dwyl / gogs-server

βš™οΈ CI/CD Pipeline + Docs for our Gogs Server on Fly.io
https://gogs-server.fly.dev/
GNU General Public License v2.0

ssh connection denied #2

Open SimonLab opened 2 years ago

SimonLab commented 2 years ago

I've created a new account on https://gogs-server.fly.dev/ and added my existing public ssh key to my new account:

I'm looking at creating new keys (without breaking the existing one) and trying to set up the new private/public key to be used with the gogs server only. I think I might need to create a config file to select the correct ssh key depending on the host.
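As an added illustration of the per-host config mentioned above (not part of the thread, and not from the dwyl/gogs-server repo), this is the `~/.ssh/config` stanza that pins a dedicated key to the Gogs host. The host name and port 10022 are the ones used elsewhere in this thread; the key file name `id_ed25519_gogs` is an assumption, use whatever you generated.

```text
# ~/.ssh/config  (added example; the IdentityFile name is an assumption)
Host gogs-server.fly.dev
    HostName gogs-server.fly.dev
    Port 10022
    User git
    IdentityFile ~/.ssh/id_ed25519_gogs
    # Only offer this key: without IdentitiesOnly, ssh tries every key in
    # ~/.ssh and in the agent first, which can hit the server's auth-attempt
    # limit before the right key is ever presented.
    IdentitiesOnly yes
```

With that in place, `ssh -T git@gogs-server.fly.dev` picks up the port and key automatically, and `ssh -v -T git@gogs-server.fly.dev` shows in the "Offering public key" lines exactly which identity was sent, which is the first thing to check when the answer is still "Permission denied (publickey)".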

nelsonic commented 2 years ago

When I clone this repo I get:

[image]

hmmm ... I didn't have to create a new ssh key when I went through the original setup ... wondering if it's an admin rights thing. 🤔

https://gogs-server.fly.dev/admin/users [image]

@SimonLab I've made you admin. 🦸‍♂️

nelsonic commented 2 years ago

Hold on ... I think ... there may be an SSH Daemon update thing with new SSH keys. 💭 Signal me the email address you have for Fly.io and I will give you admin at the VM level. That way you can restart the VM which should start the SSH server rebuilding the list of authorized_keys ...

SimonLab commented 2 years ago

Server restarted, however I still have the same error. There is also maybe a related error in the log:

2022-05-09T14:51:41Z app[67a73f8c] lhr [info]May  9 14:51:41 sshd[602]: error: kex_exchange_identification: Connection closed by remote host
2022-05-09T14:51:41Z app[67a73f8c] lhr [info]May  9 14:51:41 sshd[602]: Connection closed by 205.234.240.68 port 55212

nelsonic commented 2 years ago

TCP port 55212 is not related to what you're doing. Unless that's your IP address ... 💭

SimonLab commented 2 years ago

The errors keep appearing, but on different ports each time: https://fly.io/apps/gogs-server/logs

nelsonic commented 2 years ago

I think that might be a Bot doing a port scan ... 🤖 Xsan Filesystem Access https://www.adminsub.net/tcp-udp-port-finder/55212 🤷 i.e. those errors in the log are unrelated to what you're doing ... 🙄

nelsonic commented 2 years ago

https://www.reddit.com/r/homelab/comments/2wl5wx/being_port_scanned_by_bots_how_much_is_too_much/

nelsonic commented 2 years ago

I'm surprised that Fly.io isn't blocking this traffic at their Firewall. It's very clearly a scan. 🙃

nelsonic commented 2 years ago

FYI: SSH is still working after the server restart. I just pushed to the repo you created: https://gogs-server.fly.dev/theorg/myrepo [image]

nelsonic commented 2 years ago

@SimonLab want to try and do this in a "clean" environment? Do you have another computer you can use (e.g. a RPi?) or could you set up a new user on your main machine so you create a brand new RSA Key and add it to Gogs ... 💭

I don't think that's the issue. But it might be that the algorithm used for your SSH key is not listed in: https://gogs-server.fly.dev/admin/config [image: gogs-server-algo]

SimonLab commented 2 years ago

Good idea, I'll try with another user on my machine.

nelsonic commented 2 years ago

@SimonLab can you try:

ssh -T ssh://git@gogs-server.fly.dev:10022

You should see:

Hi there, You've successfully authenticated, but Gogs does not provide shell access.

e.g:

[image]

This is the baseline test for SSH.

As per: https://docs.github.com/en/authentication/connecting-to-github-with-ssh/testing-your-ssh-connection

SimonLab commented 2 years ago

Yes I also tried this earlier, and got git@gogs-server.fly.dev: Permission denied (publickey,keyboard-interactive).

nelsonic commented 2 years ago

Ah. OK so it's probably the RSA Key algo? Let's stay on the 16:30 call and debug if you have time.

nelsonic commented 2 years ago

@SimonLab any luck? LMK if you have time to pair either today or tomorrow morning.

nelsonic commented 2 years ago

@SimonLab please login to the gogs-server:

fly ssh console

And check that your public key is in this file:

/data/git/.ssh/authorized_keys

nelsonic commented 2 years ago

See: https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file

nelsonic commented 2 years ago

Try just copying all the data on the first line of the file into your local text editor, replace my public key with yours, then insert it as a new line in the file. 💭

SimonLab commented 2 years ago

Gogs didn't add my ssh key automatically, I had to run the admin command: [image] Checked the /data/git/.ssh/authorized_keys file and my key is now there. Testing ssh -T ssh://git@gogs-server.fly.dev:10022 returns:

Hi there, You've successfully authenticated, but Gogs does not provide shell access. If this is unexpected, please log in with password and setup Gogs under another user.

@nelsonic It might be worth checking on your side you can still access gogs-server with your ssh key as the file of authorized keys was rewritten

I think the issue is linked to https://github.com/gogs/gogs/issues/4751#issuecomment-703237986
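For the two checks discussed above, confirming that a public key really is in /data/git/.ssh/authorized_keys and re-confirming after Gogs has rewritten that file, here is a small POSIX sh helper. It is an added example, not code from the dwyl/gogs-server repo or from Gogs. The sample file it writes is constructed: the key blobs are placeholders, not real keys, and the `/app/gogs` and `/data/gogs` paths in the `command=` prefix are assumed, in the shape of the option-prefixed lines a Gogs-managed authorized_keys contains. It compares only the key type and base64 blob, because the option prefix and the comment differ from what is in a local `.pub` file, so a plain grep for the whole `.pub` line can report a key as missing when it is actually present.

```shell
#!/bin/sh
# Added example (not from dwyl/gogs-server or Gogs): check that a public key
# is present in an authorized_keys file, ignoring options and comments.

# Write a constructed sample authorized_keys in the shape Gogs manages:
# an option prefix (command=...,no-pty,...), then key type, blob, comment.
# Paths and key blobs are placeholders, not real keys.
make_sample_authorized_keys() {
    cat >"$1" <<'EOF'
# constructed sample, not a real key file
command="/app/gogs/gogs serv key-1 --config='/data/gogs/conf/app.ini'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONE nelsonic@example
command="/app/gogs/gogs serv key-2 --config='/data/gogs/conf/app.ini'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYTWO simonlab@example
EOF
}

# key_in_authorized_keys FILE "TYPE BLOB [COMMENT]"
# Exit status 0 if some non-comment line of FILE carries the same key TYPE
# and base64 BLOB, whatever options precede it or comment follows it.
key_in_authorized_keys() (
    set -f                        # no globbing while word-splitting lines
    file=$1
    set -- $2                     # split the wanted key into TYPE BLOB ...
    want_type=$1 want_blob=$2
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line              # fields of this authorized_keys line
        [ $# -ge 2 ] || continue  # blank or too short to hold a key
        case $1 in '#'*) continue ;; esac
        # Options (which may contain spaces inside quotes) come first; the
        # key starts at the first field that looks like a type followed by
        # a blob (every OpenSSH key blob starts with "AAAA").
        while [ $# -ge 2 ]; do
            case $1 in
                ssh-*|ecdsa-*|sk-*)
                    case $2 in
                        AAAA*)
                            if [ "$1" = "$want_type" ] && [ "$2" = "$want_blob" ]; then
                                exit 0
                            fi
                            break ;;
                    esac ;;
            esac
            shift
        done
    done <"$file"
    exit 1
)

# Usage on the server, e.g. after `fly ssh console`:
#   sh check_key.sh /data/git/.ssh/authorized_keys "ssh-ed25519 AAAA... you@host"
if [ $# -eq 2 ]; then
    if key_in_authorized_keys "$1" "$2"; then
        echo "key is present in $1"
    else
        echo "key is NOT present in $1" >&2
        exit 1
    fi
fi
```

Run it once after adding a key in the Gogs UI and once more after any "rewrite authorized_keys" admin action or server restart: the second run is what catches a rewrite that dropped a previously working key, which is the failure mode raised above.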

SimonLab commented 2 years ago

I'm going to try the solution described on the gogs issue above:

SimonLab commented 2 years ago

START_SSH_SERVER to false didn't seem to work. When removing a ssh key the authorized_keys file is updated, however adding a new key doesn't update it automatically and I had to run the rewrite command (https://github.com/dwyl/gogs-server/issues/2#issuecomment-1122176417) to update the file, then I'm able to use ssh. I don't think it's too big an issue at the moment because we'll only have the Phoenix server talking to the gogs-server via ssh at the start.

nelsonic commented 2 years ago

Yeah, that's my thinking. We will add SSH keys to the "dev" server for new team members to be able to run the app on their localhost without having to run a local Gogs instance. But in terms of staging and production it should really only be done once. 💭

SimonLab commented 2 years ago

Adding a new key via the gogs server interface works now. I was updating the wrong conf/app.ini file instead of updating the configuration file directly on the fly server (see https://github.com/dwyl/gogs-server#intialize-gogs). So setting START_SSH_SERVER to false works!