Proposal: support ssh certificates #12224

42wim · 2020-07-12T16:59:12Z

Description

This way users can get access without uploading a public ssh key, instead they are verified against a ssh CA.

This will need extra sshd configuration like this

AuthorizedPrincipalsFile .ssh/authorized_principals
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem

.ssh/authorized_principals basically need to output the same as the authorized_keys file eg

command="/app/gitea/gitea serv key-1 --config='/data/gitea/conf/app.ini'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty principal

The difference is the principal instead of the ssh key, this should match the valid principals in your ssh certificate.

In our case this will match with the usernames in gitea.

In the GUI there should be an option for a user to:

In the configfile, there should be an option to specify the system-wide CA (the contents of /etc/ssh/trusted-user-ca-keys.pem)

It's possible to fit this in the public_key table by putting the correct principal in the content field instead of the ssh-key

I'm prepared to work on this.

The text was updated successfully, but these errors were encountered:

lunny added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Jul 13, 2020

42wim mentioned this issue Jul 20, 2020

Add ssh certificate support #12281

Merged

techknowlogick closed this as completed in #12281 Oct 11, 2020

go-gitea locked and limited conversation to collaborators Nov 24, 2020