Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Passing the pubkey to ssh-keygen is sufficient to verify an SSH signing key #28505

Closed
Ma27 opened this issue Dec 18, 2023 · 2 comments · Fixed by #28509
Closed

Passing the pubkey to ssh-keygen is sufficient to verify an SSH signing key #28505

Ma27 opened this issue Dec 18, 2023 · 2 comments · Fixed by #28509
Labels
type/bug

Comments

@Ma27
Copy link

Ma27 commented Dec 18, 2023

Description

When verifying an SSH key to use it for signatures, gitea instructs to pipe a token to ssh-keygen -Y sign -n gitea -f /path_to_your_privkey:

https://github.com/go-gitea/gitea/blob/v1.21.2/templates/user/settings/keys_ssh.tmpl#L81

This is however not doable when the private key is on e.g. a smartcard (like a YubiKey) and SSH is done via an agent (which is what most people are probably doing anyways regardless of whether they use a hardware token).

In (at least) cases like this you can/need to pass the file containing the public key to ssh-keygen and the agent takes care of the rest.

Since this was changed from pubkey to private key in #20112 (cc @rluetzner @6543 @wxiaoguang ) I decided to not just revert it, but file a bug to discuss this first.

Ideally, it should be explained in the UI here that both variants are possible or link to appropriate docs.

Gitea Version

1.21.2

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

NixOS 23.05

How are you running Gitea?

I deploy gitea on NixOS with the NixOS module.
This is not relevant to the issue itself because the instructions for verifying an SSH key are always the same.

Database

PostgreSQL
@Ma27 Ma27 added the type/bug label Dec 18, 2023
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 18, 2023
edited
Loading

No idea why Gitea should explain everything on its UI, since users should figure out how to use SSH-related (all including any third-party) tools independently, by reading their manual carefully (man ssh-keygen) or learn from some official tutorials.

To sign, the private key should always be used, while ssh-keygen could find/use the private key by public key through the agent.

Maybe the simplest approach is to change the prompt to path_to_your_PrivateKey_or_AgentPublicKey

@Ma27
Copy link
Author

Ma27 commented Dec 18, 2023

I wouldn't expect a lot of people to know precisely how singing via ssh-keygen works. And this is a security feature at the end of the day, so I think a bit of help is a good thing here (gitea already demonstrates how to sign the token in the first place). I mean, one of the reasons why many people dislike GPG is because it's extremely inconvenient to use, so assistance is a good thing here.

To sign, the private key should always be used, while ssh-keygen could find/use the private key by public key through the agent.

correct.

Maybe the simplest approach is to change the prompt to path_to_your_PrivateKey_or_AgentPublicKey

Yeah, agreed.

@wxiaoguang wxiaoguang mentioned this issue Dec 18, 2023
Merged
lunny pushed a commit that referenced this issue Dec 18, 2023
@wxiaoguang
Improve the prompt for "ssh-keygen sign" (#28509)
bf8b082 
Close #28505, ref:
* #20112 (comment)
* #28505 (comment)
@GiteaBot GiteaBot mentioned this issue Dec 18, 2023
Merged
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Dec 18, 2023
@wxiaoguang @GiteaBot
Improve the prompt for "ssh-keygen sign" (go-gitea#28509)
1de37ce 
Close go-gitea#28505, ref:
* go-gitea#20112 (comment)
* go-gitea#28505 (comment)
wxiaoguang added a commit that referenced this issue Dec 18, 2023
@GiteaBot @wxiaoguang
Improve the prompt for "ssh-keygen sign" (#28509) (#28510)
4462628 
Backport #28509 by wxiaoguang

Close #28505

Co-authored-by: wxiaoguang <[email protected]>
fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this issue Jan 17, 2024
@wxiaoguang @fuxiaohei
Improve the prompt for "ssh-keygen sign" (go-gitea#28509)
5fc73c2 
Close go-gitea#28505, ref:
* go-gitea#20112 (comment)
* go-gitea#28505 (comment)
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 2, 2024
silverwind pushed a commit to silverwind/gitea that referenced this issue Feb 20, 2024
@wxiaoguang @silverwind
Improve the prompt for "ssh-keygen sign" (go-gitea#28509)
764b3b7 
Close go-gitea#28505, ref:
* go-gitea#20112 (comment)
* go-gitea#28505 (comment)
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Improve the prompt for "ssh-keygen sign" wxiaoguang/gitea
2 participants
@wxiaoguang @Ma27