From 9fbcdbbd6000b9d317937123ea78d3f0ece5a4b5 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Thu, 15 Jan 2026 15:31:47 +0000 Subject: [PATCH] remove passthrough from the docs --- docs/installation/with-docker.md | 314 ------------------------------- 1 file changed, 314 deletions(-) diff --git a/docs/installation/with-docker.md b/docs/installation/with-docker.md index 6395d935..530b381b 100644 --- a/docs/installation/with-docker.md +++ b/docs/installation/with-docker.md @@ -331,320 +331,6 @@ services: - GITEA__security__INTERNAL_TOKEN=[value returned by generate secret INTERNAL_TOKEN] ``` -## SSH Container Passthrough - -Since SSH is running inside the container, SSH needs to be passed through from the host to the container if SSH support is desired. One option would be to run the container SSH on a non-standard port (or moving the host port to a non-standard port). Another option which might be more straightforward is for Gitea users to ssh to a Gitea user on the host which will then relay those connections to the docker. Alternatively, if the host machine has more than one IP address, the host can listen on one and Gitea on another. - -### Understanding SSH access to Gitea (without passthrough) - -To understand what needs to happen, you first need to understand what happens without passthrough. So we will try to explain this: - -1. The client adds their SSH public key to Gitea using the webpage. -2. Gitea will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`. -3. This entry has the public key, but also has a `command=` option. It is this command that Gitea uses to match this key to the client user and manages authentication. -4. The client then makes an SSH request to the SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`. -5. The client will attempt to authenticate with the server, passing one or more public keys one at a time to the server. -6. For each key the client provides, the SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the `git` user's `authorized_keys` file. -7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed. -8. The SSH server creates a user session for the `git` user, and using the shell for the `git` user runs the `command=` -9. This runs `gitea serv` which takes over control of the rest of the SSH session and manages gitea authentication & authorization of the git commands. - -Now, for the SSH passthrough to work, we need the host SSH to match the public keys and then run the `gitea serv` on the docker. There are multiple ways of doing this. However, all of these require some information about the docker being passed to the host. - -### SSHing Shim (with authorized_keys) - -In this option, the idea is that the host simply uses the `authorized_keys` that gitea creates but at step 9 the `gitea` command that the host runs is a shim that actually runs ssh to go into the docker and then run the real docker `gitea` itself. - -- To make the forwarding work, the SSH port of the container (22) needs to be mapped to the host port 2222 in `docker-compose.yml` . Since this port does not need to be exposed to the outside world, it can be mapped to the `localhost` of the host machine: - - ```yaml - ports: - # [...] - - "127.0.0.1:2222:22" - ``` - -- Next on the host create the `git` user which shares the same `UID`/ `GID` as the container values `USER_UID`/ `USER_GID`. These values can be set as environment variables in the `docker-compose.yml`: - - ```yaml - environment: - - USER_UID=1000 - - USER_GID=1000 - ``` - -- Mount `/home/git/.ssh` of the host into the container. This ensures that the `authorized_keys` file is shared between the host `git` user and the container `git` user otherwise the SSH authentication cannot work inside the container. - - ```yaml - volumes: - - /home/git/.ssh/:/data/git/.ssh - ``` - -- Now a SSH key pair needs to be created on the host. This key pair will be used to authenticate the `git` user on the host to the container. As an administrative user on the host run: (by administrative user we mean a user that can sudo to root) - - ```bash - sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" - ``` - -- Please note depending on the local version of ssh you may want to consider using `-t ecdsa` here. - -- `/home/git/.ssh/authorized_keys` on the host now needs to be modified. It needs to act in the same way as `authorized_keys` within the Gitea container. Therefore add the public key of the key you created above ("Gitea Host Key") to `/home/git/.ssh/authorized_keys`. As an administrative user on the host run: - - ```bash - sudo -u git cat /home/git/.ssh/id_rsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys - sudo -u git chmod 600 /home/git/.ssh/authorized_keys - ``` - - Important: The pubkey from the `git` user needs to be added "as is" while all other pubkeys added via the Gitea web interface will be prefixed with `command="/usr [...]`. - - `/home/git/.ssh/authorized_keys` should then look somewhat like - - ```bash - # SSH pubkey from git user - ssh-rsa - - # other keys from users - command="/usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty - ``` - -- The next step is to create the fake host `gitea` command that will forward commands from the host to the container. The name of this file depends on your version of Gitea: - - - For Gitea v1.16.0+. As an administrative user on the host run: - - ```bash - cat <<"EOF" | sudo tee /usr/local/bin/gitea - #!/bin/sh - ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@" - EOF - sudo chmod +x /usr/local/bin/gitea - ``` - -Here is a detailed explanation what is happening when a SSH request is made: - -1. The client adds their SSH public key to Gitea using the webpage. -2. Gitea in the container will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`. - - However, because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key has been added to the host `git` user's `authorized_keys` file too. -3. This entry has the public key, but also has a `command=` option. - - This command matches the location of the Gitea binary on the container, but also the location of the shim on the host. -4. