Cloning a repo - http doesn't work, ssh key neither #8

Closed
lapineige opened this issue Dec 1, 2016 · 19 comments

@lapineige
Member

Hi,
I'm trying to clone my gogs repository.
Using http I have this kind of error: fatal: mydomain.tld/gogs/myself/Test.git/info/refs not valid: is this a git repository?

And when trying using ssh, it asks for a password - but I can't find which one, as my login password doesn't work.
Adding an ssh key to the repo doesn't solve the issue.
Do you know how to correct that ? Is it an installation issue ?

Thanks :)

@lapineige
Member Author

After more tests: using a no-password ssh key doesn't work.
But if I turn my gogs into a public site, any method works.
Does that mean I need to keep it public ? Even for ssh ?
Does it need to be more integrated into Yunohost ?

@mbugeia
Contributor

mbugeia commented Dec 3, 2016

Hi,
I think I didn't really test clone in private mode. It doesn't surprise me that https clone won't work in private mode since you need to be authenticated by ssowat. If you were able to pass basic http authorization header in git clone command this will maybe work but I don't know if it's possible. Either case this won't be practical.
For ssh it should work in private mode if your ssh daemon is properly configured as in the readme and if you've added your public key to your gogs profile. Using password protected or no password sshkey won't matter (this is client side). What clone command are you using ? The correct one is git clone gogs@yourdomain.tld:user/repo.git

@lapineige
Member Author

lapineige commented Dec 3, 2016

> I think I didn't really test clone in private mode. It doesn't surprise me that https clone won't work in private mode since you need to be authenticated by ssowat.

Right. I was thinking it might be integrated, asking for login/pwd for instance, and I wanted to be sure it wasn't a bug on my side.
Ok so let's focus on ssh:

> For ssh it should work in private mode if your ssh daemon is properly configured as in the readme

(feeling stupid) I missed it (I don't know how ^^), thanks !
Just to be sure, I need to change on my server the file /etc/ssh/sshd_config, not on the client, right ?
I checked it, AuthorizedKeysFile was commented, but it still doesn't work (still asking for a mysterious password).
Compared to the file in the README, the only difference is the UsePAM which is set to yes.

> What clone command are you using ?

It's the right command.

@lapineige
Member Author

Up :)

> Just to be sure, I need to change on my server the file /etc/ssh/sshd_config, not on the client, right ?
> I checked it, AuthorizedKeysFile was commented, but it still doesn't work (still asking for a mysterious password).
> Compared to the file in the README, the only difference is the UsePAM which is set to yes.

So is it the right configuration for the ssh daemon ?
It still asks for a password (not the ssh key password, sounds like the gogs user password)

@lapineige
Member Author

I just tried to connect via ssh, by forcing publickey authentication, I just have this result: Permission denied (publickey,password).
Using nothing asks for a password.

I also tried by using the ssh key I use to log as root (and not for gogs, normally) - it works.
So I'm wondering what configuration I missed, as far as I know it should be 2 separate things.

@mbugeia
Contributor

mbugeia commented Dec 20, 2016

Sorry for the response time.
Well maybe there is another thing missing in the conf file. First you can check:

  • Does the gogs user have your key (the one you put in your gogs profile)? cat /home/gogs/.ssh/authorized_keys
  • What happens during a failed authentication (tail -f /var/log/auth.log) when performing a clone? Is the key the same as in the gogs authorized_keys ?
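
The comparison asked for in the two checks above (is the key seen in auth.log the same as one in the gogs authorized_keys?), as an added example that is not part of the original thread. It assumes sshd logs SHA256 fingerprints (OpenSSH 6.8 and later); the key blobs, log lines and the `/opt/gogs/gogs` command path are constructed samples.

```python
import base64
import hashlib
import re

# Key type and base64 blob; any options prefix (command="...",no-pty) is skipped.
KEY_RE = re.compile(r"\b(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/]+={0,2})")
# sshd publickey result lines that carry a SHA256 fingerprint.
LOG_RE = re.compile(
    r"(Accepted|Failed) publickey for (\S+) from \S+ port \d+ ssh2: \S+ (SHA256:\S+)")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form sshd logs and `ssh-add -l` print."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def authorized_fingerprints(text):
    """Map fingerprint -> line number for every key in an authorized_keys file."""
    found = {}
    for number, line in enumerate(text.splitlines(), 1):
        match = KEY_RE.search(line)
        if match and not line.lstrip().startswith("#"):
            found[fingerprint(match.group(2))] = number
    return found

def classify(log_text, authorized_text, user="gogs"):
    """Return (outcome, fingerprint, authorized_keys line or None) per log entry."""
    known = authorized_fingerprints(authorized_text)
    return [(outcome, fp, known.get(fp))
            for outcome, who, fp in LOG_RE.findall(log_text) if who == user]

def _sample_blob(fill):
    # Constructed ed25519-shaped blob (not a real key): type string + 32 bytes.
    raw = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(raw).decode()

PROFILE_KEY, OTHER_KEY = _sample_blob(1), _sample_blob(2)
SAMPLE_AUTHORIZED_KEYS = (  # constructed; the command path is hypothetical
    "# constructed sample\n"
    'command="/opt/gogs/gogs serv key-1",no-port-forwarding,no-pty ssh-ed25519 '
    + PROFILE_KEY + " user@laptop\n")
SAMPLE_AUTH_LOG = (  # constructed lines in sshd's log format
    "Dec 20 10:00:01 host sshd[411]: Failed publickey for gogs from 203.0.113.5 "
    "port 50001 ssh2: ED25519 " + fingerprint(OTHER_KEY) + "\n"
    "Dec 20 10:00:09 host sshd[411]: Accepted publickey for gogs from 203.0.113.5 "
    "port 50001 ssh2: ED25519 " + fingerprint(PROFILE_KEY) + "\n")
```

A `None` in the third field means the client offered a key that is not in the gogs user's authorized_keys; no publickey line at all for the gogs user means the client offered no key, which points at the client or its ssh-agent rather than the server.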

@lapineige
Member Author

> Does the gogs user have your key (the one you put in your gogs profile)? cat /home/gogs/.ssh/authorized_keys

I did before, the key was always the right one

> What happens during a failed authentication (tail -f /var/log/auth.log) when performing a clone? Is the key the same as in the gogs authorized_keys ?

I will check ASAP.

@mbugeia
Contributor

mbugeia commented Dec 20, 2016

You can also check ssh gogs@yourdomain.tld
Gogs will tell you that if it's ok:

PTY allocation request failed on channel 0
Hi there, You've successfully authenticated, but Gogs does not provide shell access.
If this is unexpected, please log in with password and setup Gogs under another user.
Connection to domain.tld closed.

If not, put ssh in verbose mode (-vvvv) to see what happens while also monitoring auth.log.

@lapineige
Member Author

lapineige commented Dec 20, 2016

I think I had that message before with my gogs ssh key.

Now it asks for the password corresponding to the root ssh key that I used for the test (as the gogs key wasn't working). I have it aside my gogs key.
(if the password is wrong, the gogs account password is required, and not the other ssh key)

Removing the root key, while keeping the gogs key, asks only for gogs account password (and not the ssh key).

@mbugeia
Contributor

mbugeia commented Dec 20, 2016

Here is my full sshd_config : https://paste.yunohost.org/atedejuwag.vala if you want to check what's different.

@lapineige
Member Author

lapineige commented Dec 20, 2016

Thanks :)

Well, the only differences I see are:

StrictModes yes

on my side, and you have the option no,

HostKey /etc/ssh/ssh_host_ed25519_key

I don't have this line.
and:

UsePAM no

I have yes on my side.

@mbugeia
Contributor

mbugeia commented Dec 20, 2016

The first two won't change the behavior. Have you tried to change UsePAM to no and restart the ssh daemon ?

@lapineige
Member Author

Done, no visible effect.

@mbugeia
Contributor

mbugeia commented Dec 20, 2016

Well to investigate more I would need the full exchange of the auth.log with the content of the gogs authorized_keys. If you're uncomfortable about exposing it here (even if it's only public keys) you can mail me here: github@max.privy.place

@lapineige
Member Author

lapineige commented Dec 24, 2016

Should I remove the root key before trying this and sending you the auth.log ?
I mean, when I try with the root key included, it works and asks for its password. This is included in the auth.log, with the right fingerprint.
When I remove it, I just have the prompt for the gogs user's password, nothing for the gogs key password.
And the auth.log contains only the prompt for the user password, nothing about the other key.


Should I try adding the gogs key to the root user authorized_keys file ?

@lapineige
Member Author

Ok I found the issue - it's not related to gogs: my ssh-agent had an issue, all the keys I generated since a previous update were not added with ssh-add (seems to be a known bug, updating solved the issue).
So after a new key generation, it's working perfectly fine :)
Thanks for your help, sorry for the inconvenience :(

@mbugeia
Contributor

mbugeia commented Dec 25, 2016

I'm glad you made it work. As I said in my previous answer, since gogs worked, the solution had to be in the key exchange either in the daemon or in your ssh agent.

@lapineige
Member Author

And you were right, but I wasn't expecting this kind of issue, since the keys were generated and ssh-add was working (btw it reported nothing).

@cvanwynsberghe

Hi @mbugeia ,

> I think I didn't really test clone in private mode. It doesn't surprise me that https clone won't work in private mode since you need to be authenticated by ssowat. If you were able to pass basic http authorization header in git clone command this will maybe work but I don't know if it's possible. Either case this won't be practical.

despite the issue being closed, I took quite a long time to understand that git through https does not work when website is private, until I reached this thread. Shouldn't this limitation be mentioned during install, just beside the option "Make this website public" ?
