How to set up SSH to allow users with a Gitea account to clone via SSH

Hi,

Here at CERN, we are setting a Gitea instance.

I have been reading your forum for days, but unfortunately I had no luck finding a case that could help me.
We installed Gitea using its binary.

So, we are setting Gitea using an LDAP. This works fine.

The first issue is that users that are allowed to log in to Gitea and create repos, etc… cannot clone the repo via SSH. (HTTP clone is fine.)

They can ONLY clone via SSH if they are allowed to log in directly (SSH @host).

Of course, we don’t want our users to be able to log in to the machine.

So at this point, you will say: SSH server must be set up correctly.
And/or app.ini is missing something…

but I just cannot figure it out :frowning:

This is my part in the configuration file regarding the server:

```ini
[server]
SSH_DOMAIN       = <domain>
DOMAIN           = <domain>
HTTP_PORT        = 3000
ROOT_URL         = <domain>/gitea
DISABLE_SSH      = false
START_SSH_SERVER = true
SSH_PORT         = 22
SSH_LISTEN_PORT  = %(SSH_PORT)s
LFS_START_SERVER = true
LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
```

Can I ask you to please, please help me understand what I need to set in SSH to allow users to clone their repos over SSH?

In the doc https://docs.gitea.io/en-us/help/faq/ you say:

> If you do not get the above message but still connect, it means your SSH key is not being managed by Gitea. This means hooks won’t run, among other potential problems.

So, how do I let Gitea manage SSH keys?

The user that is running the gitea service is root.

Thanks and cheers,
Arturo


Each user needs to add their public key to their profile in Gitea: Settings -> SSH/GPG Keys. Under Manage SSH Keys, select Add Key and paste in the SSH key.

Thanks, @stu1811!

I will ask one of our users to test with her account. I will post the findings here.
(The setup of the machine does not let me easily test this as “someone” else.)

Yet I have an issue that I have the feeling is related to missing SSH tuning:

For example, a user that has SSH access to the host (so cloning via SSH is possible) still gets this error when pushing over SSH:

```
remote: Gitea: Rejecting changes as Gitea environment not set.
remote: If you are pushing over SSH you must push with a key managed by
remote: Gitea or set your environment appropriately.
```

So, reading this exact same question here:

The option `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = false` allows me to perform the push. But, once again, it is not recommended.

So, the discussion, and in this my naive question (again), is: what, if anything, do I need to update in the file /.ssh/authorized_keys?

Once again, root is the user that is running Gitea.
And this machine is managed by Puppet (including the content of /.ssh/authorized_keys).

So, after several days of looking, I am asking for your help to see how to properly set these SSH keys (if that is the issue) to get Gitea users to push to repos.

Thanks,
Arturo

Are you running the system SSH server as well as the Gitea SSH server? (`service sshd status`) The system sshd service usually runs on port 22. You should change the port in Gitea to something different.

By the way https://docs.gitea.io/en-us/ says “Gitea should be run with a dedicated non-root system account on UNIX-type systems.”

authorized_keys tells the system to allow a user to log in without a password if they have a private key matching one of the public keys.

Thanks again for your kind help.

Yes, I will try to use another, non-root user and see if that solves this problem.
(I tried already, but I got other issues related to the gitea systemd service being run by a user different than root.)

Also, yes, thanks. We do have service sshd, and I follow your recommendation to change the port for Gitea SSH.

I will come back with my findings.
Cheers,
Arturo

Hello,
I have a similar problem. Gitea is installed on an nginx server subdomain, git.mydomain.com, and I can successfully sync via HTTPS, but not via SSH. I tried different ports, but most of the time I receive a “connection refused” message, sometimes a kex_authentication_error.

Did you make any progress on this?
Thanks
Roland

> The user that is running the gitea service is root.

Please don’t run as root; Gitea should be run as a separate Unix user.

`START_SSH_SERVER = true` means that the built-in SSH server is being used. To have the system manage it, you’ll need to set that to false. As well, Gitea needs to have full read/write access to the “authorized keys” file, and can be the only process that manages that file and the git repos.
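The difference the reply above turns on (a key entry written by Gitea forces `gitea serv`, while any other entry sshd accepts is an ordinary login key for the host) can be checked directly in the file. The following audit script is an added example, not code from the Gitea project; it assumes the classic Gitea entry template `command="<gitea> --config=<app.ini> serv key-<id>",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` and runs on a constructed sample file.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Restrictions Gitea puts on every key it writes, so the key can only run
# "gitea serv" and never gets a shell or forwarding. Assumption: the classic
# template; newer Gitea versions add "no-user-rc,restrict" on top of these.
REQUIRED = {"no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty"}
SERV_CMD = re.compile(r'^command="\S+.* serv key-(?P<id>\d+)"$')
OPTS_RE = re.compile(r'^((?:[^\s"]|"[^"]*")+)\s+(.*)$')   # options field, then key
OPTION_RE = re.compile(r'(?:[^,"]|"[^"]*")+')             # split on unquoted commas
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# Constructed sample: a Gitea-managed key, a plain login key, a weakened forced command.
SAMPLE = """\
# gitea public key
command="/usr/local/bin/gitea --config=/etc/gitea/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample1 arturo@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExample2 puppet-admin
command="/usr/local/bin/gitea serv key-7",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample3 roland@pc
"""

@dataclass
class KeyEntry:
    line_no: int
    comment: str
    gitea_key_id: int | None   # None: not written by Gitea, so it is a normal login key
    missing: frozenset         # REQUIRED restrictions absent from a Gitea-style entry

def parse_entry(line_no: int, line: str) -> KeyEntry:
    """Split one authorized_keys line into options and key, then classify it."""
    if line.startswith(KEY_TYPES):              # no options field at all
        opts, rest = "", line
    else:
        m = OPTS_RE.match(line)
        opts, rest = (m.group(1), m.group(2)) if m else ("", line)
    fields = rest.split(None, 2)                # keytype, base64 key, optional comment
    comment = fields[2] if len(fields) > 2 else ""
    options = OPTION_RE.findall(opts)
    ids = [int(c.group("id")) for o in options if (c := SERV_CMD.match(o))]
    key_id = ids[0] if ids else None
    missing = frozenset(REQUIRED - set(options)) if key_id is not None else frozenset()
    return KeyEntry(line_no, comment, key_id, missing)

def audit(text: str) -> list[KeyEntry]:
    """Parse a whole authorized_keys file, skipping blank lines and '#' comments."""
    return [parse_entry(n, raw.strip()) for n, raw in enumerate(text.splitlines(), 1)
            if raw.strip() and not raw.lstrip().startswith("#")]

def shell_keys(entries: list[KeyEntry]) -> list[str]:
    """Comments of keys not managed by Gitea: these give an interactive login."""
    return [e.comment for e in entries if e.gitea_key_id is None]
```

Running `audit()` over the real file of the account Gitea uses (and any Puppet-managed copy of it) shows which entries will hit the "Gitea environment not set" rejection and which would let a user log in to the host.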

Well, now I can reach git.mydomain.com via SSH, but even though I placed the local machine’s pub key (user ronald) in Gitea, it asks for a password for the git user. The git push URL is:

`git@git.mydomain.com:ronald/myrepo.git`

I have not set up a password for the git user, following this guide
gitea install howto
and I want to push/pull via SSH from machines with the default user ronald…

I thought it would accept the push/pull operations just with the SSH pubkey…

Leaves me confused…

If git is asking for an SSH password, that means there is an issue with the authorized_keys file. You will need to review the OpenSSH server logs to see why it is rejecting your SSH key.

Is this problem resolved?