go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

SSH - Gitea: Cannot find key #27274

Closed williamdes closed 8 months ago

williamdes commented 1 year ago

Description

While pushing using an SSH forwarded agent:

2023/09/26 09:22:16 ...eb/routing/logger.go:102:func1() [I]
router: completed POST /api/internal/ssh/authorized_keys for 127.0.0.1:0,
500 Internal Server Error in 1.2ms @ private/key.go:50(private.AuthorizedPublicKeyByContent)

Logs when using git push

Gitea: Cannot find key: 9
fatal: Could not read from remote repository.

Pushing worked on previous versions of Gitea, I am pretty sure about it. Pushing/pulling/manual SSH works from my local host. When I use another, unauthorized key it gives a 401 in the logs, but from the server it gives a 500 error in the logs.

On my account I have two keys:

Using https://docs.gitea.com/next/installation/install-with-docker#docker-shell-with-authorizedkeyscommand

Gitea Version

1.20 and 1.21

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

ssh git@git-ssh.xxxx.xx -v
OpenSSH_8.4p1 Debian-2~bpo10+1, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to git-ssh.xxxx.xx [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-2~bpo10+1
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2
debug1: match: OpenSSH_9.2p1 Debian-2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to git-ssh.xxxx.xx:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:R9jnIdAlZtQhwFZa4SGsLVKqW/smxxxxuoyxii2WIw
debug1: Host 'git-ssh.xxxx.xx' is known and matches the ED25519 host key.
debug1: Found key in /root/.ssh/known_hosts:7
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: cardno:13 131 686 RSA SHA256:xxxxxx1aW3TIGnee3IvwZT8P5oCY+7ifz7J73jZw agent
debug1: Will attempt key: williamdes@williamdes RSA SHA256:xxxxxxx9hIiC29NB1D1Mzn1XtCmEsHjc3Nzl7lk agent
debug1: Will attempt key: williamdes+ecdsa-2023@wdes.fr ECDSA SHA256:xxxxxxxyRoUAuEHgSz9vgErcZ0c9vFWoh4m/0 agent
debug1: Will attempt key: /root/.ssh/id_rsa 
debug1: Will attempt key: /root/.ssh/id_dsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /root/.ssh/id_ed25519 
debug1: Will attempt key: /root/.ssh/id_ed25519_sk 
debug1: Will attempt key: /root/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: cardno:13 131 686 RSA SHA256:xxxxxx1aW3TIGnee3IvwZT8P5oCY+7ifz7J73jZw agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: williamdes@williamdes RSA SHA256:xxxxxxx9hIiC29NB1D1Mzn1XtCmEsHjc3Nzl7lk agent
debug1: Server accepts key: williamdes@williamdes RSA SHA256:xxxxxxx9hIiC29NB1D1Mzn1XtCmEsHjc3Nzl7lk agent
debug1: Authentication succeeded (publickey).
Authenticated to git-ssh.xxxx.xx ([xx.xx.xx.xx]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/git/.ssh/authorized_keys:8: key options: command
debug1: Remote: /home/git/.ssh/authorized_keys:8: key options: command
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
PTY allocation request failed on channel 0

Gitea: Key check failed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to git-ssh.xxxx.xx closed.
Transferred: sent 4168, received 2892 bytes, in 0.4 seconds
Bytes per second: sent 10796.3, received 7491.1
debug1: Exit status 1

Git Version

No response

Operating System

Debian 12

How are you running Gitea?

Docker rootless

gitea:
        # Always use the rootless variant !
        image: gitea/gitea:1.21-nightly-rootless
        user: "1000" # git
        dns_search: xxxxxxxx
        container_name: gitea
        environment:
            # https://github.com/go-gitea/gitea/blob/release/v1.20/docker/rootless/usr/local/bin/gitea#L40
            GITEA_WORK_DIR: /data/gitea
            # https://github.com/go-gitea/gitea/blob/release/v1.20/docker/rootless/usr/local/bin/gitea#L35
            GITEA_APP_INI: /etc/gitea/app.ini
            GITEA__APP_NAME: Foo
            GITEA__cron__ENABLED: "true"
            GITEA__server__START_SSH_SERVER: "true"
            GITEA__server__SSH_DOMAIN: git-ssh.xxx.xxx
            GITEA__server__SSH_USER: git
            GITEA__server__SSH_PORT: 22
            GITEA__server__ROOT_URL: https://git.xxx.xxx/
            GITEA__server__HTTP_PORT: ${GITEA_HTTP_PORT:-3000}
            GITEA__server__DISABLE_SSH: ${GITEA_DISABLE_SSH:-true}
            GITEA__server__SSH_LISTEN_HOST: ${GITEA_SSH_LISTEN_HOST:-0.0.0.0}
            GITEA__server__SSH_LISTEN_PORT: ${GITEA_SSH_LISTEN_PORT:-2222}
            GITEA__server__APP_DATA_PATH: /data/gitea
            GITEA__server__SSH_ROOT_PATH: /home/git/.ssh
            GITEA__log__LEVEL: "Debug"
            GITEA__log__ROOT_PATH: /data/git/log
            GITEA__lfs__PATH: /data/git/lfs
            GITEA__repository__ROOT: /data/git/repositories
            GITEA__database__DB_TYPE: mysql
            GITEA__database__HOST: "${GITEA_DB_HOST}"
            GITEA__database__NAME: "${GITEA_DB_NAME}"
            GITEA__database__USER: "${GITEA_DB_USER}"
            GITEA__database__PASSWD: "${GITEA_DB_PASS}"
            GITEA__session__COOKIE_SECURE: "true"
            GITEA__session__SAME_SITE: strict
            GITEA__mailer__ENABLED: "true"
            GITEA__mailer__FROM: ${GITEA_MAIL_FROM}
            GITEA__mailer__GITEA_MAIL_SUBJECT_PREFIX: ${GITEA_MAIL_SUBJECT_PREFIX}
            GITEA__mailer__HELO_HOSTNAME: ${GITEA_MAIL_HELO_HOSTNAME}
            GITEA__mailer__PROTOCOL: smtps
            GITEA__mailer__SMTP_ADDR: ${GITEA_MAIL_SMTP_ADDR}
            GITEA__mailer__SMTP_PORT: 465
            GITEA__mailer__USER: ${GITEA_MAIL_USER}
            GITEA__mailer__PASSWD: "${GITEA_MAIL_PASSWORD}"
            GITEA__service__DISABLE_REGISTRATION: ${GITEA_DISABLE_REGISTRATION:-true}
            GITEA__service__NO_REPLY_ADDRESS: ${GITEA_NO_REPLY_ADDRESS}
            GITEA__actions__ENABLED: "true"
            GITEA__federation__ENABLED: "true"
            GITEA__cron.update_checker__ENABLED: "true"
        healthcheck:
            test:
                [
                    "CMD",
                    "curl",
                    "--fail",
                    "https://git.xxxxx.xxxx/robots.txt",
                ]
            interval: 300s
            timeout: 1s
        volumes:
            - /home/git/.ssh/:/home/git/.ssh
            - ${GITEA_VOLUME:-./gitea}:/data
            - /etc/timezone:/etc/timezone:ro
            - /etc/localtime:/etc/localtime:ro
            # needs write access
            - ${GITEA_VOLUME:-./gitea}/gitea/conf/app.ini:/etc/gitea/app.ini
        ports:
            - "${GITEA_SSH_ADDRESS:-127.0.0.22}:${GITEA_SSH_PORT:-2222}:2222"
            - "${GITEA_HTTP_PORT:-3000}:${GITEA_HTTP_PORT:-3000}"
        depends_on:
            db:
                condition: service_healthy
        networks:
            xxxxx:
        restart: on-failure:2

Database

MySQL/MariaDB

williamdes commented 1 year ago

I managed to fix it, but it required setting GITEA__server__START_SSH_SERVER: false and then syncing the authorized keys file.

It's probably a good idea to fix this 500 error, which is probably due to the authorized keys file not being in sync.

lunny commented 1 year ago

START_SSH_SERVER means starting an internal SSH server. Setting it to false will use OpenSSHD

williamdes commented 1 year ago

START_SSH_SERVER means starting an internal SSH server. Setting it to false will use OpenSSHD

Yes, and it enables the buttons and the sync of authorized keys. I recently switched from SSH shell forwarding to docker shell exec but forgot to set START_SSH_SERVER: false.

Push/pull still worked, but not always; part of it is probably due to the fact that I had an outdated authorized keys file from the time when I was using docker shell exec. There is some bug or warning to be added so that such mistakes do not happen. Or just patch the 500 error ^^
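A check for the out-of-sync state described in the two comments above, written here as an added example and not taken from Gitea's code base: it parses the forced-command entries Gitea writes to authorized_keys and lists the ones whose key id is no longer among the ids the server knows, which is the condition behind "Cannot find key: 9". The entry format is assumed from the `serv key-<id>` convention and the `key options: command` line in the ssh -v output; the set of live key ids and the sample file are constructed stand-ins for what you would read from the Gitea database or API.

```python
import base64
import hashlib
import re
import struct

# Assumed shape of a Gitea-managed authorized_keys line: a forced command
# "gitea ... serv key-<id>" with restrictive options, then the public key.
# The pattern is an assumption derived from that shape, not Gitea's own code.
ENTRY_RE = re.compile(
    r'^command="[^"]*\bserv key-(?P<id>\d+)"(?:,\S+)?\s+'
    r'(?P<type>[A-Za-z0-9@.-]+)\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$'
)

def fingerprint(blob_b64):
    """SHA256 fingerprint in OpenSSH display form (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """One dict per non-comment line; key_id is None for lines Gitea did not write."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        entries.append({"line": n,
                        "key_id": int(m["id"]) if m else None,
                        "fingerprint": fingerprint(m["blob"]) if m else None,
                        "comment": (m["comment"] or "") if m else ""})
    return entries

def stale_entries(text, live_key_ids):
    """Gitea-managed entries whose key-<id> is not live: the lines that make
    'gitea serv' fail with 'Cannot find key: <id>'."""
    return [e for e in parse_authorized_keys(text)
            if e["key_id"] is not None and e["key_id"] not in live_key_ids]

# Constructed sample data so the check runs offline. The blob is a fake
# ed25519 key (type string + 32 zero bytes); real entries carry real keys.
def ssh_blob(key_type, raw):
    return base64.b64encode(struct.pack(">I", len(key_type)) + key_type
                            + struct.pack(">I", len(raw)) + raw).decode()

GITEA_OPTS = ('command="/usr/local/bin/gitea --config=/etc/gitea/app.ini serv key-%d",'
              'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,restrict')
FAKE_BLOB = ssh_blob(b"ssh-ed25519", bytes(32))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# gitea public key", GITEA_OPTS % 9 + " ssh-ed25519 " + FAKE_BLOB + " old-laptop",
    "# gitea public key", GITEA_OPTS % 12 + " ssh-ed25519 " + FAKE_BLOB + " williamdes@williamdes",
])
```

With key 9 deleted from Gitea and ids {12, 13} still live, `stale_entries(SAMPLE_AUTHORIZED_KEYS, {12, 13})` reports line 2 as the entry that would trigger the 500.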

lunny commented 8 months ago

I think it's outdated and could be closed.