kgess-mirror/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-01-16 23:12:07 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 19
Beyond coding. We forge.
23973 commits 28 branches 271 tags 214 MiB
Find a file
mfenniak 99dd35d3e4 feat: ensure only expected ssh public keys are in authorized_keys file (#10010) 
A security vulnerability that was fixed in #9840 had the potential to corrupt the `authorized_keys` file that Forgejo is managing to allow ssh access.  In the event that it was corrupted, the existing behaviour of Forgejo is to maintain the contents that it finds in the `authorized_keys` file, potentially making an exploit of a Forgejo server persistent despite attempts to rewrite the key file.

This feature adds a new layer of security resiliency in order to prevent persistent ssh key corruption.  When Forgejo starts up, if relevant, Forgejo will read the `authorized_keys` file and validate the file's contents.  If any keys are found in the file that are not expected, then Forgejo will terminate its startup in order to signal to the server administrator that a critical security risk is present that must be addressed:

```
2025/11/07 10:13:50 modules/ssh/init.go:86:Init() [F] An unexpected ssh public key was discovered. Forgejo will shutdown to require this to be fixed. Fix by either:
Option 1: Delete the file /home/forgejo/.ssh/authorized_keys, and Forgejo will recreate it with only expected ssh public keys.
Option 2: Permit unexpected keys by setting [server].SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS=true in Forgejo's config file.
        Unexpected key on line 1 of /home/forgejo/.ssh/authorized_keys
        Unexpected key on line 2 of /home/forgejo/.ssh/authorized_keys
        Unexpected key on line 3 of /home/forgejo/.ssh/authorized_keys
        Unexpected key on line 4 of /home/forgejo/.ssh/authorized_keys
        Unexpected key on line 5 of /home/forgejo/.ssh/authorized_keys
```

As noted in the log message, the server administrator can address this problem in one of two ways:
- If they delete the file that contains the unexpected keys, Forgejo will regenerate it containing only the expected keys from the Forgejo database.
- If they would like to run their server with ssh keys that are not managed by Forgejo (for example, if they're reusing a `git` ssh user that is accessed through `git@server` and does not invoke Forgejo's ssh handlers), then they can disable the new security check by setting `[server].SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS = true` in their `app.ini`.

**This is a breaking change**: the default behaviour is to be restrictive in the contents of `authorized_keys` in order to ensure that server administrators with unexpected keys in `authorized_keys` are aware of those keys.

If `SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS=false`, then the behaviour when Forgejo rewrites the `authorized_keys` file is changed to not maintain any unexpected keys in the file.  If the value is `true`, then the old behaviour is retained.

The `doctor check` subcommand is updated to use the new validity routines:
```
[4] Check if OpenSSH authorized_keys file is up-to-date
 - [E] Unexpected key on line 1 of /home/forgejo/.ssh/authorized_keys
 - [E] Key in database is not present in /home/forgejo/.ssh/authorized_keys: ...
 - [E] authorized_keys file "/home/forgejo/.ssh/authorized_keys" contains validity errors.
Regenerate it with:
        "forgejo admin regenerate keys"
or
        "forgejo doctor check --run authorized-keys --fix"
ERROR
```

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
    - **Documentation updates required**; pending initial reviews of this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [x] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10010
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: mfenniak <mfenniak@noreply.codeberg.org>
Co-committed-by: mfenniak <mfenniak@noreply.codeberg.org>
2025-11-09 01:06:04 +01:00
.devcontainer fix: update devcontainer tag to go:1.25-trixie (#9888) 2025-10-29 10:25:30 +01:00
.forgejo Update renovate to v41.169.1 (forgejo) (#9944) 2025-11-03 09:22:04 +01:00
assets Update module code.forgejo.org/forgejo/runner/v11 to v11.3.1 (forgejo) (#10018) 2025-11-08 04:00:23 +01:00
build chore: rename 'migrations' to 'gitea_migrations' 2025-10-14 14:40:49 -06:00
cmd chore: rename 'migrations' to 'gitea_migrations' 2025-10-14 14:40:49 -06:00
contrib chore: rename 'forgejo_migrations' to 'forgejo_migrations_legacy' 2025-10-14 14:40:49 -06:00
custom/conf feat: replace cross origin protection (#9830) 2025-10-29 22:43:22 +01:00
docker bugfix check for alternate ssh host certificate location (#34146) 2025-04-14 15:53:35 +02:00
models feat: ensure only expected ssh public keys are in authorized_keys file (#10010) 2025-11-09 01:06:04 +01:00
modules feat: ensure only expected ssh public keys are in authorized_keys file (#10010) 2025-11-09 01:06:04 +01:00
options feat: convert create/rename branch and create tag to native dialog (#9760) 2025-10-30 21:06:14 +01:00
public Add support for migrating from Pagure (#8513) 2025-08-11 16:56:26 +02:00
release-notes feat: ensure only expected ssh public keys are in authorized_keys file (#10010) 2025-11-09 01:06:04 +01:00
release-notes-published chore(release-notes): Forgejo v13.0.2 (#9859) 2025-10-26 07:26:56 +01:00
releases/images [DOCS] RELEASE-NOTES.md 2024-02-05 14:44:32 +01:00
routers feat: ensure only expected ssh public keys are in authorized_keys file (#10010) 2025-11-09 01:06:04 +01:00
services feat: ensure only expected ssh public keys are in authorized_keys file (#10010) 2025-11-09 01:06:04 +01:00
templates fix(ui): replace obsolete gt- helpers (#9964) 2025-11-08 18:21:05 +01:00
tests fix(ui): replace obsolete gt- helpers (#9964) 2025-11-08 18:21:05 +01:00
tools chore: remove gopls in Makefile (#8205) 2025-06-17 08:28:26 +02:00
web_src fix(ui): replace obsolete gt- helpers (#9964) 2025-11-08 18:21:05 +01:00
.air.toml chore: rename 'migrations' to 'gitea_migrations' 2025-10-14 14:40:49 -06:00
.deadcode-out fix: prevent orgs from being added as members of orgs (#9757) 2025-11-08 22:05:21 +01:00
.dockerignore fix: Dockerfile should re-use bindata files when possible 2025-06-13 14:00:57 +02:00
.editorconfig Cover go.mod and go.sum in .editorconfig (#33960) 2025-04-01 02:28:02 +02:00
.envrc.example Make direnv optional to let developers use their own direnv configuration 2024-11-06 20:34:49 +01:00
.gitattributes Add interface{} to any replacement to make fmt, exclude *.pb.go (#30461) 2024-04-15 20:01:36 +02:00
.gitignore feat(build): improve lint-locale-usage further (#8736) 2025-08-27 23:47:34 +02:00
.gitmodules cleanup(tests): remove manual testing submodule 2024-04-21 10:13:51 +02:00
.gitpod.yml Remove sqlite-viewer and using database client (#31223) 2024-06-09 11:13:39 +02:00
.golangci.yml chore: rename 'migrations' to 'gitea_migrations' 2025-10-14 14:40:49 -06:00
.ignore Add /options/license and /options/gitignore to .ignore (#30219) 2024-04-07 15:40:31 +02:00
.mailmap Add .mailmap with aliases for Unknwon (github.com/Unknwon) 2024-08-14 08:26:16 -04:00
.markdownlint.yaml Update JS dependencies (#28537) 2023-12-30 05:29:03 +00:00
.npmrc Upgrade to npm lockfile v3 and explicitely set it (#23561) 2023-03-18 19:38:10 +01:00
.release-notes-assistant.yaml chore: release-notes-assistant: there may be three supported releases (#9480) 2025-09-30 14:20:22 +02:00
.spectral.yaml Add spectral linter for Swagger (#20321) 2022-07-11 18:07:16 -05:00
.yamllint.yaml fully replace drone with actions (#27556) 2023-10-11 06:39:32 +00:00
BSDmakefile feat: Makefile & BSDmakefile changes (#7455) 2025-04-27 10:04:32 +00:00
CODEOWNERS feat(build): add support for the base.Messenger, $.locale.Tr, Form structs to lint-locale-usage (#9095) 2025-09-30 03:25:45 +02:00
CONTRIBUTING.md docs: replace Developer Guide link with the new Contributor Guide one. 2024-08-26 13:22:39 +03:00
DCO Remove address from DCO (#22595) 2023-01-24 18:52:38 +00:00
Dockerfile Update data.forgejo.org/oci/golang Docker tag to v1.25 (forgejo) (#9823) 2025-10-23 17:50:35 +02:00
Dockerfile.rootless Update data.forgejo.org/oci/golang Docker tag to v1.25 (forgejo) (#9823) 2025-10-23 17:50:35 +02:00
eslint.config.mjs feat: run tsc in CI (#9574) 2025-10-10 15:48:45 +02:00
flake.lock refactor: Simplify flake.nix (#9805) 2025-10-22 19:09:11 +02:00
flake.nix refactor: Simplify flake.nix (#9805) 2025-10-22 19:09:11 +02:00
go.mod Update module code.forgejo.org/forgejo/runner/v11 to v11.3.1 (forgejo) (#10018) 2025-11-08 04:00:23 +01:00
go.sum Update module code.forgejo.org/forgejo/runner/v11 to v11.3.1 (forgejo) (#10018) 2025-11-08 04:00:23 +01:00
LICENSE Forgejo v9.0 is GPLv3+ 2024-08-22 09:09:29 +02:00
main.go fix: do not mix urfave v2 with urfave v3 (#8168) 2025-06-12 15:38:03 +02:00
Makefile Update renovate to v41.169.1 (forgejo) (#9944) 2025-11-03 09:22:04 +01:00
manifest.scm Add a GNU Guix manifest (#8038) 2025-06-03 08:08:17 +02:00
package-lock.json Update dependency clippie to v4.1.9 (forgejo) (#10016) 2025-11-08 12:37:52 +01:00
package.json Update dependency clippie to v4.1.9 (forgejo) (#10016) 2025-11-08 12:37:52 +01:00
playwright.config.ts tests(e2e): Prepare for visual regression testing 2024-12-10 18:12:36 +01:00
README.md chore: fix a few typos in the documentation (#9134) 2025-09-04 01:53:40 +02:00
release-notes-assistant.sh chore: improve the wording of the "not worth a release note" category (#8542) 2025-07-18 07:19:15 +02:00
RELEASE-NOTES.md chore(release-notes): fix release notes of chroma update in v8.0.0 2025-10-05 17:10:38 +05:00
renovate.json chore: make renovate work on v13 forgejo (#9679) 2025-10-14 10:43:22 +02:00
shell.nix chore: add missing gotestsum to nix dev shell (#9169) 2025-09-05 01:24:45 +02:00
stylelint.config.js Merge pull request 'Port "Enable declaration-block-no-redundant-longhand-properties (#30950)' (#3769) from beowulf/gitea-port-pull-30950 into forgejo 2024-05-14 22:23:54 +00:00
tailwind.config.js fix: Do not scan all Go files for tailwind classes 2024-08-24 15:45:50 +02:00
tsconfig.json Add typescript 2024-10-29 18:15:09 +01:00
vitest.config.ts Update vitest monorepo to v4 (forgejo) (major) (#9814) 2025-10-23 01:47:14 +02:00
webpack.config.js Update dependency htmx.org to v2 (forgejo) (#8342) 2025-06-29 13:52:24 +02:00

README.md

Welcome to Forgejo

Hi there! Tired of big platforms playing monopoly? Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of built-in functionality.

Forgejo was created in 2022 because we think that the project should be owned by an independent community. If you second that, then Forgejo is for you! Our promise: Independent Free/Libre Software forever!

What does Forgejo offer?

If you like any of the following, Forgejo is literally meant for you:

  • Lightweight: Forgejo can easily be hosted on nearly every machine. Running on a Raspberry? Small cloud instance? No problem!
  • Project management: Besides Git hosting, Forgejo offers issues, pull requests, wikis, kanban boards and much more to coordinate with your team.
  • Publishing: Have something to share? Use releases to host your software for download, or use the package registry to publish it for docker, npm and many other package managers.
  • Customizable: Want to change your look? Change some settings? There are many config switches to make Forgejo work exactly like you want.
  • Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more. If you have advanced needs, Forgejo has you covered.
  • Privacy: From update checker to default settings: Forgejo is built to be privacy first for you and your crew.
  • Federation: (WIP) We are actively working to connect software forges with each other through ActivityPub, and create a collaborative network of personal instances.

Learn more

Dive into the documentation, subscribe to releases and blog post on our website, find us on the Fediverse or hop into our Matrix room if you have any questions or want to get involved.

License

Forgejo is distributed under the terms of the GPL version 3.0 or any later version.

The agreement for this license was documented in June 2023 and implemented during the development of Forgejo v9.0. All Forgejo versions before v9.0 are distributed under the MIT license.

Get involved

If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please take a look at the contribution guide.