SSH key not being accepted by ssh server on remote linux machine #12528

Closed
opened 2025-11-02 10:12:53 -06:00 by GiteaMirror · 2 comments
Originally created by @bemmesr on GitHub (Feb 24, 2024).

Description

/etc/gitea/app.ini

```
APP_NAME = [app name]
RUN_USER = gitea
WORK_PATH = /var/lib/gitea
RUN_MODE = prod

[database]
DB_TYPE = mysql
HOST = 127.0.0.1:3306
NAME = giteadb
USER = gitea
PASSWD = [password]
SCHEMA =
SSL_MODE = disable
PATH = /var/lib/gitea/data/gitea.db
LOG_SQL = false

[repository]
ROOT = /var/lib/gitea/data/gitea-repositories

[server]
SSH_DOMAIN = [my domain]
DOMAIN = [my domain]
HTTP_PORT = 3000
ROOT_URL = http://[my domain]:3000/
APP_DATA_PATH = /var/lib/gitea/data
DISABLE_SSH = false
SSH_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = [secret]
OFFLINE_MODE = false

[lfs]
PATH = /var/lib/gitea/data/lfs
...
```

Context

I have gitea installed and running on a personal remote work station. This is a debian linux machine which I have remote SSH access to, and I use it for many personal projects. On this machine, I have SSH access set up to accept only publickeys and nothing else. On my personal Windows computer, I have an SSH RSA private and public key pair which allows me to access my linux server without problems.

I recently downloaded and installed gitea on my remote work station and configured it. The web page successfully loads when I connect to [my domain]:3000 through my browser. I have been able to create organizations, repositories, and new users. Myself and other users are able to clone repositories using http.

Problem

I set up an SSH key through gitea, and gave gitea the same public key I usually use to connect to my remote work station. I was able to verify the key as suggested by the web interface. The problem arises when I attempt to clone a repository using the SSH url:

```
git clone gitea@[my domain]:[organization]/[repository].git
Cloning into '[repository]' ...
gitea@[my domain]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists.
```

Trying to connect just with `ssh -vT gitea@[my domain]`: https://gist.github.com/bemmesr/cd17214d875c27f1e4a3fc096f0d8214

Interestingly, I'm actually able to clone the repo directly by using my personal user account from Windows: `git clone [User]@[my domain]:/var/lib/gitea/data/gitea-repositories/[organization]/[repository].git`

This works fine, but trying to do the same with gitea@[my domain]... doesn't work (of course, because I can't even SSH into the server with that user). This made me think there must be something wrong with the .ssh directory for that user, but I couldn't find anything wrong. In fact, within `/home/gitea/.ssh/authorized_keys` my public key from before seems to be correctly recorded, along with these commands: `command="/usr/local/bin/gitea --config=/etc/gitea/app.ini serv key-4",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict`.

What I've Tried

  • Setting DISABLE_SSH = true
  • Setting LFS_START_SERVER = false
  • Creating a new key pair on my Windows machine and using that instead (same problem)
  • Using a different key pair this time from my remote workstation and trying to clone from there instead of my Windows computer in case it's a firewall problem (Didn't work)
  • Adding an ecdsa key through gitea instead and tried to clone with that, didn't work.

Conclusion

I'm not sure that this is a bug, and have the nagging feeling that it's probably something stupid I've done, but nevertheless if you would help me resolve this problem I would be extremely grateful.

Gitea Version

1.21.6

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/bemmesr/cd17214d875c27f1e4a3fc096f0d8214

Screenshots

No response

Git Version

2.39.2

Operating System

Debian Linux 12

How are you running Gitea?

I downloaded the pre-built binary for gitea, and am running it as a systemd service. I'm hosting this on a remote linux server without docker or any other container, with fail2ban installed and with only a jail for sshd (if too many failed connections, the IP is blocked).

Database

MySQL/MariaDB
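
Added example, not part of the original issue and not Gitea's own code: when sshd answers `Permission denied (publickey)` for the account that owns Gitea's `authorized_keys`, the server-side files sshd inspects can be audited directly. The function below checks the StrictModes conditions on the home directory, `.ssh` and `authorized_keys`, and that every key line is pinned to a `gitea ... serv key-N` forced command like the one quoted above. It assumes GNU `stat`; the function name, arguments and finding labels are hypothetical.

```bash
# Added example (not from the issue or the Gitea project).
# audit_gitea_ssh HOME USER: prints one line per finding and returns the
# number of findings. Defaults mirror the paths quoted in the issue.
# Assumes GNU stat (Debian); function name and labels are hypothetical.
audit_gitea_ssh() {
    home="${1:-/home/gitea}"; user="${2:-gitea}"; findings=0
    ak="$home/.ssh/authorized_keys"

    # sshd StrictModes: the home directory, ~/.ssh and authorized_keys must
    # be owned by the user (or root) and not be group- or world-writable.
    for p in "$home" "$home/.ssh" "$ak"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; findings=$((findings + 1)); continue
        fi
        owner=$(stat -c '%U' "$p"); mode=$(stat -c '%a' "$p")
        if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
            echo "OWNER $p belongs to $owner, expected $user"
            findings=$((findings + 1))
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "MODE $p is $mode (group- or world-writable)"
            findings=$((findings + 1))
        fi
    done

    # Each key Gitea manages is pinned to a forced command ("... serv key-N").
    # A key line without it is not restricted to Gitea's serv command.
    if [ -f "$ak" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*) ;;                          # blank line or comment
                'command="'*' serv key-'*'"'*) ;;    # pinned, as in the issue
                *) echo "UNPINNED $(printf '%s' "$line" | cut -c1-40)..."
                   findings=$((findings + 1)) ;;
            esac
        done < "$ak"
    fi
    return "$findings"
}
```

Run it as root on the server, for example `audit_gitea_ssh /home/gitea gitea`; sshd records its own reason for refusing a key in the server's auth log, which the client's `ssh -v` output does not show.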

GiteaMirror added the issue/not-a-bug label 2025-11-02 10:12:53 -06:00

@Toakan commented on GitHub (Feb 24, 2024):

Try using git@[domain], rather than gitea / local user name.


@bemmesr commented on GitHub (Mar 2, 2024):

This was not an issue with gitea.


Reference: github-starred/gitea#12528