Manage SSH keys will accept DSA keys even if opensshd is refusing them

[bjj]

• Gitea version (or commit ref): 1.12.0+dev-320-g4a04740da (docker image d0d4dd915d2e)
• Git version:
• Operating system: Docker on a Synology NAS
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

There is no warning if you click "Add Key" and add a valid DSA public key to your account when openssh will not accept it (that has been the default since 7.0). The result is the usual "Permission denied (publickey)" although if you ssh -v you see "not in PubkeyAcceptedKeyTypes".

Screenshots

[CirnoT]

This can be configured in config https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample#L345
Perhaps we should consider updating defaults if that is the case however?

[bjj]

The app.ini.sample says Define allowed algorithms and their minimum key length (use -1 to disable a type) but the code actually merges the config array with a default value ignoring -1:

SSH.MinimumKeySizeCheck = sec.Key("MINIMUM_KEY_SIZE_CHECK").MustBool()
minimumKeySizes := Cfg.Section("ssh.minimum_key_sizes").Keys()
for _, key := range minimumKeySizes {
	if key.MustInt() != -1 {
		SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt()
	}
}

The default value includes all key types: MinimumKeySizes: map[string]int{"ed25519": 256, "ecdsa": 256, "rsa": 2048, "dsa": 1024}, so it cannot be disabled with -1 as described.

I set it to 99999, which works, but gives this error: Can not verify your SSH key: key length is not enough: got 1024, needs 99999

[zeripath]

The best solution would be if you can find a command which will allow us to query the running sshd server to check whether it would accept a key.

[zeripath]

@bjj that looks like (yet another bug) do you fancy putting up a PR to fix that? - FIXED

[stale]

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

[stale]

This issue has been automatically closed because of inactivity. You can re-open it if needed.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.