this post was submitted on 24 Aug 2024
9 points (84.6% liked)

Selfhosted

59973 readers
464 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
9
[Question] git SSH through Tailscale sidecar container? (midwest.social)
submitted 2 years ago* (last edited 2 years ago) by thegreekgeek@midwest.social to c/selfhosted@lemmy.world
6 comments fedilink hide all child comments
 

Hey all!

I posted this to /c/tailscale yesterday and I figured I'd post it here to get some more visibility.

I'm trying to ssh into my tailnet-hosted (through tailscale serve) gogs instance and I can't seem to figure out how. Has anyone tried doing this? Will I need to add a user to the sidecar container and add a shim like they do in the regular gogs setup? I appreciate any insight.

Edit: Added tag and modified title for clarity.

you are viewing a single comment's thread
view the rest of the comments
[–] thegreekgeek@midwest.social 2 points 2 years ago (1 children)

Ope sorry, right now I just have the serve config doing a redirect of port 22, however when I try to SSH in I get rejected by tailscale ACL. Says there's no user named git.

If I followed the steps for the vanilla docker setup I'd add a git user to the host and softlink the host authorized_keys file to the gogs container's version, as well as add a shim script to forward the command into the container using the docker exec command, but I'd rather not do that by mucking about in the sidecar if there's a better way. The tailscale universal docker mod for linuxserver.io says they have ssh access for their containers but as far as I can tell it just pops in the --ssh flag in tailscale up.

[–] just_another_person@lemmy.world 2 points 2 years ago (1 children)

If it's reaponding about the git user, then it's an auth failure. That's about all I could tell you without some logs.

[–] thegreekgeek@midwest.social 1 points 2 years ago (1 children)

Yeah and I figured that was the case. I'm just trying to figure out the best practice for my use case would be as I'd rather not have to build a new container. Also I've included the vvverbose output of the SSH attempt below.

❯ ssh -vvvT git@gogs.tailacbd65.ts.net OpenSSH_9.8p1, OpenSSL 3.2.1 30 Jan 2024 debug1: Reading configuration data /data/data/com.termux/files/usr/etc/ssh/ssh_config debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/data/data/com.termux/files/home/.ssh/known_hosts' debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/data/data/com.termux/files/home/.ssh/known_hosts2' debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling debug2: resolving "gogs.tailacbd65.ts.net" port 22 debug3: resolve_host: lookup gogs.tailacbd65.ts.net:22 debug3: channel_clear_timeouts: clearing debug3: ssh_connect_direct: entering debug1: Connecting to gogs.tailacbd65.ts.net [100.126.96.115] port 22. debug3: set_sock_tos: set socket 3 IP_TOS 0x48 debug1: Connection established. debug1: identity file /data/data/com.termux/files/home/.ssh/id_rsa type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_rsa-cert type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa-cert type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa_sk type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519 type 3 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519-cert type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519_sk type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_xmss type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_9.8 debug1: Remote protocol version 2.0, remote software version Tailscale debug1: compat_banner: no match: Tailscale debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to gogs.tailacbd65.ts.net:22 as 'git' debug1: load_hostkeys: fopen /data/data/com.termux/files/home/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts: No such file or directory debug1: load_hostkeys: fopen /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts2: No such file or directory debug3: order_hostkeyalgs: no algorithms matched; accept original debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com lman-group14-sha1,kex-strict-s-v00@openssh.com debug2: host key algorithms: rsa-sha2-256,rsa-sha2-512,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr debug2: ciphers stoc: aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96 debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96 debug2: compression ctos: none debug2: compression stoc: none debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug3: kex_choose_conf: will use strict KEX ordering debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31 debug1: SSH2_MSG_KEX_ECDH_REPLY received debug1: Server host key: ssh-ed25519 SHA256:obfuscation! debug1: load_hostkeys: fopen /data/data/com.termux/files/home/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts: No such file or directory debug1: load_hostkeys: fopen /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts2: No such file or directory debug3: hostkeys_find_by_key_hostfile: trying user hostfile "/data/data/com.termux/files/home/.ssh/known_hosts" debug3: hostkeys_foreach: reading file "/data/data/com.termux/files/home/.ssh/known_hosts" debug3: hostkeys_find_by_key_hostfile: trying user hostfile "/data/data/com.termux/files/home/.ssh/known_hosts2" debug1: hostkeys_find_by_key_hostfile: hostkeys file /data/data/com.termux/files/home/.ssh/known_hosts2 does not exist debug3: hostkeys_find_by_key_hostfile: trying system hostfile "/data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts" debug1: hostkeys_find_by_key_hostfile: hostkeys file /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts does not exist debug3: hostkeys_find_by_key_hostfile: trying system hostfile "/data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts2" debug1: hostkeys_find_by_key_hostfile: hostkeys file /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts2 does not exist The authenticity of host 'gogs.tailacbd65.ts.net (100.126.96.115)' can't be established. ED25519 key fingerprint is SHA256:obfuscation!. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'gogs.tailacbd65.ts.net' (ED25519) to the list of known hosts. ha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug3: send packet: type 5 debug3: receive packet: type 7 debug1: SSH2_MSG_EXT_INFO received debug3: kex_input_ext_info: extension server-sig-algs debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss> debug3: kex_input_ext_info: extension ping@openssh.com debug1: kex_ext_info_check_ver: ping@openssh.com=<0> debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 51 debug1: Authentications that can continue: tailscale debug3: start over, passed a different list tailscale debug3: preferred publickey,keyboard-interactive,password debug1: No more authentication methods to try. git@gogs.tailacbd65.ts.net: Permission denied (tailscale).

[–] just_another_person@lemmy.world 1 points 2 years ago (1 children)

You've got a lot of errors in there, and it's hard to tell which may be the culprit. I'm going to guess your keys can't be read. I'd go back through the setup steps and make sure your PUBLIC key is setup properly for the git user.

[–] thegreekgeek@midwest.social 1 points 2 years ago

Well that's the thing, there's no git user. I'm trying to directly ssh into the gogs container through the tailscale sidecar container via the tailnet, so I'm not going through the host machine. I'm just trying to see if there's a way I can do it that's a bit less fiddly than having to rebuild the container with the right user and whatnot.