Commit Graph

15 Commits

Author SHA1 Message Date
zeripath
0ada74edbc
Only offer hostcertificates if they exist (#15849)
A common bug report is the otherwise harmless sshd logging:

```
Could not load host certificate "/data/ssh/ssh_host_ed25519_cert": No such file or directory
```

This PR simply checks if these files exist before creation of sshd_config and if
they do not exist, doesn't add a reference to them.

Fix #14110 amongst others.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2021-05-13 15:11:28 +03:00
Lauris BH
044cd4d016
Add reverse proxy configuration support for remote IP address (#14959)
* Add reverse proxy configuration support for remote IP address validation

* Trust all IP addresses in containerized environments by default

* Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-03-16 00:27:28 +02:00
Lunny Xiao
0cd87d64ff
Update docs and comments to remove macaron (#14491) 2021-01-29 16:35:30 +01:00
Anders Eurenius Runvald
01f991ac88
Update sshd_config (#13143)
Afaik, adding these lines does nothing unless the file(s) are present. Having them in let's admins supply certs instead of relying on TOFU.

Co-authored-by: zeripath <art27@cantab.net>
2020-10-14 13:01:11 -04:00
Wim
9066d09c57
Add ssh certificate support (#12281)
* Add ssh certificate support

* Add ssh certificate support to builtin ssh

* Write trusted-user-ca-keys.pem based on configuration

* Update app.example.ini

* Update templates/user/settings/keys_principal.tmpl

Co-authored-by: silverwind <me@silverwind.io>

* Remove unused locale string

* Update options/locale/locale_en-US.ini

Co-authored-by: silverwind <me@silverwind.io>

* Update options/locale/locale_en-US.ini

Co-authored-by: silverwind <me@silverwind.io>

* Update models/ssh_key.go

Co-authored-by: silverwind <me@silverwind.io>

* Add missing creation of SSH.Rootpath

* Update cheatsheet, example and locale strings

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

* Optimizations based on feedback

* Validate CA keys for external sshd

* Add filename option and change default filename

Add a SSH_TRUSTED_USER_CA_KEYS_FILENAME option which default is
RUN_USER/.ssh/gitea-trusted-user-ca-keys.pem

Do not write a file when SSH_TRUSTED_USER_CA_KEYS is empty.

Add some more documentation.

* Remove unneeded principalkey functions

* Add blank line

* Apply suggestions from code review

Co-authored-by: zeripath <art27@cantab.net>

* Add SSH_AUTHORIZED_PRINCIPALS_ALLOW option

This adds a SSH_AUTHORIZED_PRINCIPALS_ALLOW which is default
email,username this means that users only can add the principals
that match their email or username.

To allow anything the admin need to set the option anything.

This allows for a safe default in gitea which protects against malicious
users using other user's prinicipals. (before that user could set it).

This commit also has some small other fixes from the last code review.

* Rewrite principal keys file on user deletion

* Use correct rewrite method

* Set correct AuthorizedPrincipalsBackup default setting

* Rewrite principalsfile when adding principals

* Add update authorized_principals option to admin dashboard

* Handle non-primary emails

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Add the command actually to the dashboard template

* Update models/ssh_key.go

Co-authored-by: silverwind <me@silverwind.io>

* By default do not show principal options unless there are CA keys set or they are explicitly set

Signed-off-by: Andrew Thornton <art27@cantab.net>

* allow settings when enabled

* Fix typos in TrustedUserCAKeys path

* Allow every CASignatureAlgorithms algorithm

As this depends on the content of TrustedUserCAKeys we should allow all
signature algorithms as admins can choose the specific algorithm on their
signing CA

* Update models/ssh_key.go

Co-authored-by: Lauris BH <lauris@nix.lv>

* Fix linting issue

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: techknowlogick <matti@mdranta.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-10-10 20:38:09 -04:00
zeripath
d65cd5677a
Change default log configuration (#13088)
* Change default log configuration

This PR changes the install page and the docker default
logging configuration to match the suggested configuration
that I repeatedly end up suggesting on issues.

