Skip to content

Manage SSH keys will accept DSA keys even if opensshd is refusing them #11417

New issue
New issue
Closed
#13056
Closed
Manage SSH keys will accept DSA keys even if opensshd is refusing them#11417
#13056
Labels
issue/not-a-bugThe reported issue is the intended behavior or the problem is not inside Gitea
@bjj

Description

@bjj
bjj
opened on May 15, 2020
  • Gitea version (or commit ref): 1.12.0+dev-320-g4a04740da (docker image d0d4dd915d2e)
  • Git version:
  • Operating system: Docker on a Synology NAS
  • Database (use [x]):
    • PostgreSQL
      MySQL
      MSSQL
      SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
      No
      Not relevant
  • Log gist:

Description

There is no warning if you click "Add Key" and add a valid DSA public key to your account when openssh will not accept it (that has been the default since 7.0). The result is the usual "Permission denied (publickey)" although if you ssh -v you see "not in PubkeyAcceptedKeyTypes".

Screenshots

Activity

CirnoT

CirnoT commented on May 15, 2020

@CirnoT
CirnoT
on May 15, 2020
Contributor

This can be configured in config https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample#L345
Perhaps we should consider updating defaults if that is the case however?

bjj

bjj commented on May 16, 2020

@bjj
bjj
on May 16, 2020 · Hidden as resolved
Author
zeripath

zeripath commented on May 16, 2020

@zeripath
zeripath
on May 16, 2020
Contributor

The best solution would be if you can find a command which will allow us to query the running sshd server to check whether it would accept a key.

zeripath

zeripath commented on May 16, 2020

@zeripath
zeripath
on May 16, 2020 · Hidden as resolved
CirnoT
mentioned this on May 26, 2020
kolaente
mentioned this on Jun 19, 2020
stale

stale commented on Jul 18, 2020

@stale
stalebot
on Jul 18, 2020

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

stale
added
issue/stale
on Jul 18, 2020
stale

stale commented on Aug 1, 2020

@stale
stalebot
on Aug 1, 2020

This issue has been automatically closed because of inactivity. You can re-open it if needed.

stale
closed this as completedon Aug 1, 2020
zeripath
reopened this on Aug 1, 2020
stale
removed
issue/stale
on Aug 1, 2020
stale

stale commented on Oct 4, 2020

@stale
stalebot
on Oct 4, 2020

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

stale
added
issue/stale
and removed
issue/stale
on Oct 4, 2020
zeripath

zeripath commented on Oct 5, 2020

@zeripath
zeripath
on Oct 5, 2020
Contributor

Having looked at this I really don't think there is a way to get OpenSSHD to tell us if it would accept a public key or not. I would be delighted to be proven incorrect but this is therefore a configuration issue.

If your server won't accept DSA keys or any other type of key you need to configure Gitea to refuse them.

zeripath
closed this as completedon Oct 5, 2020
zeripath
added
reviewed/invalid
on Oct 5, 2020
bjj

bjj commented on Oct 5, 2020

@bjj
bjj
on Oct 5, 2020
Author

The config is part of the docker image?! https://github.com/go-gitea/gitea/blob/master/docker/root/etc/templates/sshd_config

zeripath

zeripath commented on Oct 5, 2020

@zeripath
zeripath
on Oct 5, 2020
Contributor

Then that's different, put a pr to change the default in the docker - the file is docker/root/etc/templates/app.ini.

The information to set this is in:

https://docs.gitea.io/en-us/config-cheat-sheet/#ssh-minimum-key-sizes-sshminimum_key_sizes

zeripath

zeripath commented on Oct 5, 2020

@zeripath
zeripath
on Oct 5, 2020 · edited by zeripath
Contributor

Here you go, here's the patch:

diff --git a/docker/root/etc/templates/app.ini b/docker/root/etc/templates/app.ini
index 9b23c1270..1ca15e99c 100644
--- a/docker/root/etc/templates/app.ini
+++ b/docker/root/etc/templates/app.ini
@@ -53,3 +53,6 @@ SECRET_KEY   = $SECRET_KEY
 [service]
 DISABLE_REGISTRATION = $DISABLE_REGISTRATION
 REQUIRE_SIGNIN_VIEW  = $REQUIRE_SIGNIN_VIEW
+
+[ssh.minimum_key_sizes]
+DSA=-1
zeripath
added a commit that references this issue on Oct 6, 2020

Disable DSA ssh keys by default

b8e3cfa
zeripath
mentioned this on Oct 6, 2020
lafriks
added a commit that references this issue on Oct 9, 2020

Disable DSA ssh keys by default (#13056)

ea69ec6
go-gitea
locked and limited conversation to collaborators on Nov 24, 2020
delvh
added
issue/not-a-bugThe reported issue is the intended behavior or the problem is not inside Gitea
and removed
reviewed/invalid
on Oct 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    issue/not-a-bugThe reported issue is the intended behavior or the problem is not inside Gitea

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @bjj@CirnoT@zeripath@delvh

      Issue actions
        Manage SSH keys will accept DSA keys even if opensshd is refusing them · Issue #11417 · go-gitea/gitea