails due to gogs using a specific command along with the key, a command that is not available with git-shell).

You can make this change with

sudo usermod gogs --shell /bin/bash

And now it works well:

$ git push
Debian GNU/Linux 11
Everything up-to-date

Two remarks: