Make internal SSH server host key path configurable (#14918)

* Make SSH server host key path configurable * make it possible to have multiple keys * Make gitea.rsa the default key * Add some more logging Signed-off-by: Andrew Thornton <art27@cantab.net>
2025-10-31 10:56:10 +01:00 · 2021-03-08 02:43:59 +00:00
parent 78b7529cd4
commit c03f530212
10 changed files with 62 additions and 40 deletions
--- a/modules/ssh/ssh.go
+++ b/modules/ssh/ssh.go
@@ -259,28 +259,38 @@ func Listen(host string, port int, ciphers []string, keyExchanges []string, macs
 		},
 	}

-	keyPath := filepath.Join(setting.AppDataPath, "ssh/gogs.rsa")
-	isExist, err := util.IsExist(keyPath)
-	if err != nil {
-		log.Fatal("Unable to check if %s exists. Error: %v", keyPath, err)
+	keys := make([]string, 0, len(setting.SSH.ServerHostKeys))
+	for _, key := range setting.SSH.ServerHostKeys {
+		isExist, err := util.IsExist(key)
+		if err != nil {
+			log.Fatal("Unable to check if %s exists. Error: %v", setting.SSH.ServerHostKeys, err)
+		}
+		if isExist {
+			keys = append(keys, key)
+		}
 	}
-	if !isExist {
-		filePath := filepath.Dir(keyPath)
+
+	if len(keys) == 0 {
+		filePath := filepath.Dir(setting.SSH.ServerHostKeys[0])

 		if err := os.MkdirAll(filePath, os.ModePerm); err != nil {
 			log.Error("Failed to create dir %s: %v", filePath, err)
 		}

-		err := GenKeyPair(keyPath)
+		err := GenKeyPair(setting.SSH.ServerHostKeys[0])
 		if err != nil {
 			log.Fatal("Failed to generate private key: %v", err)
 		}
-		log.Trace("New private key is generated: %s", keyPath)
+		log.Trace("New private key is generated: %s", setting.SSH.ServerHostKeys[0])
+		keys = append(keys, setting.SSH.ServerHostKeys[0])
 	}

-	err = srv.SetOption(ssh.HostKeyFile(keyPath))
-	if err != nil {
-		log.Error("Failed to set Host Key. %s", err)
+	for _, key := range keys {
+		log.Info("Adding SSH host key: %s", key)
+		err := srv.SetOption(ssh.HostKeyFile(key))
+		if err != nil {
+			log.Error("Failed to set Host Key. %s", err)
+		}
 	}

 	go listen(&srv)
@@ -291,7 +301,7 @@ func Listen(host string, port int, ciphers []string, keyExchanges []string, macs
 // Public key is encoded in the format for inclusion in an OpenSSH authorized_keys file.
 // Private Key generated is PEM encoded
 func GenKeyPair(keyPath string) error {
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		return err
 	}