You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/content/doc/installation/with-docker.en-us.md
+14-8Lines changed: 14 additions & 8 deletions
Original file line number
Diff line number
Diff line change
@@ -317,15 +317,15 @@ To understand what needs to happen, you first need to understand what happens wi
317
317
4. The client then makes an SSH request to the SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
318
318
5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the server.
319
319
6. For each key the client provides, the SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the `git` user's `authorized_keys` file.
320
-
7. The first entry that matches will be selected, and asssuming this is a Gitea entry, the `command=` will now be executed.
320
+
7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
321
321
8. The SSH server creates a user session for the `git` user, and using the shell for the `git` user runs the `command=`
322
322
9. This runs `gitea serv` which takes over control of the rest of the SSH session and manages gitea authentication & authorization of the git commands.
323
323
324
324
Now, for SSH passthrough to work we need the host SSH to match the public keys but then run the `gitea serv` on the docker. There are multiple ways of doing this - however, all of these require some information about the docker being passed to the host.
325
325
326
326
### SSHing Shim (with authorized_keys)
327
327
328
-
In this option, the idea here is that the host simply uses the `authorized_keys` that gitea creates but at step 9 the `gitea` command that the host runs is a shim that actually runs ssh to go into the docker and then run the real docker `gitea` itself.
328
+
In this option, the idea is that the host simply uses the `authorized_keys` that gitea creates but at step 9 the `gitea` command that the host runs is a shim that actually runs ssh to go into the docker and then run the real docker `gitea` itself.
329
329
330
330
- To make the forwarding work, the SSH port of the container (22) needs to be mapped to the host port 2222 in `docker-compose.yml` . Since this port does not need to be exposed to the outside world, it can be mapped to the `localhost` of the host machine:
331
331
@@ -343,7 +343,7 @@ In this option, the idea here is that the host simply uses the `authorized_keys`
343
343
- USER_GID=1000
344
344
```
345
345
346
-
- Mount `/home/git/.ssh` of the host into the container. This ensures that the `authorized_keys` file is shared between the host `git` user and the container `git` user. Otherwise the SSH authentication cannot work inside the container.
346
+
- Mount `/home/git/.ssh` of the host into the container. This ensures that the `authorized_keys` file is shared between the host `git` user and the container `git` user otherwise the SSH authentication cannot work inside the container.
347
347
348
348
```yaml
349
349
volumes:
@@ -410,7 +410,7 @@ Here is a detailed explanation what is happening when a SSH request is made:
410
410
5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
411
411
6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file.
412
412
- Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found
413
-
7. The first entry that matches will be selected, and asssuming this is a Gitea entry, the `command=` will now be executed.
413
+
7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
414
414
8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`
415
415
9. This means that the host runs the host `/usr/local/bin/gitea` shim that opens an SSH from the host to container passing the rest of the command arguments directly to `/usr/local/bin/gitea` on the container.
416
416
10. Meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
@@ -425,9 +425,11 @@ SSH container passthrough using `authorized_keys` will work only if
425
425
426
426
If you try to run `gitea` on the host, you will attempt to ssh to the container and thence run the `gitea` command there.
427
427
428
+
Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface.
429
+
428
430
### SSHing Shell (with authorized_keys)
429
431
430
-
In this option, the idea here is that the host simply uses the `authorized_keys` that gitea creates but at step 8 above we change the shell that the host runs to ssh directly into the docker and then run the shell there. This means that the `gitea` that is then run is the real docker `gitea`.
432
+
In this option, the idea is that the host simply uses the `authorized_keys` that gitea creates but at step 8 above we change the shell that the host runs to ssh directly into the docker and then run the shell there. This means that the `gitea` that is then run is the real docker `gitea`.
431
433
432
434
- In this case we setup as per SSHing Shim except instead of creating `/usr/local/bin/gitea` or `/app/gitea/gitea`
433
435
we create a new shell for the git user. As an administrative user on the host run:
@@ -455,7 +457,7 @@ Here is a detailed explanation what is happening when a SSH request is made:
455
457
5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
456
458
6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file.
457
459
- Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found
458
-
7. The first entry that matches will be selected, and asssuming this is a Gitea entry, the `command=` will now be executed.
460
+
7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
459
461
8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`
460
462
9. The shell of the host `git` user is now our `ssh-shell` which opens an SSH connection from the host to container, (which opens a shell on the container for the container `git`).
461
463
10. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
@@ -470,6 +472,8 @@ SSH container passthrough using `authorized_keys` will work only if
470
472
471
473
If you try to login as the `git` user on the host in future you will ssh directly to the docker.
472
474
475
+
Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface.
476
+
473
477
### Docker Shell (with authorized_keys)
474
478
475
479
Similar to the above ssh shell technique we can use a shell which simply uses `docker exec`. As an administrative user on the host run:
@@ -494,12 +498,12 @@ Here is a detailed explanation what is happening when a SSH request is made:
494
498
5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
495
499
6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file.
496
500
- Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found
497
-
7. The first entry that matches will be selected, and asssuming this is a Gitea entry, the `command=` will now be executed.
501
+
7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
498
502
8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`
499
503
9. The shell of the host `git` user is now our `docker-shell` which uses `docker exec` to open a shell for the `git` user on the container.
500
504
10. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
501
505
502
-
Note that `gitea` in the docker command above is the name of the container. If you named yours differently, don't forget to change that. The host `git` user also have to have
506
+
Note that `gitea` in the docker command above is the name of the container. If you named yours differently, don't forget to change that. The host `git` user also has to have
503
507
permission to run `docker exec`.
504
508
505
509
**Notes**
@@ -619,4 +623,6 @@ SSH container passthrough using `AuthorizedKeysCommand` will work only if
619
623
620
624
If you try to login as the `git` user on the host in future you will `ssh` directly to the docker.
621
625
626
+
Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface.
0 commit comments