How to set SSH to allow users with a Gitea account to clone via SSH

Hi,

Here at CERN, we are setting a Gitea instance.

I have been reading your forum for days, but unfortunately, I had no luck finding a case that can help me.
We installed Gitea using its binary.

So, we are setting Gitea using an LDAP. This works fine.

The first issue is that users that are allowed to login into Gitea and create repos, etc… cannot clone the repo via SSH. (HTTP clone is fine)

They can ONLY SSH clone if they are allowed to log in directly (SSH @host).

Of course, we don’t want our users to be able to log in to the machine.

So at this point, you will say: SSH server must be set up correctly.
And/or app.ini is missing something…

but I just cannot figure out :frowning:

This is my part in the configuration file regarding the server:

[server]
SSH_DOMAIN       = <domain>
DOMAIN           = <domain>
HTTP_PORT        = 3000
ROOT_URL         = <domain>/gitea
DISABLE_SSH      = false
START_SSH_SERVER = true
SSH_PORT         = 22
SSH_LISTEN_PORT  = %(SSH_PORT)s
LFS_START_SERVER = true
LFS_CONTENT_PATH = /var/lib/gitea/data/lfs

Can I ask you to please, please help me to understand what I can set in SSH to allow users to clone their repos via SSH?

In the doc https://docs.gitea.io/en-us/faq/#ssh-issues
you say:
" If you do not get the above message but still connect, it means your SSH key is not being managed by Gitea. This means hooks won’t run, among other potential problems."

So, how do I let Gitea manage SSH keys?

The user that is running the gitea service is root.

Thanks and cheers,
Arturo

Each user needs to add their public key to their profile in Gitea: Settings -> SSH/GPG Keys. Under Manage SSH Keys, select Add Key and paste in the SSH public key.

Thanks, @stu1811!

I will ask one of our users to test with her account. I will post here the findings.
(the setup of the machine does not let me test this as “someone” else easily)

Yet, I have an issue that I feel is related to missing SSH tuning:

For example, a user that has SSH access to the host (so cloning via SSH is possible) still gets this error when pushing over SSH:

remote: Gitea: Rejecting changes as Gitea environment not set.
remote: If you are pushing over SSH you must push with a key managed by
remote: Gitea or set your environment appropriately.

So, reading this exact same question here:

The option:
ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = false

Allows me to perform the push. But, once again, it is not recommended.
So, the discussion, and my naive question (again), is whether I need to perform any update in the file /.ssh/authorized_keys.

Once again, root is the user that is running Gitea.
And this machine is managed by Puppet (including the content of /.ssh/authorized_keys.).

So, after several days of looking, I look for your help to see how to properly set these SSH keys (if that is the issue) to get Gitea users to push to repos.

Thanks,
Arturo

Are you running the system ssh server as well as the gitea ssh server? service sshd status The system sshd service usually runs on port 22. You should change the port in gitea to something different.

By the way https://docs.gitea.io/en-us/ says “Gitea should be run with a dedicated non-root system account on UNIX-type systems.”

authorized_keys tells the system to allow a user to log in without a password if they have a private key matching one of the public keys.
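To make the three points raised in this thread checkable rather than a matter of reading app.ini by eye, here is an added example (not part of this thread, and not Gitea's own code) that audits an app.ini fragment for them: Gitea running as root, the built-in SSH server bound to the same port as the system sshd, and the push-environment check switched off. The two fragments are constructed from the poster's [server] block with an example hostname; RUN_USER as a root-level key and the placement of ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET under [security] are assumptions here, and the parse uses Python's configparser, which approximates Gitea's ini dialect well enough for these keys.

```python
"""Audit a Gitea app.ini fragment for the SSH pitfalls discussed in the thread."""
import configparser
from typing import List

# Constructed sample: the poster's [server] block plus the two settings the
# replies discuss. RUN_USER is written as a root-level key; putting
# ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET under [security] is an assumption.
RISKY_APP_INI = """\
RUN_USER = root

[server]
SSH_DOMAIN       = git.example.test
DOMAIN           = git.example.test
HTTP_PORT        = 3000
ROOT_URL         = https://git.example.test/gitea
DISABLE_SSH      = false
START_SSH_SERVER = true
SSH_PORT         = 22
SSH_LISTEN_PORT  = %(SSH_PORT)s

[security]
ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = false
"""

# The same fragment with the fixes the replies recommend: a dedicated
# non-root account, the built-in SSH server moved off port 22 (the
# advertised SSH_PORT follows it), and the push check left enabled.
HARDENED_APP_INI = """\
RUN_USER = git

[server]
SSH_DOMAIN       = git.example.test
DOMAIN           = git.example.test
HTTP_PORT        = 3000
ROOT_URL         = https://git.example.test/gitea
DISABLE_SSH      = false
START_SSH_SERVER = true
SSH_PORT         = 2222
SSH_LISTEN_PORT  = %(SSH_PORT)s

[security]
ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
"""

SYSTEM_SSHD_PORT = 22  # the port `service sshd status` / sshd_config reports


def parse_app_ini(text: str) -> configparser.ConfigParser:
    """Parse an app.ini fragment. Gitea accepts keys before the first section
    header, which configparser rejects, so such keys are folded into DEFAULT."""
    if not text.lstrip().startswith("["):
        text = "[DEFAULT]\n" + text
    cfg = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cfg.optionxform = str  # keep Gitea's upper-case key names as written
    cfg.read_string(text)  # BasicInterpolation resolves %(SSH_PORT)s
    return cfg


def audit(text: str, system_sshd_port: int = SYSTEM_SSHD_PORT) -> List[str]:
    """Return human-readable findings; an empty list means none of the three pitfalls."""
    cfg = parse_app_ini(text)
    findings: List[str] = []

    if cfg.get("DEFAULT", "RUN_USER", fallback="") == "root":
        findings.append("RUN_USER is root; run Gitea under a dedicated non-root account")

    builtin_ssh_on = (cfg.getboolean("server", "START_SSH_SERVER", fallback=False)
                      and not cfg.getboolean("server", "DISABLE_SSH", fallback=False))
    if builtin_ssh_on:
        listen_port = cfg.getint("server", "SSH_LISTEN_PORT", fallback=22)
        if listen_port == system_sshd_port:
            findings.append(f"built-in SSH server listens on port {listen_port}, "
                            "the same port as the system sshd")

    if not cfg.getboolean("security", "ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET",
                          fallback=True):
        findings.append("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET=false hides pushes "
                        "over unmanaged keys instead of fixing key management")
    return findings


if __name__ == "__main__":
    for label, fragment in (("risky", RISKY_APP_INI), ("hardened", HARDENED_APP_INI)):
        print(f"{label}: {audit(fragment) or ['no findings']}")
```

The `system_sshd_port` parameter exists so the check can be pointed at whatever port the host's sshd actually uses; on the poster's machine, where sshd is on 22 and Gitea's built-in server is also told to listen on 22, the first fragment produces all three findings and the second none.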

Thanks again for your kind help.

Yes, I will try to use another non-root user and see if that solves this problem.
(I tried already, but I got other issues related to the gitea systemd service being run by a user other than root.)

Also, yes, thanks. We do have the sshd service, and I follow your recommendation to change the port for Gitea SSH.

I will come back with my findings.
Cheers,
Arturo