Skip to content

Fix regression in writing authorized principals #36213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
wxiaoguang merged 4 commits into from
Dec 20, 2025
Merged

Fix regression in writing authorized principals #36213

wxiaoguang merged 4 commits into from
Dec 20, 2025
+126 −7

Conversation

@peterverraedt
Copy link
Contributor

@peterverraedt peterverraedt commented Dec 19, 2025

Commit ac6d38e introduced a regression in writing of the authorized_principals file, resulting in an empty file.

The function regeneratePrincipalsKeys in
services/asymkey/ssh_key_authorized_principals.go calls the function WriteAuthorizedStringForValidKey for a PublicKey of type KeyTypePrincipal, and ssh.ParseAuthorizedKey would always fail.

This commit adds additional logic to this function to restore the previous behaviour when writing the principals file.

Fixes: #36212

@peterverraedt
Fix regression in writing authorized principals
da57fc2 
Commit ac6d38e introduced a regression
in writing of the authorized_principals file, resulting in an empty file.

The function `regeneratePrincipalsKeys` in
`services/asymkey/ssh_key_authorized_principals.go` calls the function
`WriteAuthorizedStringForValidKey` for a PublicKey of type
KeyTypePrincipal, and ssh.ParseAuthorizedKey would always fail.

This commit adds additional logic to this function to restore the
previous behaviour when writing the principals file.

Fixes: 36212

Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 19, 2025
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Dec 19, 2025
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 19, 2025

The ParseAuthorizedKey was used to validate a key to make sure there is no malicious code (for example: \n in the content will break the SSH key files)

Actually we don't really need to use ParseAuthorizedKey , we can use a general regexp to validate the SSH key principal keys.

@peterverraedt
Copy link
Contributor Author

peterverraedt commented Dec 19, 2025

Gitea is using sshd_config's AuthorizedPrincipalsFile option:

Specifies a file that lists principal names that are accepted for certificate authentication. When using certificates signed by a key listed in TrustedUserCAKeys, this file lists names, one of which must appear in the
certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). Empty lines and comments starting with ‘#’ are
ignored.

Specification of the accepted cert-authority is in the TrustedUserCAKeys file.

The man pages are not really clear on which principals are accepted. Clearly no newlines could be present inside an allowed principal, but I'm not sure about spaces etc.

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 19, 2025

Hmm ... I remembered wrong (I am not really a authorized_principals user).

Can we have a regexp to validate the key.Content value before putting it into the authorized_principals file?

I can help to add more tests to cover the expected behaviors.

@peterverraedt
Copy link
Contributor Author

peterverraedt commented Dec 19, 2025

Added a dummy regular expression. I'll try to find any references in sshd code to see what should be the actual expression.

@peterverraedt peterverraedt force-pushed the fix-regression-authorized-principals branch from 9632d2b to 6e29350 Compare December 19, 2025 13:33
@peterverraedt
Add principals regular expression
00fe4b3 
Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>
@peterverraedt peterverraedt force-pushed the fix-regression-authorized-principals branch from 6e29350 to 00fe4b3 Compare December 19, 2025 13:35
@wxiaoguang wxiaoguang force-pushed the fix-regression-authorized-principals branch from 12988c2 to 5d26d16 Compare December 19, 2025 13:48
@wxiaoguang wxiaoguang added this to the 1.26.0 milestone Dec 19, 2025
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 19, 2025

Thank you very much, and I added some tests.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 19, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 19, 2025
@wxiaoguang wxiaoguang enabled auto-merge (squash) December 20, 2025 00:55
@wxiaoguang wxiaoguang merged commit b4c9057 into go-gitea:main Dec 20, 2025
24 checks passed
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Dec 20, 2025
@peterverraedt @wxiaoguang @GiteaBot
Fix regression in writing authorized principals (go-gitea#36213)
cacc4c7 
Add additional logic with tests to restore the
previous behaviour when writing the principals file.

Fixes: go-gitea#36212

---------

Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
@GiteaBot GiteaBot mentioned this pull request Dec 20, 2025
Merged
@GiteaBot GiteaBot added the backport/done All backports for this PR have been created label Dec 20, 2025
silverwind pushed a commit that referenced this pull request Dec 20, 2025
@GiteaBot @peterverraedt @wxiaoguang
Fix regression in writing authorized principals (#36213) (#36218)
e147a82 
Backport #36213 by peterverraedt

Fixes: #36212

Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>
Co-authored-by: Peter Verraedt <peter.verraedt@kuleuven.be>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
silverwind added a commit to silverwind/gitea that referenced this pull request Dec 20, 2025
@silverwind
Merge remote-tracking branch 'origin/main' into limit-repo-size
dfa02de 
* origin/main:
  Show edit page confirmation dialog on tree view file change (go-gitea#36130)
  Fix regression in writing authorized principals (go-gitea#36213)
  [skip ci] Updated translations via Crowdin
  Convert locale files from ini to json format (go-gitea#35489)
  Bump crowdin/github-action from 1 to 2 (go-gitea#36204)
  Bump appleboy/git-push-action from 0.0.3 to 1.0.0 (go-gitea#36194)
  Fix labeler config for stylelint (go-gitea#36199)
  Add `modifies/dependencies` label to dependabot (go-gitea#36206)
  Add date to "No Contributions" tooltip (go-gitea#36190)
  Revert "Bump alpine to 3.23 (go-gitea#36185)" (go-gitea#36202)
  Add JSON linting (go-gitea#36192)
  Bump setup-node to v6, re-enable cache (go-gitea#36207)
  [skip ci] Updated translations via Crowdin
  Update chroma to v2.21.1 (go-gitea#36201)
  Disable dependabot automatic labels (go-gitea#36203)
  Bump astral-sh/setup-uv from 6 to 7 (go-gitea#36198)
  Front port changelog (go-gitea#36193)
  Bump dev-hanz-ops/install-gh-cli-action from 0.1.0 to 0.2.1 (go-gitea#36195)
  Bump aws-actions/configure-aws-credentials from 4 to 5 (go-gitea#36196)
  Bump docker/build-push-action from 5 to 6 (go-gitea#36197)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lunny lunny lunny approved these changes

@wxiaoguang wxiaoguang wxiaoguang approved these changes

Assignees

No one assigned

Labels

backport/done All backports for this PR have been created backport/v1.25 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code type/bug

Projects

None yet

Milestone

1.26.0

Development

Successfully merging this pull request may close these issues.

authorized_principals is empty (v1.25)

4 participants

@peterverraedt @wxiaoguang @lunny @GiteaBot