Gitea: Impossible to pull / push via ssh gitea

Check your publickey permission or .ssh permission settings.

Проверьте свое publickeyразрешение или .sshнастройки разрешения.

rights to the .ssh 700 folder and to author_keys 600

if I enter the password my Gitea account, then all the same nothing works, although the password is correct.

Would you add below setting at section [server] of app.ini
START_SSH_SERVER = true

After apply above setting, restart gitea service, and try again in below command in git bash
git clone ssh://[email protected]_domain.ru:22/vlad.bitrix/layout.git

Ok, I'm assuming you have actually got openssh or some external (to gitea) SSH server running. You won't be able to run the internal SSH server on port 22 unless you have specifically allowed gitea to open that port as it's under 1000. If you want to use the internal SSH server you need to set the port to something higher like 2222.

Now, assuming you're using openssh externally, where is the gitea user's home directory? You imply that it's /usr/local/gitea/gitea is that actually correct? Check /etc/passwd.

Is it possible to actually login as the gitea user? What is the shell at the end of the gitea line in /etc/passwd? If it's /bin/false or /usr/sbin/nologin that's your problem. You need to have gitea have a normal shell, the .ssh/authorized_keys will take care of ensuring only reasonable users get logged in and get a restricted shell.

Gitea needs to own the .ssh directory and the repositories. Make sure it does. Make sure you're actually running gitea under the gitea user.

Hope this helps.

I stumbled across the same problem and for me this worked:

After installing gitea on the Synology, the user gitea will be added. The home directory of the gitea user is /var/packages/Gitea/target/gitea , but in /etc/passwd it is /var/packages/Gitea/target. If you change this to the correct folder, everything works flawlessly.

Best regards,
Aljoscha

@ghost does this solve your issue?

@zeripath that account has been deleted I think.

D'oh.

Ok, so in terms of resolving this issue - do we think there's anything Gitea can do here?

I mean it's extremely odd that there's a system out there with a different $HOME than the one in /etc/passed. Perhaps it just needs a documentation PR?

@AljoLe would you be able to send a documentation PR? Perhaps based in the troubleshooting section (I hope one exists)

@lunny otherwise I think we close this issue.

@zeripath I never did a PR before, but there's a first time for anything, right?
The $HOME of all other users on the synology system are in /var/services/homes/, only the gitea´s $HOME is in /var/packages/Gitea/target/gitea.
This is a specialty of the Synology system, so I think a hint in the docs would be nice and enough.

I have the same setup as the deleted ghost users has and I encountered exactly the same problem. (I also followed the same installation process.) The SSH server denies my permission when authenticating by pubkey (and then prompts a password). The verbose SSH output is analogous. Unfortunately the actions described by @alsmnn did not solve the problem. Everything works fine except the pubkey authenticated SSH-login with the user gitea. Note that I can SSH into my NAS on every other user.

Like @alsmnn mentioned, the user directory for gitea is in /var/packages/Gitea/target/gitea. Here is what I have done so far:

• I ran Update the '.ssh/authorized_keys' file with Gitea SSH keys. (Not needed for the built-in SSH server.) and Resynchronize pre-receive, update and post-receive hooks of all repositories..
• I checked the file permissions in /var/packages/Gitea/target/gitea. The folder .ssh is owned by gitea (group is also gitea) with permissions 700. The file authorized_keys is owned by gitea (group is also gitea) with permissions 600.
• I appended /gitea to the gitea home path in /etc/passwd.
• I changed the shell in /etc/passwd from /sbin/nologin to bin/sh.
• I checked whether PubkeyAuthentication is enabled in /etc/sshd_config.
  But the server still rejects a SSH connection with gitea as above.

My guess is that this is some SSH server setup issue. Somehow SSH does not find the authorized_keys for the user gitea. But I have no idea what measures I can try next. Any help is appreciated :)

EDIT 1
A tip from here mentioned changing the permissions of the home directory to 744. Now the SSH server actually accepts the authentication but I still get permission denied. So it is some sort of file/folder permission problem.

The log output:

user@pc:~$ ssh -v -T -l gitea -p 5022 my.domain.com
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 7: Applying options for my.domain.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to my.domain.com [xxx.xxx.xxx.xxx] port 5022.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_file type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_file-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to my.domain.com:5022 as 'gitea'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ftvSb5conKTG7Ba2ZUpCcEqnlN8o7dGWxZJ6KYZ4klY
debug1: Host '[my.domain.com]:5022' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:OXUhb...ZA8Ic /home/user/.ssh/id_file
debug1: Server accepts key: pkalg ssh-rsa blen 279
Enter passphrase for key '/home/user/.ssh/id_file': 
debug1: Authentication succeeded (publickey).
Authenticated to my.domain.com ([xxx.xxx.xxx.xxx]:5022).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: PTY allocation disabled.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: PTY allocation disabled.
debug1: Sending environment.
debug1: Sending env LC_MEASUREMENT = de_DE.UTF-8
debug1: Sending env LC_PAPER = de_DE.UTF-8
debug1: Sending env LC_MONETARY = de_DE.UTF-8
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env LC_NAME = de_DE.UTF-8
debug1: Sending env LC_ADDRESS = de_DE.UTF-8
debug1: Sending env LC_NUMERIC = de_DE.UTF-8
debug1: Sending env LC_TELEPHONE = de_DE.UTF-8
debug1: Sending env LC_IDENTIFICATION = de_DE.UTF-8
debug1: Sending env LC_TIME = de_DE.UTF-8
Permission denied, please try again.
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3188, received 3464 bytes, in 0.2 seconds
Bytes per second: sent 16461.1, received 17886.2
debug1: Exit status 1

EDIT 2
I solved the problem. During trying things out and restarting the SSH server with the DSM of my NAS, I stumbled over the information that SSH logins are only supported from users belonging to the administrators group. (Apparently this is a security feature of Synology.) I appended gitea to the administrators group in /etc/group and it worked.

I hope this helps other users running a gitea server on their Synology NAS.