Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auto generate additional ssh keys #33974

Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

auto generate additional ssh keys #33974

wants to merge 14 commits into from

Conversation

TheFox0x7
Copy link
Contributor

@TheFox0x7 TheFox0x7 commented Mar 22, 2025
edited
Loading

adds capabilities for gitea to generate ecdsa and ed25519 keys by default
adds cli for built-in ssh keygen

closes: #33783

Since we already generate RSA key in rootless by default, I see no reason to add keygen in there. Instead we can add more keygen capabilities to internal ssh server.
The only remaining question is how to expose this to end user?
One option I see is to extend ServerHostKeys to ["gitea.rsa","gitea.ecdsa","gitea.ed25519","gogs.rsa"] but I'm not sure if it's a correct way.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 22, 2025
@pull-request-size pull-request-size bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 22, 2025
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Mar 22, 2025
@TheFox0x7
fix formatting
c51f3ca
@TheFox0x7
add copyright
3a67769
@TheFox0x7
extend settings
17cf418 
rework keygen to guess the keysize from extension
@TheFox0x7
remove failure possibilty
ee93970
@TheFox0x7
add keygen command
1ef0194 
make key generation happen in generation module
@TheFox0x7
reuse generate module
9de2cce
@github-actions github-actions bot added the modifies/cli PR changes something on the CLI, i.e. gitea doctor or gitea admin label Mar 23, 2025
@TheFox0x7 TheFox0x7 marked this pull request as ready for review March 23, 2025 23:15
wxiaoguang
wxiaoguang reviewed Mar 24, 2025
View reviewed changes
cmd/generate.go
if err != nil {
return err
}
f, err := os.OpenFile(file, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should it avoid overwriting existing file?

/tmp$ ssh-keygen -t ecdsa -f a
Generating public/private ecdsa key pair.
a already exists.
Overwrite (y/n)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be a good idea, I'll try to figure out how to do it.
Would comments also be a good idea to include?

wxiaoguang
wxiaoguang reviewed Mar 24, 2025
View reviewed changes
modules/ssh/ssh.go
@@ -400,12 +406,21 @@ func Listen(host string, port int, ciphers, keyExchanges, macs []string) {
// Public key is encoded in the format for inclusion in an OpenSSH authorized_keys file.
// Private Key generated is PEM encoded
func GenKeyPair(keyPath string) error {
privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
bits := 4096
keytype := filepath.Ext(keyPath)
Copy link
Contributor

@wxiaoguang wxiaoguang Mar 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't seem right to guess the content by file extension.

(oudated)

The key itself has the correct information.

$ ssh-keygen -t ecdsa -f a
...
$ ssh-keygen -lf a
256 SHA256:NS1YmfwZDYoEgtS3Ne0wRuDvGFFWyQfc1QB8ZT2SGeA xiaoguang@Xiaoguangs-MacBook-Pro.local (ECDSA)

Hmm, it is not for "parsing" but for "creating", but it still seems strange to guess the key type by file extension.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fully agreed it's a bad design. The default was []string{"ssh/gitea.rsa", "ssh/gogs.rsa"} so I figured []string{"ssh/gitea.rsa", "ssh/gitea.ed25519", "ssh/gitea.ecdsa", "ssh/gogs.rsa"} would be an acceptable workaround. I don't like it either but I had no better ideas to date.

wxiaoguang
wxiaoguang reviewed Mar 24, 2025
View reviewed changes
modules/ssh/ssh.go
err := GenKeyPair(setting.SSH.ServerHostKeys[0])
if err != nil {
log.Fatal("Failed to generate private key: %v", err)
for i := range 3 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why 3? Why generates all files?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For new default settings and parity with default (rootful) container keys. I'd like to drop it for something better though.

@TheFox0x7 TheFox0x7 force-pushed the generate-additional-ssh-keys branch from 0372c4b to 61f4962 Compare March 25, 2025 21:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wxiaoguang wxiaoguang

Assignees
No one assigned
Labels
lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/cli PR changes something on the CLI, i.e. gitea doctor or gitea admin modifies/go Pull requests that update Go code size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Please add openssh-keygen to Dockerfile-rootless
3 participants
@TheFox0x7 @wxiaoguang @GiteaBot