deploy key duplicates are messing with ssh authentication #3814

Closed
opened 2025-11-02 05:26:16 -06:00 by GiteaMirror · 3 comments

Originally created by @adrian-amaglio on GitHub (Aug 20, 2019).

  • Gitea version (or commit ref): docker gitea/gitea:1.7.1
  • Database (use [x]):
    • [x] PostgreSQL
    • [ ] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [ ] Yes (provide example URL)
    • [x] No
    • [ ] Not relevant

Description

  • I have two ssh keys for two nodes: A and B
  • I add A as a deploy key on a project P1: I can pull
  • I add B as a deploy key on a project P2: I can pull
  • I add A as a deploy key on a project P3: I can’t pull!

What is happening in the database

I can list my deploy keys in the PostgreSQL database:

  id | key_id | repo_id |       name       |                    fingerprint                     | mode | created_unix | updated_unix 
----+--------+---------+------------------+----------------------------------------------------+------+--------------+--------------
  1 |      2 |       3 | cd               | SHA256:KEY_A_FINGERPRINT                           |    1 |   1565707072 |   1565735452
  4 |      3 |       8 | B@b.net          | SHA256:KEY_B_FINGERPRINT                           |    2 |   1566288768 |   1566289144
  6 |      5 |       8 | ansible@somehost | SHA256:KEY_A_FINGERPRINT                           |    2 |   1566289506 |   1566289506

We can see that key A was used in two different repos with different names.

What is happening in gitea

Now let's check the logs in the gitea container:

Aug 20 08:29:21 sshd[76]: Accepted publickey for git from <some-ip> port 47246 ssh2: RSA SHA256:KEY_A_FINGERPRINT
[Macaron] 2019-08-20 08:29:22: Started GET /api/internal/repo/adrian/dns for 127.0.0.1
[Macaron] 2019-08-20 08:29:22: Completed GET /api/internal/repo/adrian/dns 200 OK in 4.595033ms
[Macaron] 2019-08-20 08:29:22: Started GET /api/internal/ssh/2 for 127.0.0.1
[Macaron] 2019-08-20 08:29:22: Completed GET /api/internal/ssh/2 200 OK in 2.215019ms
[Macaron] 2019-08-20 08:29:22: Started GET /api/internal/repositories/8/has-keys/2 for 127.0.0.1
[Macaron] 2019-08-20 08:29:22: Completed GET /api/internal/repositories/8/has-keys/2 404 Not Found in 1.535969ms
Aug 20 08:29:22 sshd[78]: Received disconnect from <some-ip> port 47246:11: disconnected by user
Aug 20 08:29:22 sshd[78]: Disconnected from user git <some-ip> port 47246

So gitea is trying to authenticate me with the key id 2, which is the good key, but for my project /adrian/dns (id 8) its id is 5!
And this is why I can’t pull…

Reproducibility

I tried to create two repositories and add the same key twice on https://try.gitea.io/test_adrian but it worked fine.
I don’t know what information is missing to reproduce the bug…
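
An added example, not part of the original report and not Gitea's own code: the Python sketch below correlates the `has-keys` 404 from the log above with the deploy key rows from the listing, and reports the key id under which the same fingerprint is registered on the denied repository. The tuple layout and the function names `duplicate_fingerprints` and `explain_denials` are assumptions made for illustration; the rows and log lines are copied from the report.

```python
import re
from collections import defaultdict

# Rows from the deploy key listing in the report:
# (id, key_id, repo_id, name, fingerprint). Tuple layout is an assumption.
DEPLOY_KEYS = [
    (1, 2, 3, "cd", "SHA256:KEY_A_FINGERPRINT"),
    (4, 3, 8, "B@b.net", "SHA256:KEY_B_FINGERPRINT"),
    (6, 5, 8, "ansible@somehost", "SHA256:KEY_A_FINGERPRINT"),
]

# Router log lines from the report.
LOG = """\
[Macaron] 2019-08-20 08:29:22: Completed GET /api/internal/ssh/2 200 OK in 2.215019ms
[Macaron] 2019-08-20 08:29:22: Completed GET /api/internal/repositories/8/has-keys/2 404 Not Found in 1.535969ms
"""

HAS_KEYS_404 = re.compile(
    r"Completed GET /api/internal/repositories/(\d+)/has-keys/(\d+) 404\b")


def duplicate_fingerprints(rows):
    """Return fingerprints that are stored under more than one key_id."""
    key_ids = defaultdict(set)
    for _id, key_id, _repo, _name, fp in rows:
        key_ids[fp].add(key_id)
    return {fp: sorted(ids) for fp, ids in key_ids.items() if len(ids) > 1}


def explain_denials(log_text, rows):
    """For each has-keys 404, report the key_id that holds the same
    fingerprint on the denied repository (the mismatch in the report)."""
    fp_by_key = {key_id: fp for _id, key_id, _repo, _name, fp in rows}
    findings = []
    for m in HAS_KEYS_404.finditer(log_text):
        repo_id, checked = int(m.group(1)), int(m.group(2))
        fp = fp_by_key.get(checked)
        if fp is None:
            continue  # key id absent from the listing: a different problem
        registered = sorted(k for _i, k, r, _n, f in rows
                            if r == repo_id and f == fp and k != checked)
        if registered:  # same key material, different id on this repo
            findings.append({"repo_id": repo_id, "checked_key_id": checked,
                             "fingerprint": fp, "registered_key_ids": registered})
    return findings


if __name__ == "__main__":
    print(duplicate_fingerprints(DEPLOY_KEYS))
    print(explain_denials(LOG, DEPLOY_KEYS))
```

A 404 on `has-keys` with no finding from `explain_denials` means the key is simply not registered on that repository, which is a normal denial rather than the duplicate-id mismatch shown here.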


@zeripath commented on GitHub (Aug 20, 2019):

This was fixed in 1.8+ by #5939 and 1.7.2+ by #5966


@zeripath commented on GitHub (Aug 20, 2019):

Please upgrade from 1.7.1; there are multiple security issues in such an old Gitea.


@adrian-amaglio commented on GitHub (Aug 20, 2019):

Thanks! Sorry for the inconvenience.

Reference: github-starred/gitea#3814