Ssh only works for ldap users?

I have a gitea server running on my FB which offers to clone repos via ssh using the user git.

Problem Description
While ssh is running fine with my FB users, and the pubkey authorization also seems to work with the pubkey uploaded to gitea, the connection is closed by the server immediately.

ssh git@<mydomain>.net

Connection closed by 92.116.13.6 port 22

Steps to Reproduce

  1. If it hasn’t yet, your git user needs a home folder containing a .ssh/authorized_keys file.
    With .ssh on 0700 and authorized_keys 0600 permissions.
  2. Install gitea according to https://docs.gitea.io/en-us/install-from-binary/
  3. (Reverse)Proxy the gitea server to <yourdomain.com>/gitea (e.g.) like we wrote at [Solved] HowTo setup a subdomain and reverse proxy in FBox?
  4. Register a user and add a ssh pubkey in its settings.
  5. Don’t use the builtin ssh-server in gitea but the one on freedombox in app.ini
  6. Try to connect to user git via ssh
ssh git@<yourdomain.com>

Expected Results
I should be able to log in, shouldn’t I? Or at least I should be able to git pull or clone under that address, which also doesn’t work.

Actual results
As stated above, the connection is closed immediately.

ssh -vvv

[snip]
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp SHA256:[some key]
debug3: sign_and_send_pubkey: RSA SHA256:[the exact same key]
debug3: send packet: type 50
Connection closed by 92.116.13.6 port 22

I ask myself if that can have to do with the user administration in Freedombox? As I can perfectly log in as an FB-user but not with the system-user git.

Information

  • FreedomBox version: 20.5
  • Hardware: odroidxu4
  • How did you install FreedomBox?: Repository, apt, on Debian10 (Armbian)

So for now I tried a lot to make this work. And have some things to add to OP:

  • I gave the git user a password and opened the sshd for password authentication. I could not log into ssh with password.
    • It threw the exact same message when using ssh -vvv
  • Still logging in with my main user works without any problem.
  • I guess that means that the problem is absolutely not gitea specific but due to the configuration of sshd.

So I ask myself (and whomever it may concern) what might be the difference between my FB-user and the system user git.

groups myuser shows that he belongs to
users turnserver admin bit-torrent web-search wiki git-access
while the same for git throws
git ssh
whereas I myself have put git into the ssh group.

As far as I understand, the main user groups aren’t found in /etc/group; I cannot put git e.g. into the admin group. And I’m not sure if that means that I have to get git into those ldap-groups in some way to make ssh work for user git.

Any expertise welcome! :exploding_head:

Please check the System > Security page, there is an option to “Restrict console logins”. If enabled, it restricts SSH login to users in the “admin” group.

YES! That fixed it. Thanks for saving me lots of hours of further trial and error.

Is there a way to keep that restriction and only put git into admin group?
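
To check the condition described in the reply above (SSH login limited to the "admin" group) against an account such as git, here is an added example that is not part of the original thread. It assumes group membership is the only criterion, and its function names and the script name check_login.sh are hypothetical. `id -nG` resolves groups through NSS, so it also sees groups that live in LDAP rather than in /etc/group.

```shell
#!/bin/sh
# Added example: compare an account's groups, as NSS resolves them (local files
# plus any directory such as LDAP), with the group a login restriction requires.

# group_source GROUP FILE: "local" if GROUP is defined in the group(5)-format
# FILE, "directory" if only NSS resolves it, "missing" otherwise.
group_source() {
    if awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }' "$2"; then
        echo local
    elif getent group "$1" >/dev/null 2>&1; then
        echo directory
    else
        echo missing
    fi
}

# has_group GROUP NAME...: succeeds if GROUP is among the remaining words.
has_group() {
    want=$1; shift
    for g in "$@"; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# check_login USER REQUIRED_GROUP [GROUP_FILE]: report whether USER passes a
# membership test on REQUIRED_GROUP and where that group is defined.
# Returns 0 if a member, 1 if not, 2 if the account does not resolve.
check_login() {
    user=$1; required=$2; file=${3:-/etc/group}
    memberships=$(id -nG "$user" 2>/dev/null) || {
        echo "$user: no such account"; return 2; }
    src=$(group_source "$required" "$file")
    # Unquoted on purpose: split the group list into separate words.
    if has_group "$required" $memberships; then
        echo "$user is in '$required' (group source: $src)"
    else
        echo "$user is not in '$required' (group source: $src)"
        return 1
    fi
}

# Run as: sh check_login.sh git admin
if [ "$#" -ge 2 ]; then check_login "$@"; fi
```

A group source of "directory" means the required group cannot be edited through /etc/group and has to be managed wherever the directory users are managed.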