Manage SSH keys will accept DSA keys even if opensshd is refusing them #5400

Closed
opened 2025-11-02 06:23:43 -06:00 by GiteaMirror · 11 comments
Owner

Originally created by @bjj on GitHub (May 15, 2020).

  • Gitea version (or commit ref): 1.12.0+dev-320-g4a04740da (docker image d0d4dd915d2e)
  • Git version:
  • Operating system: Docker on a Synology NAS
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

There is no warning if you click "Add Key" and add a valid DSA public key to your account when openssh will not accept it (that has been the default since 7.0). The result is the usual "Permission denied (publickey)" although if you ssh -v you see "not in PubkeyAcceptedKeyTypes".

Screenshots

Originally created by @bjj on GitHub (May 15, 2020). - Gitea version (or commit ref): 1.12.0+dev-320-g4a04740da (docker image d0d4dd915d2e) - Git version: - Operating system: Docker on a Synology NAS - Database (use `[x]`): - [x] PostgreSQL - [ ] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - [x] Not relevant - Log gist: ## Description There is no warning if you click "Add Key" and add a valid DSA public key to your account when openssh will not accept it (that has been the default since 7.0). The result is the usual "Permission denied (publickey)" although if you ssh -v you see "not in PubkeyAcceptedKeyTypes". ## Screenshots
GiteaMirror added the issue/not-a-bug label 2025-11-02 06:23:43 -06:00
Author
Owner

@CirnoT commented on GitHub (May 15, 2020):

This can be configured in config https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample#L345
Perhaps we should consider updating defaults if that is the case however?

@CirnoT commented on GitHub (May 15, 2020): This can be configured in config https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample#L345 Perhaps we should consider updating defaults if that is the case however?
Author
Owner

@bjj commented on GitHub (May 16, 2020):

The app.ini.sample says Define allowed algorithms and their minimum key length (use -1 to disable a type) but the code actually merges the config array with a default value ignoring -1:

SSH.MinimumKeySizeCheck = sec.Key("MINIMUM_KEY_SIZE_CHECK").MustBool()
minimumKeySizes := Cfg.Section("ssh.minimum_key_sizes").Keys()
for _, key := range minimumKeySizes {
	if key.MustInt() != -1 {
		SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt()
	}
}

The default value includes all key types: MinimumKeySizes: map[string]int{"ed25519": 256, "ecdsa": 256, "rsa": 2048, "dsa": 1024}, so it cannot be disabled with -1 as described.

I set it to 99999, which works, but gives this error: Can not verify your SSH key: key length is not enough: got 1024, needs 99999

@bjj commented on GitHub (May 16, 2020): The `app.ini.sample` says `Define allowed algorithms and their minimum key length (use -1 to disable a type)` but the code actually merges the config array with a default value ignoring -1: SSH.MinimumKeySizeCheck = sec.Key("MINIMUM_KEY_SIZE_CHECK").MustBool() minimumKeySizes := Cfg.Section("ssh.minimum_key_sizes").Keys() for _, key := range minimumKeySizes { if key.MustInt() != -1 { SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt() } } The default value includes all key types: `MinimumKeySizes: map[string]int{"ed25519": 256, "ecdsa": 256, "rsa": 2048, "dsa": 1024},` so it cannot be disabled with -1 as described. I set it to 99999, which works, but gives this error: `Can not verify your SSH key: key length is not enough: got 1024, needs 99999`
Author
Owner

@zeripath commented on GitHub (May 16, 2020):

The best solution would be if you can find a command which will allow us to query the running sshd server to check whether it would accept a key.

@zeripath commented on GitHub (May 16, 2020): The best solution would be if you can find a command which will allow us to query the running sshd server to check whether it would accept a key.
Author
Owner

@zeripath commented on GitHub (May 16, 2020):

@bjj that looks like (yet another bug) do you fancy putting up a PR to fix that? - FIXED

@zeripath commented on GitHub (May 16, 2020): @bjj that looks like (yet another bug) do you fancy putting up a PR to fix that? - FIXED
Author
Owner

@stale[bot] commented on GitHub (Jul 18, 2020):

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

@stale[bot] commented on GitHub (Jul 18, 2020): This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.
Author
Owner

@stale[bot] commented on GitHub (Aug 1, 2020):

This issue has been automatically closed because of inactivity. You can re-open it if needed.

@stale[bot] commented on GitHub (Aug 1, 2020): This issue has been automatically closed because of inactivity. You can re-open it if needed.
Author
Owner

@stale[bot] commented on GitHub (Oct 4, 2020):

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

@stale[bot] commented on GitHub (Oct 4, 2020): This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.
Author
Owner

@zeripath commented on GitHub (Oct 5, 2020):

Having looked at this I really don't think there is a way to get OpenSSHD to tell us if it would accept a public key or not. I would be delighted to be proven incorrect but this is therefore a configuration issue.

If your server won't accept DSA keys or any other type of key you need to configure Gitea to refuse them.

@zeripath commented on GitHub (Oct 5, 2020): Having looked at this I really don't think there is a way to get OpenSSHD to tell us if it would accept a public key or not. I would be delighted to be proven incorrect but this is therefore a configuration issue. If your server won't accept DSA keys or any other type of key you need to configure Gitea to refuse them.
Author
Owner

@bjj commented on GitHub (Oct 5, 2020):

The config is part of the docker image?! https://github.com/go-gitea/gitea/blob/master/docker/root/etc/templates/sshd_config

@bjj commented on GitHub (Oct 5, 2020): The config is part of the docker image?! https://github.com/go-gitea/gitea/blob/master/docker/root/etc/templates/sshd_config
Author
Owner

@zeripath commented on GitHub (Oct 5, 2020):

Then that's different, put a pr to change the default in the docker - the file is docker/root/etc/templates/app.ini.

The information to set this is in:

https://docs.gitea.io/en-us/config-cheat-sheet/#ssh-minimum-key-sizes-sshminimum_key_sizes

@zeripath commented on GitHub (Oct 5, 2020): Then that's different, put a pr to change the default in the docker - the file is docker/root/etc/templates/app.ini. The information to set this is in: https://docs.gitea.io/en-us/config-cheat-sheet/#ssh-minimum-key-sizes-sshminimum_key_sizes
Author
Owner

@zeripath commented on GitHub (Oct 5, 2020):

Here you go, here's the patch:

diff --git a/docker/root/etc/templates/app.ini b/docker/root/etc/templates/app.ini
index 9b23c1270..1ca15e99c 100644
--- a/docker/root/etc/templates/app.ini
+++ b/docker/root/etc/templates/app.ini
@@ -53,3 +53,6 @@ SECRET_KEY   = $SECRET_KEY
 [service]
 DISABLE_REGISTRATION = $DISABLE_REGISTRATION
 REQUIRE_SIGNIN_VIEW  = $REQUIRE_SIGNIN_VIEW
+
+[ssh.minimum_key_sizes]
+DSA=-1
@zeripath commented on GitHub (Oct 5, 2020): Here you go, here's the patch: ```patch diff --git a/docker/root/etc/templates/app.ini b/docker/root/etc/templates/app.ini index 9b23c1270..1ca15e99c 100644 --- a/docker/root/etc/templates/app.ini +++ b/docker/root/etc/templates/app.ini @@ -53,3 +53,6 @@ SECRET_KEY = $SECRET_KEY [service] DISABLE_REGISTRATION = $DISABLE_REGISTRATION REQUIRE_SIGNIN_VIEW = $REQUIRE_SIGNIN_VIEW + +[ssh.minimum_key_sizes] +DSA=-1 ```
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#5400