Troubleshooting Gitea Docker configuration using AuthorizedKeysCommand

Hi everyone,

I am trying to setup Gitea using docker. I have reviewed the different options and opted to configure it using the “Docker Shell with AuthorizedKeysCommand”.

My setup is not working at the moment. Whenever I try to clone or push a repository via ssh, I am being asked the password of the git user of the host. Instead of using the password, I was expecting gitea keys command would retrieve the public ssh key of one of my users, and ask for the passphrase for the first login.

Trying to troubleshoot it, I gave a try to the instructions on docker rootless, that look quite similar but do not require the creation of the /home/git folder.

This is my docker-compose file:

version: "3"

networks:
  gitea:
      external: false

volumes:
  gitea:
    driver: local

services:
  server:
    image: gitea/gitea:1.16.5
    container_name: gitea
    restart: always
    networks:
      - gitea
    volumes:
      - gitea:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "127.0.0.1:2222:22"

User git was created using:

sudo useradd -r git
sudo usermod -aG docker git 

File /usr/local/bin/gitea-shell is owned by root:root with 0755 permissions. This is the content of the file:

/usr/local/bin/gitea-shell 
#!/bin/sh
/usr/bin/docker exec -i --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@"

File app.ini was modified after the web configuration, to add the following line under [server] heading:

SSH_CREATE_AUTHORIZED_KEYS_FILE=false

On sshd_config, I added the following lines:

Match User git
  AuthorizedKeysCommandUser git
  AuthorizedKeysCommand /usr/bin/docker exec -i gitea /usr/local/bin/gitea keys -e git -u %u -t %t -k %k

I also configured the LogLevel to DEBUG3.

Then I tried cloning a test repo:

git clone git@172.16.0.38:username/test.git                 

Cloning 'test'...
git@172.16.0.38's password:

This is the log of sshd, retrieved using journalctl -u sshd:

mar 28 14:15:17 server sshd[1929]: debug3: monitor_read: checking request 8
mar 28 14:15:17 server sshd[1929]: debug3: mm_answer_pwnamallow: entering
mar 28 14:15:17 server sshd[1929]: debug2: parse_server_config_depth: config reprocess config len 3324
mar 28 14:15:17 server sshd[1929]: debug3: checking match for 'User git' user git host 172.16.0.193 addr 172.16.0.193 laddr 172.16.0.38 lport 22
mar 28 14:15:17 server sshd[1929]: debug1: user git matched 'User git' at line 119
mar 28 14:15:17 server sshd[1929]: debug3: match found
mar 28 14:15:17 server sshd[1929]: debug3: reprocess config:120 setting AuthorizedKeysCommandUser git
mar 28 14:15:17 server sshd[1929]: debug3: reprocess config:121 setting AuthorizedKeysCommand /usr/bin/docker exec -i gitea /usr/local/bin/gitea keys -e git -u %u -t %t -k %k
mar 28 14:15:17 server sshd[1929]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
mar 28 14:15:17 server sshd[1929]: debug3: mm_request_send: entering, type 9
mar 28 14:15:17 server sshd[1929]: debug2: monitor_read: 8 used once, disabling now
mar 28 14:15:17 server sshd[1929]: debug2: input_userauth_request: setting up authctxt for git [preauth]
mar 28 14:15:17 server sshd[1929]: debug3: mm_start_pam entering [preauth]
mar 28 14:15:17 server sshd[1929]: debug3: mm_request_send: entering, type 100 [preauth]
mar 28 14:15:17 server sshd[1929]: debug3: mm_inform_authserv: entering [preauth]
mar 28 14:15:17 server sshd[1929]: debug3: mm_request_send: entering, type 4 [preauth]
mar 28 14:15:17 server sshd[1929]: debug2: input_userauth_request: try method none [preauth]
mar 28 14:15:17 server sshd[1929]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
mar 28 14:15:17 server sshd[1929]: debug3: ensure_minimum_time_since: elapsed 4.622ms, delaying 4.517ms (requested 9.139ms) [preauth]
mar 28 14:15:17 server sshd[1929]: debug3: mm_request_receive: entering
mar 28 14:15:17 server sshd[1929]: debug3: monitor_read: checking request 100
mar 28 14:15:17 server sshd[1929]: debug1: PAM: initializing for "git"
mar 28 14:15:17 server sshd[1929]: debug1: PAM: setting PAM_RHOST to "172.16.0.193"
mar 28 14:15:17 server sshd[1929]: debug1: PAM: setting PAM_TTY to "ssh"
mar 28 14:15:17 server sshd[1929]: debug2: monitor_read: 100 used once, disabling now
mar 28 14:15:17 server sshd[1929]: debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
mar 28 14:15:17 server sshd[1929]: debug3: send packet: type 51 [preauth]
mar 28 14:15:17 server sshd[1929]: debug3: mm_request_receive: entering
mar 28 14:15:17 server sshd[1929]: debug3: monitor_read: checking request 4
mar 28 14:15:17 server sshd[1929]: debug3: mm_answer_authserv: service=ssh-connection, style=
mar 28 14:15:17 server sshd[1929]: debug2: monitor_read: 4 used once, disabling now

Following the description of steps for the “Docker Shell with AuthorizedKeysCommand”, I would say it makes the match for user git, detects the section for AuthorizedKeysCommand but somehow gitea keys doesn’t locate the keys in its .authorized_keys file in the docker container. So it reverts to plain text auth. Given the git user has no password, there is no way to validate this login attempt.

Is there any way to troubleshoot if gitea keys is working in this scenario? Am I missing any key configuration step or option?

Thanks in advance,
César