Repository permissions

I set up Gitea (to test once on FreeBSD and once on Windows) and created a test repo on each.

I cannot figure out how to set permissions on the repos and how to connect to the repos via git as a specific user.

On FreeBSD the ssh URL uses the user “git” for some reason and on Windows “gitea$” (a version of the service account without the domain). Then it asks for a password. I don’t know the password for the git account and the gMSA doesn’t have a (knowable) password, so that doesn’t make a lot of sense.

But I noticed that using the http URL absolutely anybody can clone/push/pull any repo, not just the owner.

What am I doing wrong? How can I configure a repo to be accessible by specific users only and how do I tell gitea which user I am when I connect via git?

You can change a repository to private on your repository settings tab.

I did that. But where can I set permissions on the repo?

When I try to connect to it using my user “hubert” (who is a “collaborator” to write), it tells me the following:

PS C:\Users\ajbrehm\source\repos\quest> git push wgiteah
hubert@wgitea’s password:
fatal: ‘‘ajbrehm/quest.git’’ does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Apparently the ssh user is not related to the Gitea user (it’s a domain account) and hence Gitea doesn’t know which permissions it should have. (I tried with an account that existed in Gitea but not in AD and it didn’t even accept the password.)

The odd thing is that Gitea proposes using the gitea service account for ssh connections which makes no sense at all to me, since Gitea wouldn’t know who it really is and since developers would obviously not know that account’s password…

I must be overlooking something obvious.

Using http and Git Credential Manager it appears to work.

It seems like Gitea’s ssh support is just strange.

I think you have a different problem than you expect.
It sounds rather like your SSH key is not whitelisted by SSH, so it tries to fall back to password authentication (which you obviously should not have).

I must be overlooking something obvious.

Unfortunately only to some extent.
SSH is inherently the part of Gitea that produces the most bugs, and there is no way around it.

As to your other question with the service account:
That’s because Gitea essentially “hijacks” your SSH session and looks into its own database if the key is known rather than storing that key directly with SSH.
So you should not need to know the password of the git account.

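When Gitea sits behind the system OpenSSH server, the key lookup described in the reply above is wired in through forced-command entries in the service account's authorized_keys file, which is why every developer connects as the same SSH user and Gitea still knows who they are. As an added example (not from the thread or the Gitea project), this Python script audits such a file for keys that are not bound to a `gitea serv key-N` command or that lack forwarding and PTY restrictions; the install paths, option set and key blobs are assumed, constructed values.

```python
import re

# Assumed install paths and option set; adjust to the deployment being audited.
GITEA = "/usr/local/sbin/gitea --config=/usr/local/etc/gitea/conf/app.ini"
LOCKS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
# Constructed sample of the service account's authorized_keys (key blobs are placeholders).
SAMPLE = "\n".join([
    "# gitea public key",
    f'command="{GITEA} serv key-1",{LOCKS} ssh-ed25519 AAAA_PLACEHOLDER_1 hubert',
    f'command="{GITEA} serv key-2",restrict ssh-ed25519 AAAA_PLACEHOLDER_2 ajbrehm',
    f'command="{GITEA} serv key-3" ssh-ed25519 AAAA_PLACEHOLDER_3 laptop',
    "ssh-ed25519 AAAA_PLACEHOLDER_4 admin",
])
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
SERV = re.compile(r"gitea\S*\s+(?:.*\s)?serv key-(\d+)\s*$")

def split_outside_quotes(text, seps, limit=None):
    """Split on separator characters that are not inside double quotes."""
    parts, start, quoted, prev = [], 0, False, ""
    for i, ch in enumerate(text):
        if ch == '"' and prev != "\\":
            quoted = not quoted
        elif ch in seps and not quoted and (limit is None or len(parts) < limit):
            parts.append(text[start:i])
            start = i + 1
        prev = ch
    parts.append(text[start:])
    return parts

def audit(text):
    """Return (line_no, gitea_key_id, status) for every key entry."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = split_outside_quotes(line, " \t", 1)[0]
        if first.startswith(KEY_TYPES):  # no options field: key gets the account's shell
            results.append((n, None, "no-forced-command"))
            continue
        opts = split_outside_quotes(first, ",")
        cmd = next((o[9:-1] for o in opts if o.startswith('command="')), "")
        m = SERV.search(cmd)
        locked = "restrict" in opts or set(LOCKS.split(",")) <= set(opts)
        status = "foreign-command" if not m else "ok" if locked else "weak-options"
        results.append((n, int(m.group(1)) if m else None, status))
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The `key-N` number is Gitea's internal ID for the public key, which it maps to the owning Gitea account and that account's repository permissions.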

I was using password auth to test before setting up the keys.

But it does seem to work with http, so all is good.

Thanks.