Build-in ssh is missing: no logs when enabled, always gives permission denied #6495

Closed
opened 2025-11-02 06:57:43 -06:00 by GiteaMirror · 6 comments

Originally created by @FredFoo on GitHub (Dec 10, 2020).

  • Gitea version (or commit ref): 1.13.0, upgrading from 1.9.3
  • Git version: 191
  • Operating system: Ubuntu 16.04
  • Database (use [x]):
    • PostgreSQL
    • [ x] MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • [x ] No
  • Log gist:

Description

The problem: Connection to built-in ssh always ends with permission denied (publickey) and no way to debug.

I am upgrading from 1.9.3 to the latest release. I had the built-in ssh working just fine, trace logs would show stuff about the server starting and the connections coming in.

I upgraded to 1.13.0 and it stopped working. Now I always get permission denied and not a single line of log, even on run mode dev and level trace. I tried the latest 1.12 and ran into the same problem. I did apply all the database migrations. If I go back to 1.9 and the database backup all is fine again.

I also tried the docker container and updated it to have the built-in ssh instead of opensshd - same problem.

Any ideas?
...

Screenshots

GiteaMirror added the type/question label 2025-11-02 06:57:43 -06:00

@zeripath commented on GitHub (Dec 10, 2020):

Is your BUILTIN_SSH_SERVER_USER set correctly?


@FredFoo commented on GitHub (Dec 10, 2020):

I do guess so :) But I just set it to the same value as RUN_USER - the user I do want for this - and it changes nothing. Still no log entries even on trace level.


@zeripath commented on GitHub (Dec 11, 2020):

From 1.10 (#7250) all ssh paths have to be:

$BUILTIN_SSH_SERVER_USER@$DOMAIN

Are you certain that you have that?

Have you checked with ssh -vvv that you're offering the correct key to gitea?

Have you ensured that the key you want to offer is one that is allowed by gitea's minimum key sizes?
https://docs.gitea.io/en-us/config-cheat-sheet/#ssh-minimum-key-sizes-sshminimum_key_sizes


@FredFoo commented on GitHub (Dec 11, 2020):

I might have figured this out on my own. In 1.9.3 I was able to connect with my own username and the keypair of which I added the public key to my own user account.

In 1.13.0 it only seems to work if instead of my own username I use the name of the server user, i.e. "git" and the keypair of which I added the public key to my own user account.

I at least can open a connection, have yet to try if the functionality is as expected.

I did not find any documentation about this. Is this change intended? Or is this configurable?


@FredFoo commented on GitHub (Dec 11, 2020):

Anyways, seems there is not that much information about BUILTIN_SSH_SERVER_USER in the docs. And the change that you have to use the user defined with this variable to connect, not your own username anymore. Hope this helps should anyone stumble over it.

Beats me why there is no simple log message here. Something like log.warn("Invalid ssh username %s - use %s for all git operations via ssh", requestuser, setting.SSH.BuiltinServerUser). Would have helped me big time :)


@zeripath commented on GitHub (Dec 11, 2020):

> Anyways, seems there is not that much information about BUILTIN_SSH_SERVER_USER in the docs. And the change that you have to use the user defined with this variable to connect, not your own username anymore. Hope this helps should anyone stumble over it.

This change was made almost a year and a half ago in 1.10, as I said:

> From 1.10 all ssh paths have to be:
>
> $BUILTIN_SSH_SERVER_USER@$DOMAIN

I do recall mentioning the issue around the time of merging #7250 and suggested we gave (yet another) configuration option to allow the old behaviour but it was determined to be unnecessary. There has almost certainly been another issue report about it.

> Beats me why there is no simple log message here. Something like log.warn("Invalid ssh username %s - use %s for all git operations via ssh", requestuser, setting.SSH.BuiltinServerUser). Would have helped me big time :)

PRs are welcome.
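
An added example, not part of the thread and not Gitea's own code: a stand-alone Go check that flags git remotes still logging in with a personal username instead of BUILTIN_SSH_SERVER_USER, rewrites them, and emits the warning text suggested above. The value "git", the host names and the function names are assumptions for illustration; %q is used because the login name is chosen by the connecting client.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// builtinUser stands in for BUILTIN_SSH_SERVER_USER; "git" is an assumed value.
const builtinUser = "git"

// splitRemote breaks an SSH remote into scheme prefix, login user and remainder.
// It accepts ssh://user@host:port/path and the scp-like user@host:path form.
func splitRemote(remote string) (prefix, user, rest string, err error) {
	if strings.HasPrefix(remote, "ssh://") {
		u, perr := url.Parse(remote)
		if perr != nil {
			return "", "", "", perr
		}
		user = u.User.Username() // nil-safe: empty when no user is given
		u.User = nil
		return "ssh://", user, strings.TrimPrefix(u.String(), "ssh://"), nil
	}
	at, colon := strings.Index(remote, "@"), strings.Index(remote, ":")
	if colon < 0 {
		return "", "", "", fmt.Errorf("not an ssh remote: %q", remote)
	}
	if at < 0 || at > colon {
		return "", "", remote, nil // no explicit user in the remote
	}
	return "", remote[:at], remote[at+1:], nil
}

// CheckRemote returns the remote rewritten to log in as builtinUser and, when
// the original used another name, a warning in the wording proposed above.
func CheckRemote(remote string) (fixed, warning string, err error) {
	prefix, user, rest, err := splitRemote(remote)
	if err != nil || user == builtinUser {
		return remote, "", err
	}
	// %q quotes the client-chosen name so control characters cannot forge log lines.
	warning = fmt.Sprintf("Invalid ssh username %q - use %q for all git operations via ssh", user, builtinUser)
	return prefix + builtinUser + "@" + rest, warning, nil
}

func main() {
	fmt.Println(CheckRemote("fred@git.example.com:owner/repo.git")) // constructed sample remote
}
```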
Reference: github-starred/gitea#6495