It further improves the logging configuration docs to
recommend specific instructions for how to configure logs
for posting to issues.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update docs/content/doc/advanced/logging-documentation.en-us.md
2020-10-10 18:19:50 +03:00
zeripath
ea69ec6f0f
Disable DSA ssh keys by default (#13056)
* Disable DSA ssh keys by default

OpenSSH has disabled DSA keys since version 7.0

As the docker runs openssh > v7.0 we should just disable
DSA keys by default.

Refers to #11417

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Just disable DSA keys by default

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Remove DSA type

* Fix Tests

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2020-10-09 09:52:57 +03:00
Adrian POIGET
99082eebd7
Fix; declare DOMAIN variable for docker setup (#10780)
In the /install form, the value for SSH Server Domain is taken form the DOMAIN variable
and overwrites SSH_DOMAIN environment variable set the first time if nothing done

Co-authored-by: Adrian POIGET <adrian.poiget@viveris.fr>
2020-05-04 10:50:29 +01:00
zeripath
0a96e59884 Fix #8453 by making openssh listen on SSH_LISTEN_PORT not SSH_PORT (#8477) 2019-10-12 23:45:00 +08:00
jpellegrini
852b8e2d81 Make AllowedUsers configurable in sshd_config (#8094)
docker/root/usr/bin/entrypoint already allows for the specification
of USER, USER_UID, USER_GID. But since AllowedUsers is hardcoded in
sshd_config, one cannot log in as a user different ftom git.
This change substitutes ${USER} for git in the sshd_config template.

Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>
2019-09-05 22:20:55 +02:00
leigh capili
70d2244e49 Support SSH_LISTEN_PORT env var in docker app.ini template (#7829)
Signed-off-by: leigh capili <leigh@null.net>
2019-08-24 01:44:24 +02:00
Christopher Thomas
75d4414386 Implement the ability to change the ssh port to match what is in the gitea config (#7286)
* - rearrange the templates to make it more logical because now ssh_config is a template
- implemented the updating of the port to the same as the port sent to the gitea config

* change the filename back
2019-07-06 21:57:53 -04:00
Marat Radchenko
e07ff2f890 [docker] Add LFS_START_SERVER option to control git-lfs support (#7281) 2019-06-24 01:33:56 -04:00
Sergey Dryabzhinsky
3fd18838aa Repository avatars (#6986)
* Repository avatars

- first variant of code from old work for gogs
- add migration 87
- add new option in app.ini
- add en-US locale string
- add new class in repository.less

* Add changed index.css, remove unused template name

* Update en-us doc about configuration options

* Add comments to new functions, add new option to docker app.ini

* Add comment for lint

* Remove variable, not needed

* Fix formatting

* Update swagger api template

* Check if avatar exists

* Fix avatar link/path checks

* Typo

* TEXT column can't have a default value

* Fixes:

- remove old avatar file on upload
- use ID in name of avatar file - users may upload same files
- add simple tests

* Fix fmt check

* Generate PNG instead of "static" GIF

* More informative comment

* Fix error message

* Update avatar upload checks:

- add file size check
- add new option
- update config docs
- add new string to en-us locale

* Fixes:

- use FileHEader field for check file size
- add new test - upload big image

* Fix formatting

* Update comments

* Update log message

* Removed wrong style - not needed

* Use Sync2 to migrate

* Update repos list view

- bigger avatar
- fix html blocks alignment

* A little adjust avatar size

* Use small icons for explore/repo list

* Use new cool avatar preparation func by @lafriks

* Missing changes for new function

* Remove unused import, move imports

* Missed new option definition in app.ini

Add file size check in user/profile avatar upload

* Use smaller field length for Avatar

* Use session to update repo DB data, update DeleteAvatar - use session too

* Fix err variable definition

* As suggested @lafriks - return as soon as possible, code readability
2019-05-29 22:22:26 -04:00
Jakob Ackermann
dab38c375d [docker] drop the docker Makefile from the image (#6507) 2019-05-05 22:49:32 -04:00