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`. -5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host. -6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file. - - Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found -7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed. -8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=` -9. This means that the host runs the host `/usr/local/bin/gitea` shim that opens an SSH from the host to container passing the rest of the command arguments directly to `/usr/local/bin/gitea` on the container. -10. Meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands. - -**Notes** - -SSH container passthrough using `authorized_keys` will work only if - -- `opensshd` is used in the container -- if `AuthorizedKeysCommand` is _not used_ in combination with `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable authorized files key generation -- `LOCAL_ROOT_URL` is not changed (depending on the changes) - -If you try to run `gitea` on the host, you will attempt to ssh to the container and thence run the `gitea` command there. - -Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface. - -### SSHing Shell (with authorized_keys) - -In this option, the idea is that the host simply uses the `authorized_keys` that gitea creates but at step 8 above we change the shell that the host runs to ssh directly into the docker and then run the shell there. This means that the `gitea` that is then run is the real docker `gitea`. - -- In this case we setup as per SSHing Shim except instead of creating `/usr/local/bin/gitea` -we create a new shell for the git user. As an administrative user on the host run: - - ```bash - cat <<"EOF" | sudo tee /home/git/ssh-shell - #!/bin/sh - shift - ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $@" - EOF - sudo chmod +x /home/git/ssh-shell - sudo usermod -s /home/git/ssh-shell git - ``` - - Be careful here - if you try to login as the git user in future you will ssh directly to the docker. - -Here is a detailed explanation what is happening when a SSH request is made: - -1. The client adds their SSH public key to Gitea using the webpage. -2. Gitea in the container will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`. - - However, because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key has been added to the host `git` user's `authorized_keys` file too. -3. This entry has the public key, but also has a `command=` option. - - This command matches the location of the Gitea binary on the container. -4. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`. -5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host. -6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file. - - Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found -7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed. -8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=` -9. The shell of the host `git` user is now our `ssh-shell` which opens an SSH connection from the host to container, (which opens a shell on the container for the container `git`). -10. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands. - -**Notes** - -SSH container passthrough using `authorized_keys` will work only if - -- `opensshd` is used in the container -- if `AuthorizedKeysCommand` is _not used_ in combination with `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable authorized files key generation -- `LOCAL_ROOT_URL` is not changed (depending on the changes) - -If you try to login as the `git` user on the host in future you will ssh directly to the docker. - -Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface. - -### Docker Shell (with authorized_keys) - -Similar to the above ssh shell technique we can use a shell which simply uses `docker exec`. As an administrative user on the host run: - -```bash -cat <<"EOF" | sudo tee /home/git/docker-shell -#!/bin/sh -/usr/bin/docker exec -i -u git --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@" -EOF -sudo chmod +x /home/git/docker-shell -sudo usermod -s /home/git/docker-shell git -``` - -Here is a detailed explanation what is happening when a SSH request is made: - -1. The client adds their SSH public key to Gitea using the webpage. -2. Gitea in the container will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`. - - However, because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key has been added to the host `git` user's `authorized_keys` file too. -3. This entry has the public key, but also has a `command=` option. - - This command matches the location of the Gitea binary on the container. -4. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`. -5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host. -6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file. - - Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found -7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed. -8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=` -9. The shell of the host `git` user is now our `docker-shell` which uses `docker exec` to open a shell for the `git` user on the container. -10. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands. - -Note that `gitea` in the docker command above is the name of the container. If you named yours differently, don't forget to change that. The host `git` user also has to have -permission to run `docker exec`. - -**Notes** - -Docker shell passthrough using `authorized_keys` will work only if - -- `opensshd` is used in the container -- if `AuthorizedKeysCommand` is _not used_ in combination with `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable authorized files key generation -- `LOCAL_ROOT_URL` is not changed (depending on the changes) - -If you try to login as the `git` user on the host in future you will `docker exec` directly to the docker. - -A Docker execing shim could be created similarly to above. - -### Docker Shell with AuthorizedKeysCommand - -The AuthorizedKeysCommand route provides another option that does not require many changes to the compose file or the `authorized_keys` - but does require changes to the host `/etc/sshd_config`. - -In this option, the idea is that the host SSH uses an `AuthorizedKeysCommand` instead of relying on sharing the `authorized_keys` file that gitea creates. We continue to use a special shell at step 8 above to exec into the docker and then run the shell there. This means that the `gitea` that is then run is the real docker `gitea`. - -- On the host create a `git` user with permission to run `docker exec`. -- We will again assume that the Gitea container is called `gitea`. -- Modify the `git` user's shell to forward commands to the `sh` executable inside the container using `docker exec`. As an administrative user on the host run: - - ```bash - cat <<"EOF" | sudo tee /home/git/docker-shell - #!/bin/sh - /usr/bin/docker exec -i -u git --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@" - EOF - sudo chmod +x /home/git/docker-shell - sudo usermod -s /home/git/docker-shell git - ``` - -Now all attempts to login as the `git` user on the host will be forwarded to the docker - including the `SSH_ORIGINAL_COMMAND`. We now need to set-up SSH authentication on the host. - -We will do this by leveraging the [SSH AuthorizedKeysCommand](../administration/command-line.md#keys) to match the keys against those accepted by Gitea. - -Add the following block to `/etc/ssh/sshd_config`, on the host: - -```bash -Match User git - AuthorizedKeysCommandUser git - AuthorizedKeysCommand /usr/bin/docker exec -i -u git gitea /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k -``` - -(From 1.16.0 you will not need to set the `-c /data/gitea/conf/app.ini` option.) - -Finally restart the SSH server. As an administrative user on the host run: - -```bash -sudo systemctl restart sshd -``` - -Here is a detailed explanation what is happening when a SSH request is made: - -1. The client adds their SSH public key to Gitea using the webpage. -2. Gitea in the container will add an entry for this key to its database. -3. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`. -4. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host. -5. For each key the client provides, the host SSH server will checks its configuration for an `AuthorizedKeysCommand`. -6. The host runs the above `AuthorizedKeysCommand`, which execs in to the docker and then runs the `gitea keys` command. -7. Gitea on the docker will look in it's database to see if the public key matches and will return an entry like that of an `authorized_keys` command. -8. This entry has the public key, but also has a `command=` option which matches the location of the Gitea binary on the container. -9. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`. -10. The shell of the host `git` user is now our `docker-shell` which uses `docker exec` to open a shell for the `git` user on the container. -11. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands. - -**Notes** - -Docker shell passthrough using `AuthorizedKeysCommand` will work only if - -- The host `git` user is allowed to run the `docker exec` command. - -If you try to login as the `git` user on the host in future you will `docker exec` directly to the docker. - -A Docker execing shim could be created similarly to above. - -### SSH Shell with AuthorizedKeysCommand - -Create a key for the host `git` user as above, add it to the docker `/data/git/.ssh/authorized_keys` then finally create and set the `ssh-shell` as above. - -Add the following block to `/etc/ssh/sshd_config`, on the host: - -```bash -Match User git - AuthorizedKeysCommandUser git - AuthorizedKeysCommand /usr/bin/ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k -``` - -(From 1.16.0 you will not need to set the `-c /data/gitea/conf/app.ini` option.) - -Finally restart the SSH server. As an administrative user on the host run: - -```bash -sudo systemctl restart sshd -``` - -Here is a detailed explanation what is happening when a SSH request is made: - -1. The client adds their SSH public key to Gitea using the webpage. -2. Gitea in the container will add an entry for this key to its database. -3. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`. -4. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host. -5. For each key the client provides, the host SSH server will checks its configuration for an `AuthorizedKeysCommand`. -6. The host runs the above `AuthorizedKeysCommand`, which will SSH in to the docker and then run the `gitea keys` command. -7. Gitea on the docker will look in it's database to see if the public key matches and will return an entry like that of an `authorized_keys` command. -8. This entry has the public key, but also has a `command=` option which matches the location of the Gitea binary on the container. -9. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`. -10. The shell of the host `git` user is now our `git-shell` which uses SSH to open a shell for the `git` user on the container. -11. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands. - -**Notes** - -SSH container passthrough using `AuthorizedKeysCommand` will work only if - -- `opensshd` is running on the container - -If you try to login as the `git` user on the host in future you will `ssh` directly to the docker. - -Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface. - -SSHing shims could be created similarly to above. - ### SSH with multiple IP addresses This assumes that the host machine has more than one reachable IP address: `192.168.1.1` (host) `192.168.1.2` (gitea) On the host machine, configure SSHD in `/etc/ssh/sshd_config` to listen on one IP address `ListenAddress 192.168.1.1`. In the compose file the SSH port forwarding then needs to be changed to `"192.168.1.2:22:22"`. The port forwarding needs to be adjusted similarily for all other forwarded ports to avoid problems with DNS.