#2457 closed task (fixed)
enable ssh git on gitea
| Reported by: | robe | Owned by: | strk |
|---|---|---|---|
| Priority: | normal | Milestone: | Sysadmin Contract 2020-II |
| Component: | SysAdmin/Gitea | Keywords: | |
| Cc: |
Description
Some folks would prefer using ssh for git and their ssh key. This is something github offers and something gitea offers as well. We have it disabled on gitea though..
I'd like to enable it using gitea's internal ssh server.
Change History (17)
comment:1 by , 4 years ago
comment:2 by , 4 years ago
I don't like the custom port. Would be nice to be able to craft something with the host's SSH server. I suspect it's possible without too much hassle.
Also please see ticket #2116 for a way to use LDAP for ssh keys as well (Gitea does support that): https://github.com/go-gitea/gitea/pull/1844
comment:3 by , 4 years ago
Now that SSH keys can be stored in LDAP (#2116) we should enable Gitea syncing of those keys from LDAP.
See https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample#L874 for instructions
comment:4 by , 4 years ago
| Component: | Systems Admin → Gitea |
|---|---|
| Owner: | changed from to |
comment:5 by , 3 years ago
Regina: I see that the app.ini for gitea was changed (JWT_SECRET) but the change was not committed to the git repository. Was the change yours ?
comment:6 by , 3 years ago
| Milestone: | Unplanned → Sysadmin Contract 2020-II |
|---|
I'm working on this. We will use the existing ssh server, so there's no need to find another free TCP port. And we'll fetch ssh keys from LDAP.
comment:7 by , 3 years ago
We need an IP to proxy to tracsvn which is different from the IP we proxy to download. At this moment download and tracsvn have the same IP (ending with 30). I dunno where the 32 address came from, in your experiments, Regina. Did you change the DNS record to assign 32 to git.osgeo.org when doing that experimentation ?
For the record: once we enable ssh we might want to change the settings page template to forbid adding/removing ssh key from gitea interface (and rather redirect to the LDAP page for that). See https://github.com/go-gitea/gitea/issues/13983
comment:8 by , 3 years ago
There's also a problem with multiple SSH keys: https://github.com/go-gitea/gitea/issues/13984
comment:9 by , 3 years ago
For the IP, I think it's ok to use the ldap.osgeo.org IP for tracsvn, as suggested in https://trac.osgeo.org/osgeo/ticket/2116#comment:9
comment:10 by , 3 years ago
The SSH keys problem requires reviewing the way keys are stored in LDAP (#2542)
comment:11 by , 3 years ago
LDAP ssh keys storage was fixed. Support for multiple SSH keys from LDAP was added in Gitea, so we'll need to upgrade it as soon as a new release including that change is published. Failing that we'll only be able to use a single ssh key, which we don't want.
Other things to do about this ticket would be providing custom templates to avoid being able to _delete_ ssh keys from Gitea, and make the "Add" button redirect you to LDAP account editing (to work around https://github.com/go-gitea/gitea/issues/13983)
comment:12 by , 3 years ago
Templating work done with https://git.osgeo.org/gitea/sac/gitea-config/commit/36d5d4c7a14763906b052ab472486816f01850c7
comment:13 by , 3 years ago
Preparation of nginx for the IP switch of git.osgeo.org is proposed here: https://git.osgeo.org/gitea/sac/ansible-deployment/pulls/2
comment:15 by , 3 years ago
IP assignment is done. Next I'd like to test the ssh key enabling in staging. I've enabled SSH with external server (openssh) on dev.git.osgeo.org, but port 22 is already listened on 140.211.15.32 for the "hop" container so it's again configured to use 3002 as the external port. For some reason though I cannot connect to that port from the outside (I get a timeout). It works from osgeo4:
tech_dev@osgeo4:~$ nc -vz 140.211.15.32 3002 Connection to 140.211.15.32 3002 port [tcp/*] succeeded!
it hangs from osgeo7:
tech_dev@osgeo7:~$ nc -vz 140.211.15.32 3002 nc: connect to 140.211.15.32 port 3002 (tcp) failed: Connection timed out
Any idea why ?
comment:16 by , 3 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Nevermind, I went directly to production and it works fine. https://git.osgeo.org/gitea/sac/gitea-config/commit/2995685682eb15369c81fb9449285a7c2cd9fb2e was pushed using ssh, with keys fetched from LDAP and default SSH port \o/
comment:17 by , 3 years ago
For the record: https://git.osgeo.org/gitea/sac/ansible-deployment/commit/0f9b923d164db527f903035635ea22b236b95916 added the ssh proxy port
I've enabled it on gitea dev instance. Steps I did to enable it
in the /home/git/gitea/custom/app.ini
I changed the following lines
then do
On osgeo4 host whitelisted that port and added tracsvn-dev as proxy
Then to test I logged into https://dev.gitea.osgeo.org/gitea - went to settings and added my ssh public key to my profile
Then from my local computer did below and also did a test commit
I went back to https://dev.gitea.osgeo.org/gitea and it showed on my profile next to my public key "Last used on May 09, 2020"
To change an existing dev repo I had I did this