git ssh does not work for users with upper case letters #483
Description
I am trying to use ssh to clone a public gist I created for testing.
cloning with https work fine but ssh is not working.
I use haproxy as reverse proxy but the problem is not the reverse proxy since even using a direct connection to host gives the same output.
testing the ssh connection
My compose
opengist:
image: ghcr.io/thomiceli/opengist:latest
container_name: git_opengist
healthcheck:
# test: |
# curl -ILkfs --max-time 3 https://localhost:9898/ping > /dev/null \
# || curl -ILfs --max-time 3 http://localhost:8989/ping > /dev/null \
# || exit 1
test: |
curl -Lkfs --max-time 3 http://localhost:6157/healthcheck > /dev/null \
|| exit 1
start_period: 10s
interval: 30s
timeout: 20s
retries: 3
depends_on:
postgres:
condition: service_healthy
environment:
TZ: ${TZ}
OG_DB_URI: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:${POSTGRES_PORT}/${POSTGRES_OPENGIST_DB}
OG_EXTERNAL_URL: ${OG_EXTERNAL_URL}
OG_HTTP_PORT: ${OG_HTTP_PORT}
OG_SSH_PORT: ${OG_SSH_PORT}
OG_GITEA_CLIENT_KEY: ${OG_GITEA_CLIENT_KEY}
OG_GITEA_SECRET: ${OG_GITEA_SECRET}
OG_GITEA_URL: https://${GITEA_DOMAIN}
OG_GITEA_NAME: ${OG_GITEA_NAME}
OG_METRICS_ENABLED: false
OG_LOG_LEVEL: debug
volumes:
- /srv/docker/git/opengist:/opengist
networks:
- git_network
extra_hosts:
- "host.docker.internal:host-gateway"
ports:
- "${OG_HTTP_PORT}:${OG_HTTP_PORT}" # HTTP
- "${OG_SSH_PORT}:${OG_SSH_PORT}" # SSH
restart: unless-stoppedand the envs:
### OPENGIST CONFIGURATION ###
OG_EXTERNAL_URL=https://gist.domain.org
OG_HTTP_PORT=6157
OG_SSH_PORT=11223checking the ssh connection:
telnet gist.domain.org 11223
Trying 172.31.255.20...
Connected to gist.domain.org.
Escape character is '^]'.
SSH-2.0-Go
Connection closed by foreign host.
so ssh over the reverse proxy works
I've already added my keys to my user.
trying ssh
ssh -p 11223 [email protected]
Successfully connected to Opengist SSH server.
Connection to gist.domain.org closed.
everything looks good, the server is accepting the keys and connects over ssh.
now, creating a public gist called test and set the url to test.
the ssh url on the opengist is
ssh://gist.domain.org:11223/Emx/test.git
Emx is my user which is coming from Gitea oauth.
then trying to clone it
git clone --verbose ssh://gist.domain.org:11223/Emx/test.git
Cloning into 'test'...
Opengist: gist not found
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Deletion of directory 'test' failed. Should I try again? (y/n)
trying git clone directly without reverse proxy to remove the complications. (since the port numbers are the same, this should also work)
git clone --verbose ssh://dockerhost.domain.org:11223/Emx/test.git
Cloning into 'test'...
Opengist: gist not found
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
the issue remains.
configuration:
and the local
git version 2.50.0.windows.1
There is nothing on the opengist logs. No failures or warnings.
I have tested this further by creating a temporary user with name all lower case . I think the issue is the upper case letter in the Gitea User Emx
When there is a upper case letter in the username, opengist does not normalize this or it needs to respect the upper case letter when creating the repos due to linux case sensitivity.
I have tried to change this username to emx but it gave me internal error. Then I changed this to emx1 first, then changed it again to emx.
Now it is all lower case.
Tried again with git clone
now it works
Cloning into 'test'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 7 (delta 4), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (7/7), done.
Resolving deltas: 100% (4/4), done.
Additionally, I have noticed one more thing which can be considered a security issue.
When a ssh key is added for user1, you cannot add the same key for user2. However, server accepts all keys regardless of the user. So technically, user1 can access to all private repos of all other users. I am not really sure if I missed anything here since I don't have enough knowledge about the topic.
Edit: One more thing, apparently if the repo name contains upper case letters, the same thing happens.