ssh logs about missing host certificates #13724

Closed
42wim opened this issue Nov 27, 2020 · 8 comments · Fixed by #15849

Comments

@42wim
Member

42wim commented Nov 27, 2020

  • Gitea version (or commit ref):
    7ec1c13 (release/v1.13)
  • Operating system:
    Self-build docker image

Description

Every ssh connection now logs

Could not load host certificate "/data/ssh/ssh_host_ed25519_cert": No such file or directory
Could not load host certificate "/data/ssh/ssh_host_rsa_cert": No such file or directory
Could not load host certificate "/data/ssh/ssh_host_ecdsa_cert": No such file or directory
Could not load host certificate "/data/ssh/ssh_host_dsa_cert": No such file or directory

Introduced by #13143

Maybe make this opt-in?

@zeripath
Contributor

So these are actually more warnings than errors and don't have any effect on the running of the sshd server. They simply mean that if the cert files exist they are used.

The alternative would mean that if you wanted to use a certificate you'd have to change the sshd.conf in addition to adding them in. I guess it might be possible to generate the sshd.conf with a template and variables?

@42wim
Member Author

42wim commented Nov 27, 2020

I'm personally going to add those to my gitea config, but could be annoying for users as it's filling logs with every connection (I'm running it behind a loadbalancer with a healthcheck).

Feel free to close also if not worth the effort.

@zeripath
Contributor

I guess if you stuck some environment variable and template checks around HostCertificate /data/ssh/ssh_host_ed25519_cert and the other places it would work.

Wouldn't be too much work - only issue is I guess you would have to remember to change the file manually if you restarted the docker and wanted to add them in.
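
The template check suggested in the comment above, as an added example (not part of the thread and not Gitea's own setup script): a POSIX shell fragment that emits a HostCertificate line only when the certificate and its private host key both exist. The function names and the base-config argument are hypothetical; the file names follow the paths quoted in the issue.

```shell
#!/bin/sh
# Added example. Assumption: the sshd config is rendered at container start
# from a base file, and host keys/certs live in one directory (/data/ssh in
# the issue) named ssh_host_<type>_key and ssh_host_<type>_cert.

# Print one HostCertificate directive per usable certificate in $1.
host_cert_lines() {
    hc_dir="$1"
    for hc_type in ed25519 rsa ecdsa dsa; do
        hc_key="$hc_dir/ssh_host_${hc_type}_key"
        hc_cert="$hc_dir/ssh_host_${hc_type}_cert"
        # sshd only accepts a certificate whose public key matches a private
        # key given by HostKey, so skip certs that have no key beside them.
        # -s also skips empty files left behind by a failed signing step.
        if [ -s "$hc_cert" ] && [ -f "$hc_key" ]; then
            printf 'HostCertificate %s\n' "$hc_cert"
        fi
    done
}

# Render a config: base file $1 minus its unconditional HostCertificate
# lines, followed by the directives that are valid for directory $2.
render_sshd_config() {
    rc_base="$1"
    rc_dir="$2"
    [ -r "$rc_base" ] || return 1
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -v '^[[:space:]]*HostCertificate[[:space:]]' "$rc_base" || true
    host_cert_lines "$rc_dir"
}
```

Because the directives are decided at render time, a certificate added later is only picked up after the config is rendered again and sshd is restarted.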

@joseluisq

This comment has been minimized.

@techknowlogick
Member

@joseluisq the Could not load host certificate logs are warnings, and can be safely ignored per above. The issue you are facing is Received signal 15; terminating. which means your binary is being OOM killed and is facing an unrelated issue to this one. Please hop into chat, or create a new forum thread and we can help walk you through finding out where all your memory went.

@joseluisq

> @joseluisq the Could not load host certificate logs are warnings, and can be safely ignored per above. The issue you are facing is Received signal 15; terminating. which means your binary is being OOM killed and is facing an unrelated issue to this one. Please hop into chat, or create a new forum thread and we can help walk you through finding out where all your memory went.

@techknowlogick yeah, I realized that after fixing the issue, which was due to a bad Gitea config.

@toddnni

toddnni commented May 10, 2021

A note. /etc/s6/openssh/setup inside the Docker image generates

ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_ecdsa_key
ssh_host_ecdsa_key.pub
ssh_host_ed25519_key
ssh_host_ed25519_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub

So maybe the sshd_config template is just pointing to the wrong files, e.g. /data/ssh/ssh_host_ed25519_cert instead of /data/ssh/ssh_host_ed25519_key.pub.

SSH daemon seems to get the public keys from the private keys also, but prints a warning on each connection.

@zeripath
Contributor

No. Those are different things.

Just ignore the "errors"; they're irrelevant.
