Problem Statement: Gitea SSH Access Configuration in LXC Container
Overview
I am experiencing issues configuring Gitea to allow SSH access for cloning and pushing repositories. HTTP access for cloning works correctly. Despite two days of effort, I am unable to get the SSH access working as expected. Here are the details of my setup and the steps I have taken so far.
System Details
Host Environment: Proxmox 8.2.4 LXC Container
Base Image: debian-12-standard 12.2-1_amd64
Default SSH Daemon: The systemās default sshd is installed and running.
Requirements
Gitea Access:
HTTP access for browsing and cloning repositories.
SSH access for cloning and pushing to repositories.
Authentication:
Gitea users have verified ssh keys.
The system root user should also have SSH key login enabled.
No SSL/TLS Certificates:
For simplicity, no certificates should be required for the initial setup.
Steps Taken
Installed Gitea:
Followed the basic installation guide.
Configured Gitea to run on port 80 for HTTP access.
Configured Giteaās SSH service to use port 22.
System SSH Daemon:
Changed the system sshd port to 222 to avoid conflicts with Giteaās SSH service.
SSH Configuration:
Verified that Gitea is listening on port 22.
Ensured SSH key is installed for both system root user
Verified ssh key installed for Gitea user.
Issues Encountered
When attempting to clone a repository using SSH, the following error is encountered:
git@192.168.101.6: Permission denied (publickey,password).
fatal: Could not read from remote repository.
Request for Assistance
I have seen at least four users ask about this problem, but I have not seen a clear resolution. Can someone confirm they can set up Gitea from scratch on a headless `debian-12-standard LXC container via ssh with the following requirements:
SSH Access:
Giteaās SSH service works on port 22.
System sshd moved to a different port (e.g., 222).
HTTP Access:
HTTP access works for browsing and cloning repositories.
User Configuration:
Gitea user has validated ssh key.
The system root user can log in using their SSH key on port 222.
Verification:
HTTP and SSHclone and push of repositories work without requiring certificates.
I would appreciate confirmation that this setup can be successfully completed by following the steps a first-time user would take. Form a clean operating system. Any insights or common pitfalls to avoid would be helpful. Thank you! As fellow sufferers have noted there do not seem to be instructions for installing gitea coexisting with system cli access via ssh. Everyone Iāve seen asking this question has given up.
Why even complicate things with the Gitea SSH? Gitea works fine using the system SSH on the default port. Other than adding unnecessary complications, what do you hope to gain by running another SSH daemon?
If I launch a Debian container on Proxmox, it has sshd running by default. When I install Gitea on it, my understanding (which is limited due to the lack of tutorials or documentation i can find on this topic) is that Gitea installs another ssh service that conflicts with the original sshd. Iāve seen four posts attempting to solve this problem, but none provided a complete answer.
Answers when discussing - donāt seem to distinguish between the two ssh services when discussing solutions, which doesnāt cure any confusion
I appreciate the additional explanation. It has raised my intrigue. Time permitting, if I am able to attempt to recreate the scenario, I will share my findings.
I came across this post as I was experiencing a very similar problem to you (couldnāt use ssh with gitea) and I had almost exactly the same setup except that I had not touched the default sshd setup.
specifically, i setup gitea in a proxmox LXC container using the script at Proxmox VE Helper-Scripts (search gitea). the script from tteck is very new (it was only added on 26 July) and I guess as such may still contain unidentified bugsā¦ the timing of your post makes me wonder if you used the tteck script as well? (in debugging my problem I subsequently believe the tteck script is based off Gitea: Easy Self-Hosted Git Repositories! :: apalrd's adventures)
anyway, using the auto installation script I setup gitea on a Debian 12 system in an unprivileged LXC container. it all seemed to work no issue and I could interact with the web gui. as testing, i created a test repo (in the gui) and could clone through http but NOT sshā¦
after a couple of hours playing around I finally identified my issuesā¦ there was 2. basically ssh was looking for the authorized_keys file in the defined home directory for the gitea user created by the installation script - specifically at /etc/gitea. The .ssh/authorized_keys file did not exist there, rather it existed at /var/lib/gitea/data/.ssh/authorized_keys. To ācounterā this problem I symlinked the actual directory to the one sshd was looking for: sudo -u gitea ln -s /var/lib/gitea/data/.ssh/ /etc/gitea/.ssh. This appeared to work as I started getting a different error. A quick bit of googling suggested this new error was the result of the gitea user not being setup with a shell (the installation script sets it up with /usr/sbin/nologin). I gave the gitea user a shell, chsh -s /usr/bin/bash gitea, tried a git clone again with SSH and it all worked!
Iām not sure if this will fix your problem or if it is related at all but hopefully it helps. The key thing for me in debugging this issue was enabling verbose sshd logging by setting LogLevel DEBUG3 in my sshd_config and following /var/log/auth.log which ultimately showed me where sshd was looking for keys for the gitea userā¦ and that it was the wrong location.
I tried this a week ago hoping it would help. Havenāt had time to post.
I started from a clean Debian container - as above. Because the container console is a tty, I could mask the ssh service before I installed gitea. This should avoid two ssh services
I took a snapshot here. Then continued the install
Reconfigured the system
āÆ git clone gitea@teapot:<me>/test-teapot.git
Cloning into 'test-teapot'...
gitea@192.168.101.6: Permission denied (publickey,password).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Iāll try peopleās other suggestions next - especially the logging and giving the gitea user a shell. I wanted to make the ssh service simple first.
I tried duplicating exactly your process - including creating and installing using the script. Unchanged error for me.
āÆ git clone gitea@192.168.101.5:<me>/test-gitea.git
Cloning into 'test-gitea'...
No ED25519 host key is known for 192.168.101.5 and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists
http clone works.
I installed and verified a key for the user.
Why is it every time i try to set up a tool āto make my life easierā it costs me days and days.
Thanks everyone for your time. Iām going to have to find a different solution.
I had one other problem - my ssh-server package needed to be updated. I wasnāt seeing ssh listening on port 22 - even though journalctl and the service all reported well.
#as root on proxmox Debian bookworm container console
apt update
apt full-upgrade
apt remove --purge openssh-server
apt install openssh-server
#Shows it listening on port 22
ss -tuln4 | grep :22
chsh -s /usr/bin/bash gitea,
su -c "ln -s /var/lib/gitea/data/.ssh/ /etc/gitea/.ssh" gitea
After I gave the gitea user a bash shell and linked the .ssh directory as you suggested
It worked!