Specify work-path in SSH authorized keys

[Gusted]

• This should prevent SSH failures from happening as described in Warn on SSH connection for incorrect configuration #19317

[zeripath]

I think this is a bodge but I guess we have to do it. It would be better to not have to depend on the work-path at all in when using gitea serv/hook and I'm surprised that this has sneaked in once again.

[zeripath]

I'll say this again:

I don't immediately understand why the work-path is even needed in gitea serv and I would much rather it was not necessary.

If anyone can determine why this has happened it would be very helpful because I'd rather get rid of this requirement COMPLETELY instead of adding more crap to the authorized_keys.

There may be a lot of keys in the authorized_keys file and this will make that file bigger and slower to parse. Whilst the authorizedkeyscommand functionality exists precisely to avoid slowdowns here - many people will not be aware and I'm fairly sure that our dockers still use authorized_keys instead of that command.

[wxiaoguang]

I don't immediately understand why the work-path is even needed in gitea serv and I would much rather it was not necessary.

I do not understand either, is there any detailed comment about why the SSH failures happens?

If it's a rare case, site admin could fine tune the config according to the document: "Possible keys are: AppPath, AppWorkPath, CustomConf, CustomPath", there are even more options for them.

[lunny]

RepoRootPath's default value depending on AppDataPath, AppDataPath's default value depending on AppWorkPath.

[wxiaoguang]

RepoRootPath's default value depending on AppDataPath, AppDataPath's default value depending on AppWorkPath.

Yup, there are too many path configs in Gitea's config system.

The question is: by default, these paths just work, the WorkPath is also auto detected by Gitea's binary file.

In my opinion, if and only if a site admin:

• put Gitea binary in a separate directory
• use relative path in app.ini
• set WorkPath by env to start gitea web
• then all other gitea commands also need to set WorkPath too.

In this case:

• The site admin should be able to set SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE to a correct value with -w manually
• All other gitea commands (like doctor?) also need to set the -w accordingly (but not only the serv)
• Adding more default cli arguments to SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE seems not resolving the problem fundamentally (there are other commands ....)
• To make the problem clear, from Gitea side:
  • Like 19317, add a clear error message to tell the user to use absolute paths in app.ini
  • Improve documents, tell users how to deal with such sitution if they use relative path in app.ini
  • Detect and deprecate relative paths in app.ini if the WorkPath doesn't match the binary path, or make Gitea accept WorkPath from config, then only one -c argument is needed for all cases.

That's why I think it's not necessary to make SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE more complex at the moment. Just my opinion, not blocker. Correct me if I am wrong.

[lunny]

Since the file is controlled by Gitea, I think we can merge this at the moment. And we can rewrite it after all paths have adjusted.

[lunny]

Please resolve the conflicts.

[zeripath]

How about we attempt to see if the AppDataPath is dependent on the WorkPath and only if it is dependent should we add the work-path option?

[techknowlogick]

Blocking per @zeripath 's comment. Mergers please feel free to dismiss this as needed. Just needed to set the blocker so it isn't merged without the additional investigation requested.

[wxiaoguang]

Quote my comments here (and close this one)

#23301 (comment)

#23301 (comment)

Instead of hacking and patching, we need a fundamental solution.