Kernel version | Linux DietPi 5.10.103-v8+ #1529 SMP PREEMPT Tue Mar 8 12:26:46 GMT 2022 aarch64 GNU/Linux
SBC model | RPi4
Power supply used | Official 5A supply
SD card used | Sandisk ultra
Additional Information (if applicable)
Software title | gitea
Was the software title installed freshly or updated/migrated? New Install
Can this issue be replicated on a fresh installation of DietPi? Unsure
Steps to reproduce
Add a user & their SSH key.
Create a repo.
Add it as an SSH remote to a client.
Attempt to push.
Cannot push/pull to repos via Gitea if authenticating using SSH.
The client insists on asking for a password to the remote host. No password works and the server (dropbear) logs a User account 'gitea' is locked each time I make an attempt.
HTTP auth works fine.
The keypair works on Github so I trust that is working fine. I also use the same keypair when SSHing into the RPi itself, with no apparent issues.
Multiple clients with different keys hit the same problem.
At first I thought it was because I had routed Gitea through an NGINX reverse proxy, but even after removing that, I have the same issue.
My symptoms sound the same as Troubles SSHing to Gitea, but I don’t get the same error from Dropbear (just the account locked message), or any other errors from Gitea. I tried giving gitea shell access anyway, but it didn’t help.
OK, it turned out to be a couple issues from the combo of Gitea and Dropbear on Dietpi:
The dropbear version shipped with dietpi is quite old, and doesn’t support the fairly standard ed25519 keytype. RSA keys also didn’t work because they are disabled on most clients. I had to override the clients to allow +ssh-rsa, which isn’t secure, but is fine on my local only install. I’d recommend updating the Dropbear shipped in Dietpi to a version that can handle more recent SSH key types.
I had already tried it, but verified that the Gitea user needs shell access as described in the other thread. It would be great if this wasn’t necessary but I don’t know enough about how Gitea works to tighten it up otherwise.