Skip to content

auto generate additional ssh keys #33974

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

auto generate additional ssh keys #33974

wants to merge 17 commits into from

Conversation

TheFox0x7
Copy link
Contributor

@TheFox0x7 TheFox0x7 commented Mar 22, 2025
edited
Loading

adds capabilities for gitea to generate ecdsa and ed25519 keys by default
adds cli for built-in ssh keygen

closes: #33783

Since we already generate RSA key in rootless by default, I see no reason to add keygen in there. Instead we can add more keygen capabilities to internal ssh server.
The only remaining question is how to expose this to end user?
One option I see is to extend ServerHostKeys to ["gitea.rsa","gitea.ecdsa","gitea.ed25519","gogs.rsa"] but I'm not sure if it's a correct way.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 22, 2025
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Mar 22, 2025
@TheFox0x7
fix formatting
c51f3ca
@TheFox0x7
add copyright
3a67769
@TheFox0x7
extend settings
17cf418 
rework keygen to guess the keysize from extension
@TheFox0x7
remove failure possibilty
ee93970
@TheFox0x7
add keygen command
1ef0194 
make key generation happen in generation module
@TheFox0x7
reuse generate module
9de2cce
@github-actions github-actions bot added the modifies/cli PR changes something on the CLI, i.e. gitea doctor or gitea admin label Mar 23, 2025
@TheFox0x7 TheFox0x7 marked this pull request as ready for review March 23, 2025 23:15
wxiaoguang
wxiaoguang reviewed Mar 24, 2025
View reviewed changes
cmd/generate.go
if err != nil {
return err
}
f, err := os.OpenFile(file, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should it avoid overwriting existing file?

/tmp$ ssh-keygen -t ecdsa -f a
Generating public/private ecdsa key pair.
a already exists.
Overwrite (y/n)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be a good idea, I'll try to figure out how to do it.
Would comments also be a good idea to include?

wxiaoguang
wxiaoguang reviewed Mar 24, 2025
View reviewed changes
wxiaoguang
wxiaoguang reviewed Mar 24, 2025
View reviewed changes
modules/ssh/ssh.go Outdated
err := GenKeyPair(setting.SSH.ServerHostKeys[0])
if err != nil {
log.Fatal("Failed to generate private key: %v", err)
for i := range 3 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why 3? Why generates all files?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For new default settings and parity with default (rootful) container keys. I'd like to drop it for something better though.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Swapped it for mirroring ssh-keygen -A behavior to a degree. If no keys were added we generate all 3 and load them instead.

I think it would be better to move it out of if so it always runs as it is a noop if all 6 files exist - only downside is that it sources the default directory from config so if a user for some reason restarts the server with ssh1/gitea.rsa new keys would be generated which is not ideal.

@TheFox0x7 TheFox0x7 force-pushed the generate-additional-ssh-keys branch from 0372c4b to 61f4962 Compare March 25, 2025 21:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wxiaoguang wxiaoguang wxiaoguang left review comments

Assignees
No one assigned
Labels
lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/cli PR changes something on the CLI, i.e. gitea doctor or gitea admin modifies/go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Please add openssh-keygen to Dockerfile-rootless
4 participants
@TheFox0x7 @wxiaoguang @techknowlogick @GiteaBot