New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deploy key does not have access to private repository #2441
Comments
see https://github.com/go-gitea/gitea/blob/master/cmd/serv.go#L208, I have checked the code. It seems it's right. Maybe you can check whether your key [id=1] is exist? |
Dump from
I was pretty sure that the key ID is not 1, as I deleted and recreated that deploy key for that repository a few times before trying it at first. The repo ID is correct. The key is in the What I don't understand is this error message about key 1. Why does Gitea show it when going private, and work fine when going public with the repository? |
Check authorized keys file is there key id 1 gitea command |
@lafriks the key with the ID 4 that I re-added a few times is in there more than once (1, 2, 4). The problem now appears to be that the keys are not purged from this file, even when they're deleted from the database. The SSH key apparently matches the key with ID 1 first, thus, Gitea checks this ID. Since the key does not exist (and is therefore not authorized to access the repository), the client is denied access. (The key is by the way just once in the database). #1870 should fix such issues and also implements a superior alternative to the |
You should regenerate it from admin interface and check if that helps |
Well, that obviously fixes the problem. Though, I assume something in the process of deleting deploy keys doesn't trigger that function. I'd suggest to fix this issue by doing exactly that. |
I think the regenerate should be called when a key delete from the UI. see https://github.com/go-gitea/gitea/blob/master/models/ssh_key.go#L406 |
Yes. But, thinking about it, it was not regenerated either when adding the key again. I'd say, the best way is to do it in both places to be on the safe side. |
#1870 would fix this by not using the generated file at all :) |
@bkcsoft but that requires special openssh server configuration and is it possible to configure it only for single user? |
|
IIRC from Phabricator (which I cited in the other issue by the way) this requires a second instance of OpenSSH. Also, as stated in that other issue, Dropbear etc. don't provide this option. I guess it's still mandatory to provide this as a fallback solution unless support for anything but OpenSSH 6.2+ is dropped. |
Any ETA for #2441 (comment)? |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions. |
So, the key file is still not re-generated when a key is deleted? |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions. |
This is fixed since PR #5939 |
For small, personal self-hosted instances with no user signups, the fork button is just a noise. This patch allows disabling them like stars can be disabled too. Disabling forks does not only remove the buttons from the web UI, it also disables the routes that could be used to create forks. Fixes go-gitea#2441. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
[x]
):Description
I tried to use a deploy key with a private repository on a private instance of Gitea running in a Docker container. Apparently, for private Git repositories, the deploy key doesn't have permission to read the repository, though.
As soon as I publish the repository, the key works as expected.
It's a bit disruptive to have to switch the state of a repository for every deployment. I'd propose to allow deploy keys to clone the relevant repository even if it's private.
(I think a workaround might be to add a "machine user" or something like that, and add that to the repository.)
Oh, and please, improve that error message a bit. I'm not even sure whether the current behavior is intended, the message in the log extract I posted actually implies it might be an error.
The text was updated successfully, but these errors were encountered: