[SAC] [OSGeo] #2457: enable ssh git on gitea

#2457: enable ssh git on gitea
---------------------------+-----------------------
Reporter: robe | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Keywords:
---------------------------+-----------------------
Some folks would prefer using ssh for git and their ssh key.
This is something github offers and something gitea offers as well.
We have it disabled on gitea though..

I'd like to enable it using gitea's internal ssh server.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

#2457: enable ssh git on gitea
---------------------------+------------------------
Reporter: robe | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by robe):

I've enabled it on the gitea dev instance. Steps I did to enable it:

In /home/git/gitea/custom/app.ini I changed the following lines:
{{{
[server]
DISABLE_SSH = false
SSH_PORT = 3002
; this one I had to add
START_SSH_SERVER = true
SSH_DOMAIN = dev.git.osgeo.org
}}}

Then do:

{{{
service gitea restart
}}}

On the osgeo4 host I whitelisted that port and added tracsvn-dev as proxy:

{{{
ufw allow 3002 comment "tracsvn gitea ssh"
lxc config device add tracsvn-dev proxyportgiteassh proxy \
    listen=tcp:140.211.15.32:3002 connect=tcp:127.0.0.1:3002 bind=host
}}}

Then, to test, I logged into https://dev.gitea.osgeo.org/gitea, went to
settings and added my ssh public key to my profile.

Then from my local computer I did the below and also did a test commit:

{{{
git clone ssh://git@dev.git.osgeo.org:3002/postgis/postgis.git postgis-dev
}}}

I went back to https://dev.gitea.osgeo.org/gitea and it showed on my
profile next to my public key "Last used on May 09, 2020".

To change an existing dev repo I had, I did this:

{{{
git remote set-url origin ssh://git@dev.git.osgeo.org:3002/postgis/postgis.git
}}}

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:1>
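One caveat the steps above leave implicit: Gitea's built-in SSH server (START_SSH_SERVER = true) presents its own host key, not the OpenSSH host key users already trust on port 22, so every client connecting to port 3002 is asked to accept a new key. The practitioner's check is to pin that key by its SHA256 fingerprint and to write the known_hosts entry in the form OpenSSH uses for non-standard ports, `[host]:port`. The following Python is an added example, not code from the ticket, from Gitea or from the OSGeo configuration; the key bytes, the hostname `dev.git.osgeo.org` and port 3002 are taken or constructed purely for illustration and the demo key is not the real server key.

```python
"""Pin a Gitea SSH host key served on a non-standard port (added example).

Builds the known_hosts entry a client should trust for host:port, parses
ssh-keyscan style "host type base64" lines, and verifies a scanned key
against an expected SHA256 fingerprint before it is accepted.  All key
material here is constructed for the demo.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Build the public-key blob for an ssh-ed25519 key (RFC 8709 layout)."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_host(host: str, port: int) -> str:
    """known_hosts host field: bare name on port 22, [host]:port otherwise."""
    return host if port == 22 else f"[{host}]:{port}"


def known_hosts_line(host: str, port: int, key_type: str, blob: bytes) -> str:
    """Full known_hosts / ssh-keyscan line for the given host and key."""
    return f"{known_hosts_host(host, port)} {key_type} {base64.b64encode(blob).decode()}"


def parse_public_key_line(line: str) -> tuple:
    """Parse 'host type base64' into (host, type, blob), cross-checking the type."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed key line")
    host, key_type, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    # The algorithm name embedded in the blob must match the one on the line.
    declared_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + declared_len] != key_type.encode():
        raise ValueError("key type on line does not match key blob")
    return host, key_type, blob


def verify_scanned_key(line: str, expected_fingerprint: str) -> bool:
    """True only when the scanned key's SHA256 fingerprint equals the pin."""
    try:
        _, _, blob = parse_public_key_line(line)
    except ValueError:
        return False
    return fingerprint_sha256(blob) == expected_fingerprint


# Constructed demo key: bytes 0x00..0x1f stand in for a real ed25519 key.
DEMO_KEY = ed25519_blob(bytes(range(32)))
# Constructed line in the shape `ssh-keyscan -p 3002 dev.git.osgeo.org` emits.
DEMO_LINE = known_hosts_line("dev.git.osgeo.org", 3002, "ssh-ed25519", DEMO_KEY)

if __name__ == "__main__":
    print(DEMO_LINE)
    print(fingerprint_sha256(DEMO_KEY))
```

In practice the pin (the `SHA256:` value) is published out of band, for example on the service's wiki page, and `verify_scanned_key` gates whether the line is appended to a user's known_hosts; the cross-check in `parse_public_key_line` rejects a line whose announced type disagrees with the blob it carries.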

#2457: enable ssh git on gitea
---------------------------+------------------------
Reporter: robe | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by strk):

I don't like the custom port. Would be nice to be able to craft something
with the host's SSH server. I suspect it's possible without too much
hassle.

Also please see ticket #2116 for a way to use LDAP for ssh keys as well
(Gitea does support that):
https://github.com/go-gitea/gitea/pull/1844

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:2>

#2457: enable ssh git on gitea
---------------------------+------------------------
Reporter: robe | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by strk):

Now that SSH keys can be stored in LDAP (#2116) we should enable Gitea
syncing of those keys from LDAP.

See https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample#L874 for instructions.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:3>

#2457: enable ssh git on gitea
--------------------+------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Gitea | Resolution:
Keywords: |
--------------------+------------------------
Changes (by strk):

* owner: sac@… => strk
* component: Systems Admin => Gitea

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:4>

#2457: enable ssh git on gitea
--------------------+------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Gitea | Resolution:
Keywords: |
--------------------+------------------------

Comment (by strk):

Regina: I see that the app.ini for gitea was changed (JWT_SECRET) but the
change was not committed to the git repository. Was the change yours?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:5>

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution:
Keywords: |
--------------------+----------------------------------------
Changes (by strk):

* milestone: Unplanned => Sysadmin Contract 2020-II

Comment:

I'm working on this. We will use the existing ssh server, so there's no
need to find another free TCP port. And we'll fetch ssh keys from LDAP.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:6>

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution:
Keywords: |
--------------------+----------------------------------------

Comment (by strk):

We need an IP to proxy to tracsvn which is different from the IP we proxy
to download.
At this moment download and tracsvn have the same IP (ending with 30). I
dunno where the 32 address came from, in your experiments, Regina. Did you
change the DNS record to assign 32 to git.osgeo.org when doing that
experimentation?

For the record: once we enable ssh we might want to change the settings
page template to forbid adding/removing ssh keys from the gitea interface
(and rather redirect to the LDAP page for that).
See https://github.com/go-gitea/gitea/issues/13983

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:7>

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution:
Keywords: |
--------------------+----------------------------------------

Comment (by strk):

There's also a problem with multiple SSH keys: https://github.com/go-gitea/gitea/issues/13984

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:8>

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution:
Keywords: |
--------------------+----------------------------------------

Comment (by strk):

For the IP, I think it's ok to use the ldap.osgeo.org IP for tracsvn, as
suggested in https://trac.osgeo.org/osgeo/ticket/2116#comment:9

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:9>

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution:
Keywords: |
--------------------+----------------------------------------

Comment (by strk):

The SSH keys problem requires reviewing the way keys are stored in LDAP
(#2542)

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:10>

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution:
Keywords: |
--------------------+----------------------------------------

Comment (by strk):

LDAP ssh keys storage was fixed. Support for multiple SSH keys from LDAP
was added in Gitea, so we'll need to upgrade it as soon as a new release
including that change is published. Failing that we'll only be able to use
a single ssh key, which we don't want.

Other things to do about this ticket would be providing custom templates
to avoid being able to _delete_ ssh keys from Gitea, and make the "Add"
button redirect you to LDAP account editing (to work around
https://github.com/go-gitea/gitea/issues/13983).

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:11>

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution:
Keywords: |
--------------------+----------------------------------------

Comment (by strk):

Templating work done with https://git.osgeo.org/gitea/sac/gitea-config/commit/36d5d4c7a14763906b052ab472486816f01850c7

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:12>

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution:
Keywords: |
--------------------+----------------------------------------

Comment (by strk):

Preparation of nginx for the IP switch of git.osgeo.org is proposed here:
https://git.osgeo.org/gitea/sac/ansible-deployment/pulls/2

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:13>

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution:
Keywords: |
--------------------+----------------------------------------

Comment (by strk):

IP reorganization is proposed in #2549

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:14>

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution:
Keywords: |
--------------------+----------------------------------------

Comment (by strk):

IP assignment is done. Next I'd like to test the ssh key enabling in
staging.
I've enabled SSH with external server (openssh) on dev.git.osgeo.org, but
port 22 is already listened on 140.211.15.32 for the "hop" container so
it's again configured to use 3002 as the external port. For some reason
though I cannot connect to that port from the outside (I get a timeout).
It works from osgeo4:
{{{
tech_dev@osgeo4:~$ nc -vz 140.211.15.32 3002
Connection to 140.211.15.32 3002 port [tcp/*] succeeded!
}}}

it hangs from osgeo7:
{{{
tech_dev@osgeo7:~$ nc -vz 140.211.15.32 3002
nc: connect to 140.211.15.32 port 3002 (tcp) failed: Connection timed out
}}}

Any idea why?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:15>
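The two nc runs above illustrate the distinction that matters when a proxied port works from the proxy host itself but not from elsewhere: a connection that is refused means the SYN reached a host with nothing listening, while a timeout means something on the path (a ufw rule, a provider ACL, a proxy device bound to the wrong address) is silently dropping it. The following Python is an added example, not part of strk's comment or of the OSGeo tooling; it performs the same probe as `nc -vz host port` and classifies the result as open, closed or filtered so the probe can be repeated from several vantage points in a script. The 140.211.15.32:3002 target is only mentioned as the case from the ticket; the self-checks use the loopback interface so they run offline.

```python
"""Classify a TCP connect the way `nc -vz` reports it (added example).

probe_tcp() returns "open" (handshake completed), "closed" (RST received,
nothing listening) or "filtered" (no answer or ICMP unreachable, typically
a firewall or missing proxy rule).  The _probe_local_* helpers are
offline self-checks against the loopback interface.
"""
import errno
import socket


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        # No SYN-ACK and no RST within the timeout: the packet was dropped.
        return "filtered"
    except ConnectionRefusedError:
        # An RST came back: the host is reachable but nothing listens there.
        return "closed"
    except OSError as exc:
        # ICMP host/network unreachable is a routing or filtering answer,
        # not a service answer, so it is grouped with "filtered".
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise


def describe(host: str, port: int, state: str) -> str:
    """Human-readable line in the spirit of nc's -v output."""
    hints = {
        "open": "succeeded",
        "closed": "connection refused (nothing listening)",
        "filtered": "timed out (check firewall / proxy rules on the path)",
    }
    return f"{host}:{port} {hints[state]}"


def _probe_local_listener() -> str:
    """Self-check: probe a listener we open ourselves on loopback (expect open)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return probe_tcp("127.0.0.1", srv.getsockname()[1], timeout=2.0)
    finally:
        srv.close()


def _probe_local_closed_port() -> str:
    """Self-check: bind a free port, release it, then probe it (expect closed)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return probe_tcp("127.0.0.1", port, timeout=2.0)


if __name__ == "__main__":
    print(describe("127.0.0.1", 0, _probe_local_listener()))
    print(describe("127.0.0.1", 0, _probe_local_closed_port()))
    # Example from the ticket (will only resolve the way the ticket describes
    # from inside the OSGeo network): uncomment to try it.
    # print(describe("140.211.15.32", 3002, probe_tcp("140.211.15.32", 3002)))
```

Running the same `probe_tcp` call from the proxy host and from an outside host, as strk did with nc from osgeo4 and osgeo7, and getting "open" on one side and "filtered" on the other points at a filter between them rather than at the Gitea or sshd configuration.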

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution: fixed
Keywords: |
--------------------+----------------------------------------
Changes (by strk):

* status: new => closed
* resolution: => fixed

Comment:

Never mind, I went directly to production and it works fine.
https://git.osgeo.org/gitea/sac/gitea-config/commit/2995685682eb15369c81fb9449285a7c2cd9fb2e
was pushed using ssh, with keys fetched from LDAP and default SSH port \o/

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:16>

#2457: enable ssh git on gitea
--------------------+----------------------------------------
Reporter: robe | Owner: strk
     Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Gitea | Resolution: fixed
Keywords: |
--------------------+----------------------------------------

Comment (by strk):

For the record: https://git.osgeo.org/gitea/sac/ansible-deployment/commit/0f9b923d164db527f903035635ea22b236b95916
added the ssh proxy port

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2457#comment:17>