Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#2457 closed task (fixed)

enable ssh git on gitea

Reported by: robe Owned by: strk
Priority: normal Milestone: Sysadmin Contract 2020-II
Component: SysAdmin/Gitea Keywords:
Cc:

Description

Some folks would prefer using ssh for git and their ssh key. This is something github offers and something gitea offers as well. We have it disabled on gitea though..

I'd like to enable it using gitea's internal ssh server.

Change History (17)

comment:1 by robe, 4 years ago

I've enabled it on gitea dev instance. Steps I did to enable it

in the /home/git/gitea/custom/app.ini

I changed the following lines

[server]
DISABLE_SSH = false
SSH_PORT = 3002
START_SSH_SERVER = true #this one I had to add
SSH_DOMAIN = dev.git.osgeo.org

then do

service gitea restart

On osgeo4 host whitelisted that port and added tracsvn-dev as proxy

ufw allow 3002 comment "tracsvn gitea ssh"
lxc config device add tracsvn-dev proxyportgiteassh proxy listen=tcp:140.211.15.32:3002 connect=tcp:127.0.0.1:3002 bind=host

Then to test I logged into https://dev.gitea.osgeo.org/gitea - went to settings and added my ssh public key to my profile

Then from my local computer did below and also did a test commit

git clone ssh://git@dev.git.osgeo.org:3002/postgis/postgis.git postgis-dev

I went back to https://dev.gitea.osgeo.org/gitea and it showed on my profile next to my public key "Last used on May 09, 2020"

To change an existing dev repo I had I did this

git remote set-url origin ssh://git@dev.git.osgeo.org:3002/postgis/postgis.git

comment:2 by strk, 4 years ago

I don't like the custom port. Would be nice to be able to craft something with the host's SSH server. I suspect it's possible without too much hassle.

Also please see ticket #2116 for a way to use LDAP for ssh keys as well (Gitea does support that): https://github.com/go-gitea/gitea/pull/1844

comment:3 by strk, 3 years ago

Now that SSH keys can be stored in LDAP (#2116) we should enable Gitea syncing of those keys from LDAP.

See https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample#L874 for instructions

comment:4 by strk, 3 years ago

Component: Systems AdminGitea
Owner: changed from sac@… to strk

comment:5 by strk, 3 years ago

Regina: I see that the app.ini for gitea was changed (JWT_SECRET) but the change was not committed to the git repository. Was the change yours ?

comment:6 by strk, 3 years ago

Milestone: UnplannedSysadmin Contract 2020-II

I'm working on this. We will use the existing ssh server, so there's no need to find another free TCP port. And we'll fetch ssh keys from LDAP.

comment:7 by strk, 3 years ago

We need an IP to proxy to tracsvn which is different from the IP we proxy to download. At this moment download and tracsvn have the same IP (ending with 30). I dunno where the 32 address came from, in your experiments, Regina. Did you change the DNS record to assign 32 to git.osgeo.org when doing that experimentation ?

For the record: once we enable ssh we might want to change the settings page template to forbid adding/removing ssh key from gitea interface (and rather redirect to the LDAP page for that). See https://github.com/go-gitea/gitea/issues/13983

comment:8 by strk, 3 years ago

There's also a problem with multiple SSH keys: https://github.com/go-gitea/gitea/issues/13984

comment:9 by strk, 3 years ago

For the IP, I think it's ok to use the ldap.osgeo.org IP for tracsvn, as suggested in https://trac.osgeo.org/osgeo/ticket/2116#comment:9

comment:10 by strk, 3 years ago

The SSH keys problem requires reviewing the way keys are stored in LDAP (#2542)

comment:11 by strk, 3 years ago

LDAP ssh keys storage was fixed. Support for multiple SSH keys from LDAP was added in Gitea, so we'll need to upgrade it as soon as a new release including that change is published. Failing that we'll only be able to use a single ssh key, which we don't want.

Other things to do about this ticket would be providing custom templates to avoid being able to _delete_ ssh keys from Gitea, and make the "Add" button redirect you to LDAP account editing (to work around https://github.com/go-gitea/gitea/issues/13983)

comment:13 by strk, 3 years ago

Preparation of nginx for the IP switch of git.osgeo.org is proposed here: https://git.osgeo.org/gitea/sac/ansible-deployment/pulls/2

comment:14 by strk, 3 years ago

IP reorganization is proposed in #2549

comment:15 by strk, 3 years ago

IP assignment is done. Next I'd like to test the ssh key enabling in staging. I've enabled SSH with external server (openssh) on dev.git.osgeo.org, but port 22 is already listened on 140.211.15.32 for the "hop" container so it's again configured to use 3002 as the external port. For some reason though I cannot connect to that port from the outside (I get a timeout). It works from osgeo4:

tech_dev@osgeo4:~$ nc -vz 140.211.15.32 3002
Connection to 140.211.15.32 3002 port [tcp/*] succeeded!

it hangs from osgeo7:

tech_dev@osgeo7:~$ nc -vz 140.211.15.32 3002
nc: connect to 140.211.15.32 port 3002 (tcp) failed: Connection timed out

Any idea why ?

comment:16 by strk, 3 years ago

Resolution: fixed
Status: newclosed

Nevermind, I went directly to production and it works fine. https://git.osgeo.org/gitea/sac/gitea-config/commit/2995685682eb15369c81fb9449285a7c2cd9fb2e was pushed using ssh, with keys fetched from LDAP and default SSH port \o/

Note: See TracTickets for help on using tickets.