diff --git a/modules/ssh/init.go b/modules/ssh/init.go
index 432cda0c13..ebc17de69c 100644
--- a/modules/ssh/init.go
+++ b/modules/ssh/init.go
@@ -85,7 +85,9 @@ func Init(ctx context.Context) error {
 detailConcat := strings.Join(unexpectedKeys, "\n\t")
 log.Fatal("An unexpected ssh public key was discovered. Forgejo will shutdown to require this to be fixed. Fix by either:\n"+
 "Option 1: Delete the file %s, and Forgejo will recreate it with only expected ssh public keys.\n"+
- "Option 2: Permit unexpected keys by setting [server].SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS=true in Forgejo's config file.\n\t"+
+ "Option 2: Permit unexpected keys by setting [server].SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS=true in Forgejo's config file.\n"+
+ "Option 3: If unused, disable SSH support by setting [server].DISABLE_SSH=true in Forgejo's config file.\n"+
+ "\t"+
 detailConcat, filepath.Join(setting.SSH.RootPath, "authorized_keys"))
 }
 }
diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index e1b9125e7f..7dee8fa37e 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -115,6 +115,8 @@
 "alert.asset_load_failed": "Failed to load asset files from {path}. Please make sure the asset files can be accessed.",
 "alert.range_error": " must be a number between %[1]s and %[2]s.",
 "install.invalid_lfs_path": "Unable to create the LFS root at the specified path: %[1]s",
+ "install.ssh_authorized_keys_inspection_error": "Failed to inspect existing authorized_keys file: %v",
+ "install.ssh_authorized_keys_unexpected_key": "Enabling SSH for Forgejo conflicts with the file located at %s that contains existing SSH keys. Suggestions: use a dedicated system user for Forgejo, or disable SSH.",
 "profile.actions.tooltip": "More actions",
 "profile.edit.link": "Edit profile",
 "feed.atom.link": "Atom feed",
diff --git a/routers/init.go b/routers/init.go
index 7c52a6d6b6..adea646672 100644
--- a/routers/init.go
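Review bot: Option 3 in the log.Fatal message presents disabling Forgejo's SSH support as a way out of the conflict, but as far as this hunk shows the unexpected keys stay in the authorized_keys file at filepath.Join(setting.SSH.RootPath, "authorized_keys"), and if a system sshd reads that file they keep authorizing logins as the Forgejo user. Suggest extending the added line to `"Option 3: If unused, disable SSH support by setting [server].DISABLE_SSH=true in Forgejo's config file (the unexpected keys remain in the file and should still be reviewed).\n"+`. The separate `"\t"+` line could also be folded back into the preceding literal as `\n\t`, as it was before, so the format string stays at one literal per option. Init's body continues outside the hunk.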
+++ b/routers/init.go
@@ -9,7 +9,6 @@ import (
 "runtime"
 "forgejo.org/models"
- asymkey_model "forgejo.org/models/asymkey"
 auth_model "forgejo.org/models/auth"
 "forgejo.org/modules/cache"
 "forgejo.org/modules/eventsource"
@@ -95,10 +94,6 @@ func syncAppConfForGit(ctx context.Context) error {
 if updated {
 log.Info("re-sync repository hooks ...")
 mustInitCtx(ctx, repo_service.SyncRepositoryHooks)
-
- log.Info("re-write ssh public keys ...")
- mustInitCtx(ctx, asymkey_model.RewriteAllPublicKeys)
-
 return system.AppState.Set(ctx, runtimeState)
 }
 return nil
diff --git a/routers/install/install.go b/routers/install/install.go
index 63a3f965f4..243f4a8f19 100644
--- a/routers/install/install.go
+++ b/routers/install/install.go
@@ -15,6 +15,7 @@ import (
 "strings"
 "time"
+ "forgejo.org/models/asymkey"
 "forgejo.org/models/db"
 db_install "forgejo.org/models/db/install"
 "forgejo.org/models/gitea_migrations"
@@ -403,6 +404,25 @@ func SubmitInstall(ctx *context.Context) {
 } else {
 cfg.Section("server").Key("DISABLE_SSH").SetValue("false")
 cfg.Section("server").Key("SSH_PORT").SetValue(fmt.Sprint(form.SSHPort))
+
+ sshKeyErrors, err := asymkey.InspectPublicKeys(ctx)
+ if err != nil {
+ ctx.RenderWithErr(ctx.Tr("install.ssh_authorized_keys_inspection_error", err), tplInstall, &form)
+ return
+ }
+
+ var authorizedKeysWillCauseFatalError bool
+ for _, finding := range sshKeyErrors {
+ if finding.Type == asymkey.InspectionResultUnexpectedKey {
+ // Any single finding of this type would cause `ssh.Init` to have a fatal error on Forgejo startup, so
+ // let's note it here while the install page is still usable and allow users to deal with it.
+ authorizedKeysWillCauseFatalError = true
+ }
+ }
+ if authorizedKeysWillCauseFatalError {
+ ctx.RenderWithErr(ctx.Tr("install.ssh_authorized_keys_unexpected_key", filepath.Join(setting.SSH.RootPath, "authorized_keys")), tplInstall, &form)
+ return
+ }
 }
 if form.LFSRootPath != "" {
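Review bot: Removing the RewriteAllPublicKeys call from syncAppConfForGit means a change of the recorded app config no longer regenerates authorized_keys, and nothing in this diff shows where that regeneration now happens. If it moved to startup elsewhere, a one-line comment at the removed site such as `// authorized_keys is no longer rewritten here; startup inspection in modules/ssh covers it` would keep the asymmetry with the surviving `log.Info("re-sync repository hooks ...")` readable; if it was dropped outright, entries written under a previous app path would presumably persist until some other path rewrites them, which is worth confirming. syncAppConfForGit's beginning and closing brace lie outside the hunk.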
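Review bot: The scan loop in SubmitInstall keeps iterating after the first `InspectionResultUnexpectedKey` finding and discards every other finding type, so the admin only hears about an inspection result when it is of the fatal kind; adding `break` after `authorizedKeysWillCauseFatalError = true` ends the loop early, and logging the remaining findings (debug level is enough) would keep the non-fatal ones visible. The path shown in the rendered error is built from `setting.SSH.RootPath`, while the SSH settings from the form are only being written into `cfg` here; presumably `InspectPublicKeys` reads that same `setting.SSH.RootPath`, but confirm both agree with what the saved config will use, otherwise the install page may inspect a different file than the one `ssh.Init` checks at startup. The `else` branch belongs to an `if` whose start lies outside the hunk, and SubmitInstall continues past it.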