[solved] Pushing to gitea using SSH authentication

Hello,
I want to push /etc directory to my gitea server; this is a function of etckeeper.

There are multiple clients that push their /etc directory into a specific repo: etckeeper/.

For this I created a technical user account on the gitea server with a public key pair.
Then I logged in to the gitea server with this technical user account and created the SSH key in Profile > Settings > SSH Keys.

The key is displayed in green, therefore I assume everything is correct.

Then I transferred the key pair of this technical user to a client and tried to connect to gitea server via SSH with this command:
ssh -vT -i ~/.ssh/t-user_d038783-id_rsa git@vlcspgit.devsys.net

This is working nicely:

vlcspsumamon:/etc/.git # ssh -vT -i ~/.ssh/t-user_d038783-id_rsa git@vlcspgit.devsys.net
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to vlcspgit.devsys.net [10.237.81.9] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/t-user_d038783-id_rsa type 0
debug1: identity file /root/.ssh/t-user_d038783-id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to vlcspgit.devsys.net:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:KrtmxGqiXMa1zfD5PWMfvEQYxLI3lo4mOiFmhPKgo/E
debug1: Host 'vlcspgit.devsys.net' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/t-user_d038783-id_rsa RSA SHA256:0VHb5w0JA1adZtDspxJCUTQsLK9P+5kt/eR6mFG4mLU explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/t-user_d038783-id_rsa RSA SHA256:0VHb5w0JA1adZtDspxJCUTQsLK9P+5kt/eR6mFG4mLU explicit
debug1: Server accepts key: /root/.ssh/t-user_d038783-id_rsa RSA SHA256:0VHb5w0JA1adZtDspxJCUTQsLK9P+5kt/eR6mFG4mLU explicit
debug1: Authentication succeeded (publickey).
Authenticated to vlcspgit.devsys.net ([10.237.81.9]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/git/.ssh/authorized_keys:6: key options: command user-rc
debug1: Remote: /home/git/.ssh/authorized_keys:6: key options: command user-rc
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env LC_COLLATE = C
Hi there, t-user_d038783! You've successfully authenticated with the key named t-user_d038783@vlcspgit, but Gitea does not provide shell access.
If this is unexpected, please log in with password and setup Gitea under another user.
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3540, received 3464 bytes, in 3.4 seconds
Bytes per second: sent 1045.4, received 1022.9
debug1: Exit status 0

The next step is to use git + SSH authentication.
However, this command fails already:

vlcspsumamon:/etc/.git # git ls-remote
git@vlcspgit.devsys.net: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Can you please advise how to fix this error?
I assume I must use the correct public key for authentication (as used with SSH command).

THX

If you have to specify your private key when using ssh, you probably also need to specify it for git.

GIT_SSH_COMMAND='ssh -i ~/.ssh/t-user_d038783-id_rsa' git ls-remote

Understood.

This means I can either use command git with the default private key file ~/.ssh/id_rsa or I define my individual command using the specific private key file ~/.ssh/t-user_d038783-id_rsa.

I think I will use command git and create a softlink ~/.ssh/id_rsa pointing to ~/.ssh/t-user_d038783-id_rsa; this should be possible because the clients don’t use public key authentication anywhere.

1 Like

You can have a config file in ~/.ssh/config to indicate a special private key file for different Host and User.

2 Likes
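
The per-host ~/.ssh/config approach suggested above, as an added example that is not part of the original thread. The host name and key path are the ones from the posts; the function name add_git_host and the IdentitiesOnly line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Host and key path come from the posts
# above; the function name add_git_host is an assumption of this example.

# add_git_host CONFIG_FILE HOST KEY_PATH
# Appends a Host block for the Gitea server once and keeps the file private.
add_git_host() {
    cfg=$1 host=$2 key=$3
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    chmod 600 "$cfg"    # ssh refuses a config that other users can write to

    # Idempotent: do nothing if a block for this host already exists.
    if grep -qxF "Host $host" "$cfg"; then
        return 0
    fi

    # IdentitiesOnly makes ssh offer only this key to the host, not every
    # key found in ~/.ssh or in a running agent.
    cat >>"$cfg" <<EOF

Host $host
    User git
    IdentityFile $key
    IdentitiesOnly yes
EOF
}

# Run as: sh add_git_host.sh ~/.ssh/config vlcspgit.devsys.net '~/.ssh/t-user_d038783-id_rsa'
# Then check what ssh resolves, and retry git without GIT_SSH_COMMAND:
#   ssh -G vlcspgit.devsys.net | grep -i '^identityfile'
#   git ls-remote
if [ "$#" -eq 3 ]; then
    add_git_host "$@"
fi
```

With this block in place, plain `git ls-remote` picks up the technical user's key for this host only, and the default ~/.ssh/id_rsa stays free for other uses.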

Right…
This is much cleverer than the solution with softlink.

1 Like