Developer's notes


It’s possible to connect to a remote host over SSH using a public key. It’s a well-known feature which I use every day. The SSH protocol is also used by the git clone command. I was curious about how Gitea implements support for the SSH protocol. My first guess was a custom SSH server. I inspected my local Gitea installation and found that there was no custom SSH server running, just the default sshd. Surprisingly, when I ran the command ssh git@gitea I got the message:

Hi there, <username>! You’ve successfully authenticated with the key named <key name>, but Gitea does not provide shell access. If this is unexpected, please log in with password and setup Gitea under another user.

I looked at Gitea’s source code and found serv.go. This module performs git clone over SSH, but who calls it? I looked at the .ssh/authorized_keys file in the Gitea home directory and found a line like this:

command="/usr/local/bin/gitea --config=/etc/gitea/app.ini serv key-1",... ssh-rsa ...

man authorized_keys explains that the command option specifies a command that is executed instead of the default shell. So when I run git clone, git opens an SSH connection, the OpenSSH server checks my key and, if it is accepted, starts the Gitea serv module.

This OpenSSH feature allows you to restrict a given public key to a single specific operation. E.g. I can create a key and specify a command that calculates some server statistics. So if this key is compromised, the intruder can get only server statistics but can’t execute arbitrary code.
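The forced-command pattern described above, as an added example that is not from the post or from Gitea: a wrapper script that lets one key run only a fixed set of statistics commands, whatever the client actually asked for. The script path, the key, the command names and the `restrict` option on the authorized_keys line are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the post or from Gitea): a forced-command wrapper
# for a "statistics only" key. Hypothetical authorized_keys line:
#   restrict,command="/usr/local/bin/stats-only.sh" ssh-ed25519 AAAA... stats@example
# command= replaces the login shell; sshd puts what the client requested into
# SSH_ORIGINAL_COMMAND. restrict additionally disables pty allocation and
# port/agent/X11 forwarding, so the key cannot be used as a tunnel either.

# Map a client request to exactly one operation from a fixed table.
# Returns 0 and echoes the canonical command when allowed, 1 otherwise.
allowed_command() {
    case "$1" in
        uptime) echo "uptime" ;;
        disk)   echo "df -h /" ;;
        load)   echo "cat /proc/loadavg" ;;
        *)      return 1 ;;
    esac
}

# Entry point used when sshd runs this script as the forced command.
# The client's string is never executed; only the table entry it maps to is.
run_forced_command() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    cmd=$(allowed_command "$req") || {
        printf 'request "%s" is not permitted for this key\n' "$req" >&2
        return 1
    }
    # Audit trail in syslog when logger is available.
    command -v logger >/dev/null 2>&1 && logger -t stats-key "allowed request: $req"
    # eval is acceptable here only because $cmd comes from the fixed table above.
    eval "$cmd"
}

# Dispatch only when sshd invoked us (SSH_ORIGINAL_COMMAND is set by sshd
# for forced commands), so the functions can also be sourced for testing.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    run_forced_command
fi
```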

There are a lot more options for the authorized_keys file. I think the man page is worth reading. I learned a lot about a utility I have been using for a long time.