why does gitea add ssh and still need a password to log in?

Question

1. I installed gitea (similar to gitlab)
2. I added a valid public key in user settings -> SSH KEY
3. gitea port 3000

run:

ssh -p 22  -Tvv  git@***.***.***.***  

out:

debug1: Found key in C:\\Users\\client/.ssh/known_hosts:17
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug2: key: C:\\Users\\client/.ssh/id_rsa (000001FBAD96F620)
debug2: key: C:\\Users\\client/.ssh/id_dsa (0000000000000000)
debug2: key: C:\\Users\\client/.ssh/id_ecdsa (0000000000000000)
debug2: key: C:\\Users\\client/.ssh/id_ed25519 (0000000000000000)
debug2: key: C:\\Users\\client/.ssh/id_xmss (0000000000000000)
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:W88rhRw****** C:\\Users\\client/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: C:\\Users\\client/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\client/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\client/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\client/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
git@***.***.***.***'s password:

I really don't understand why?

Before that, gitlab was installed,ssh worked normally, but then gitlab was uninstalled andgitea was installed

may I know what is the reason?

---

in server, run: top

 PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                                                                                                 
 1185 root      20   0  972600 158792  44828 S   0.0  7.7   0:06.96 gitea 

Is there any difference between ssh git@***.***.***.*** and ssh root@***.***.***.***?

Answer 1

One reason this problem can come about is that the gitea instance is installed in a docker container on the host. When you shh to your host with the git user, you are intending to ssh into the gitea docker instance, but actually you are just sshing into the server where docker is running. SHH doesn't use domain names, so even if you have a reverse proxy which can see your request for the gitea website on the server, get the gitea website from the gitea docker container, and send it on to your computer, a reverse proxy can't do the same when you ssh in to the server.

The solution is to set up some form of SSH container passthrough. This is documented on the gitea docker installation documentation page (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough). The gist of it is:

1. Make a user on the server, outside of the gitea container called 'git'.
2. Make a key pair that you put in the git user's ~/.ssh folder.
3. Set the gitea docker volumes to include this git user's ~/.ssh folder as one of the internal docker folders (i.e., share the server's git user's ~/.ssh folder containing the key pair with the gitea docker container's /data/git/.ssh folder
4. Set the docker user for the gitea container to the same user id as the server's git user
5. The public key needs to be added to the server's git user's ~/git/.ssh/authorized_keys file (e.g., sudo -u git cat /home/git/.ssh/id_rsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys && sudo -u git chmod 600 /home/git/.ssh/authorized_keys)
6. Make a new command called gitea on the server that is a file containing the following: ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@". This file should be in /usr/local/bin/gitea/ and must be executable (sudo chmod +x /usr/local/bin/gitea)
7. Take down your docker container and put it back up (from the folder where your gitea docker-compose.yml files is, docker-compose down, then docker-compose up -d)
8. Test by, at the command prompt on your regular computer: ssh -Tvv git@hostname.com. If it's working you should see a message "Hi there, ! You've successfully authenticated with the key named davidattheready@gmail.com, but Gitea does not provide shell access. If this is unexpected, please log in with password and setup Gitea under another user." You can also type the command su git then gitea on the server and you should see no response if it's working, and no error. Now, once you have gone into the gitea UI and added your key (NOT the same one as you used in steps 2-3 above, but a key on your regular computer) you should be able to run git commands from your non-server computer, pulling/pushing/etc with ssh.

Answer 2

One possible reason SSH would default to asking git password is because:

• the SSH key is passphrase-protected
• the key was not added to an SSH agent

You can test that by generating a simpler SSH key, for testing, without passphrase:

ssh-keygen -t rsa -m PEM -P ""