
deploy key duplicates are messing with ssh authentication #7921

Closed
@adrian-amaglio

  • Gitea version (or commit ref): docker gitea/gitea:1.7.1
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

  • I have two SSH keys for two nodes: A and B
  • I add A as a deploy key on a project P1: I can pull
  • I add B as a deploy key on a project P2: I can pull
  • I add A as a deploy key on a project P3: I can’t pull!

What is happening in the database

I can list my deploy keys in the PostgreSQL database:

  id | key_id | repo_id |       name       |                    fingerprint                     | mode | created_unix | updated_unix 
----+--------+---------+------------------+----------------------------------------------------+------+--------------+--------------
  1 |      2 |       3 | cd               | SHA256:KEY_A_FINGERPRINT                           |    1 |   1565707072 |   1565735452
  4 |      3 |       8 | B@b.net          | SHA256:KEY_B_FINGERPRINT                           |    2 |   1566288768 |   1566289144
  6 |      5 |       8 | ansible@somehost | SHA256:KEY_A_FINGERPRINT                           |    2 |   1566289506 |   1566289506

We can see that key A was used in two different repos with different names.

What is happening in gitea

Now let’s check the logs in the gitea container:

Aug 20 08:29:21 sshd[76]: Accepted publickey for git from <some-ip> port 47246 ssh2: RSA SHA256:KEY_A_FINGERPRINT
[Macaron] 2019-08-20 08:29:22: Started GET /api/internal/repo/adrian/dns for 127.0.0.1
[Macaron] 2019-08-20 08:29:22: Completed GET /api/internal/repo/adrian/dns 200 OK in 4.595033ms
[Macaron] 2019-08-20 08:29:22: Started GET /api/internal/ssh/2 for 127.0.0.1
[Macaron] 2019-08-20 08:29:22: Completed GET /api/internal/ssh/2 200 OK in 2.215019ms
[Macaron] 2019-08-20 08:29:22: Started GET /api/internal/repositories/8/has-keys/2 for 127.0.0.1
[Macaron] 2019-08-20 08:29:22: Completed GET /api/internal/repositories/8/has-keys/2 404 Not Found in 1.535969ms
Aug 20 08:29:22 sshd[78]: Received disconnect from <some-ip> port 47246:11: disconnected by user
Aug 20 08:29:22 sshd[78]: Disconnected from user git <some-ip> port 47246

So gitea is trying to authenticate me with the key id 2, which is the good key, but for my project /adrian/dns (id 8) its id is 5!
And this is why I can’t pull…

Reproducibility

I tried to create two repositories and add the same key twice on https://try.gitea.io/test_adrian but it worked fine.
I don’t know what information is missing to reproduce the bug…
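
The following Python is an added diagnostic example, not part of the original issue and not Gitea code. It cross-checks the table rows and log lines quoted above: it lists fingerprints stored under more than one key_id and, for each has-keys 404, reports whether the repository holds the same fingerprint under a different key_id. It assumes, following the issue author's reading of the logs, that the number in the has-keys path corresponds to the key_id column; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Rows copied from the deploy key table quoted in the issue:
# (id, key_id, repo_id, name, fingerprint)
DEPLOY_KEYS = [
    (1, 2, 3, "cd", "SHA256:KEY_A_FINGERPRINT"),
    (4, 3, 8, "B@b.net", "SHA256:KEY_B_FINGERPRINT"),
    (6, 5, 8, "ansible@somehost", "SHA256:KEY_A_FINGERPRINT"),
]

# Log lines copied from the issue (only the ones this check needs).
LOG = """\
Aug 20 08:29:21 sshd[76]: Accepted publickey for git from <some-ip> port 47246 ssh2: RSA SHA256:KEY_A_FINGERPRINT
[Macaron] 2019-08-20 08:29:22: Completed GET /api/internal/ssh/2 200 OK in 2.215019ms
[Macaron] 2019-08-20 08:29:22: Completed GET /api/internal/repositories/8/has-keys/2 404 Not Found in 1.535969ms
"""

# Assumption: the path is /repositories/<repo_id>/has-keys/<key_id>, as the author reads it.
HAS_KEYS = re.compile(
    r"Completed GET /api/internal/repositories/(\d+)/has-keys/(\d+) (\d{3})"
)


def duplicated_fingerprints(rows):
    """Return {fingerprint: [key_ids]} for fingerprints stored under several key_ids."""
    ids = defaultdict(set)
    for _id, key_id, _repo_id, _name, fingerprint in rows:
        ids[fingerprint].add(key_id)
    return {fp: sorted(k) for fp, k in ids.items() if len(k) > 1}


def explain_denials(log, rows):
    """For each has-keys 404, list other key_ids on that repo with the same fingerprint."""
    fp_of = {key_id: fp for _id, key_id, _repo_id, _name, fp in rows}
    findings = []
    for m in HAS_KEYS.finditer(log):
        repo_id, key_id, status = int(m[1]), int(m[2]), m[3]
        if status != "404":
            continue
        fp = fp_of.get(key_id)  # None if the checked key_id has no deploy key row
        same = sorted(k for _i, k, r, _n, f in rows
                      if r == repo_id and f == fp and k != key_id)
        findings.append({"repo_id": repo_id, "checked_key_id": key_id,
                         "fingerprint": fp, "same_fingerprint_key_ids": same})
    return findings


if __name__ == "__main__":
    print(duplicated_fingerprints(DEPLOY_KEYS))
    print(explain_denials(LOG, DEPLOY_KEYS))
```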
