From 1c230f69d9951af1174f2956064f18e2d135723d Mon Sep 17 00:00:00 2001 From: Patrick Schratz Date: Thu, 21 Jan 2021 03:25:18 +0100 Subject: [PATCH] update ssh passthrough (#14403) Co-authored-by: Lunny Xiao --- .../doc/installation/with-docker.en-us.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/docs/content/doc/installation/with-docker.en-us.md b/docs/content/doc/installation/with-docker.en-us.md index 563e85c226..b8017e64de 100644 --- a/docs/content/doc/installation/with-docker.en-us.md +++ b/docs/content/doc/installation/with-docker.en-us.md @@ -345,19 +345,23 @@ ports: - "127.0.0.1:2222:22" ``` -In addition, `/home/git/.ssh/authorized_keys` on the host needs to be modified. It needs to act in the same way as `authorized_keys` within the Gitea container. Therefore add +In addition, `/home/git/.ssh/authorized_keys` on the host needs to be modified. It needs to act in the same way as `authorized_keys` within the Gitea container. Therefore add the public key of the key you created above ("Gitea Host Key") to `~/git/.ssh/authorized_keys`. +This can be done via `echo "$(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys`. +Important: The pubkey from the `git` user needs to be added "as is" while all other pubkeys added via the Gitea web interface will be prefixed with `command="/app [...]`. + +The file should then look somewhat like ```bash -command="/app/gitea/gitea --config=/data/gitea/conf/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa +# SSH pubkey from git user +ssh-rsa + +# other keys from users +command="/app/gitea/gitea --config=/data/gitea/conf/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ``` -and replace `` with a valid SSH public key of yours. - -In addition the public key of the `git` user on the host needs to be added to `/home/git/.ssh/authorized_keys` so authentication against the container can succeed: `echo "$(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys`. - Here is a detailed explanation what is happening when a SSH request is made: -1. A SSH request is made against the host using the `git` user, e.g. `git clone git@domain:user/repo.git`. +1. A SSH request is made against the host (usually port 22) using the `git` user, e.g. `git clone git@domain:user/repo.git`. 2. In `/home/git/.ssh/authorized_keys` , the command executes the `/app/gitea/gitea` script. 3. `/app/gitea/gitea` forwards the SSH request to port 2222 which is mapped to the SSH port (22) of the container. 4. Due to the existence of the public key of the `git` user in `/home/git/.ssh/authorized_keys` the authentication host → container succeeds and the SSH request get forwarded to Gitea running in the docker container.