ansible-role-gitea
ansible-role-gitea copied to clipboard
thomas-maurice
Fix git ssh operations when using system sshd
If you use the system sshd the /bin/false shell will result in mysterios erros when trying to clone a repository, because /bin/false can not provide a login shell to enable ssh to execute commands.
Please refere tohttps://man.openbsd.org/sshd - Section Login Process
"9. Runs user's shell or command. All commands are run under the user's login shell as specified in the system password database."
Hey @firesoft-de ! Could you give me an example of cryptic error you get when using the system's sshd ?
To clarify: cryptic because there is not a single error code or reasonable error message to start debugging from.
The only information you get is from git:
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
auth.log, gitea.log or syslog doesn't provide anything. This is because the connection via ssh is successfully established and authentication checks are passed. This might be the reason why there are no log entries.
The only clue is that you can not start a shell (for obvious reasons).
If I remember correctly '/bin/false' is enough for the gitea when it uses the gitea built in ssh server. That's why I think this is a built-in default variable that can be customized.
Maybe it would be better to mention this more explicitly in the README?
https://github.com/thomas-maurice/ansible-role-gitea/blob/d3ab000e547ae7db3a3d49ff04d0efd6f7477922/defaults/main.yml#L12
I have never used the built in ssh server from gitea so this is all guessed....
Just noticed I forgot the second part of the commit. Sorry for that.
I've added a when statement to only activate the task when the user DOESN'T want to use the builtin server. This should keep the security aspect of using /bin/false in the builtin scenario and also provides a more out-of-the-box-solution for users with the system ssh server.
@DO1JLR Better?